Figure 1: A list of major FHE schemes. All encryption schemes are leveled FHE schemes, namely they support evaluation of circuits of a-priori bounded depth. They can be generically converted into a pure FHE using Gentry's bootstrapping method [Gen09], assuming that the underlying leveled FHE scheme is circular secure. The rows in gray represent contributions from our team. SSS denotes the sparse subset sum assumption, BDD the bounded distance decoding assumption, GCD is greatest common divisors, LWE is learning with errors and NTRU is the N-th order truncated ring encryption scheme.  6


Figure 2: Attribute-based, Predicate and Functional Encryption Schemes. The first six rows are ABE, the next two PE and the rest are FE schemes. The rows in gray represent contributions from our team.  11


1 Summary


This report describes the results of our project "Computing on Encrypted Data: Theory and Applications", carried out as part of the DARPA PROCEED program. Our results form a strong theoretical foundation for the science of computing on encrypted data.

A major outcome of our project was the invention of the second generation of FHE schemes, which gave us several simple and efficient FHE schemes based on standard cryptographic hardness assumptions. Our solutions [BV11a, BGV12, LTV12] form the state of the art in fully homomorphic encryption, and formed the backbone of homomorphic encryption implementations in the PROCEED program. In addition, they have also been implemented as part of the open source homomorphic encryption library HElib.

Going forward, we developed new cryptographic primitives that achieve the dual goals of supporting sophisticated functionalities while admitting efficient and practical constructions, including the first general-purpose attribute-based encryption [GVW13], reusable garbled circuits [GKP+13] and several types of functional encryption [GVW12, GVW15] schemes. Our project also contributed to the development of novel secure multi-party computation solutions.
2 Introduction


We live in a world where information and computation are at our fingertips, but also a world where our personal data is stored and processed in highly adversarial environments. While we now have cryptographic methods such as public-key encryption, digital signatures and secure protocols that form the basis of secure electronic transactions, traditional cryptography is inadequate to handle the challenges posed by modern technologies. In particular, the emerging paradigm of cloud computing lets us outsource storage and computation to powerful third-party servers, but raises serious privacy concerns. Of course, encrypting the data we hand over to the cloud protects its privacy, but how then can the cloud compute on the encrypted data?

The answer lies in fully homomorphic encryption (FHE), a special type of encryption system in which one can perform arbitrarily complex computations on encrypted data without ever decrypting it. Long considered the unattainable holy grail of cryptography, this primitive was first realized in the ground-breaking work of Craig Gentry in 2009. Unfortunately, Gentry's construction suffered from inherent efficiency limitations, was considered impractical, and raised widespread speculation that computing on encrypted data might never see the light of day.

A major outcome of our project has been the invention of the second generation of FHE schemes, which gave us several simple and efficient FHE schemes based on standard cryptographic hardness assumptions. Our solutions [BV11a, BGV12, LTV12] form the state of the art in fully homomorphic encryption, and formed the backbone of homomorphic encryption implementations in the PROCEED program. In addition, they have also been implemented as part of the open source homomorphic encryption library HElib.

Going forward, we developed new cryptographic primitives that achieve the dual goals of supporting sophisticated functionalities while admitting efficient and practical constructions. While fully homomorphic encryption permits any computation on encrypted data, we would like to provide fine-grained control over what types of functions can be computed. This ability comes in handy in a number of scenarios, such as ensuring the correctness of outsourced computations. We constructed the first general-purpose attribute-based encryption [GVW13], reusable garbled circuits [GKP+13] and several types of functional encryption [GVW12, GVW15] schemes that address these issues.

Our project also contributed to the development of novel secure multi-party computation solutions. Multiparty computation (MPC) is a notion that was introduced and studied in cryptography from the 1980s [Yao86, GMW87, BGW88], and provides a generally more efficient, but interactive, alternative approach to computing on encrypted data. We developed several communication-local MPC protocols that handle a very large number of users and, in addition, withstand leakage of the internal states of 99% of the participants.

Our  results  form  a  strong  theoretical  foundation  of  the  science  of  computing  on  encrypted  data,  powerful 
enough  to  address  the  new  and  emerging  challenges.  We  now  proceed  to  describe  our  results  in  detail. 
3 Methods, Assumptions and Procedures

Our methods are largely algorithmic, meaning that we construct algorithms (sometimes interactive algorithms, which we call protocols) that solve several cryptographic problems, and provide formal security proofs under well-defined and well-studied computational hardness assumptions. We state our assumptions, together with some mathematical preliminaries, below.

Lattices and lattice problems. A lattice is a discrete additive subgroup of $\mathbb{R}^n$. A lattice can be characterized as the integer span of basis vectors, usually denoted as a matrix $\mathbf{B} \in \mathbb{R}^{n \times \ell}$ ($\ell$ is the rank of the lattice; for simplicity we assume that $\ell = n$, but all definitions carry over to the general case). The minimum distance between two lattice points is equal to the length of the shortest nonzero lattice point and is denoted by $\lambda_1 = \lambda_1(\mathbf{B})$ (many norms can be considered, most commonly $\ell_2$). The shortest vector problem $\mathrm{SVP}_\gamma(\mathbf{B})$ is to find a lattice vector of length at most $\gamma \cdot \lambda_1$ given $\mathbf{B}$. The decision version $\mathrm{GapSVP}_\gamma(\mathbf{B}, d)$ is the promise problem which accepts if $\lambda_1 \le d$ and rejects if $\lambda_1 > \gamma \cdot d$. The closest vector problem $\mathrm{CVP}_\gamma(\mathbf{B}, \mathbf{t})$ is to find the closest lattice vector to the target $\mathbf{t}$, up to an approximation factor $\gamma$. The decision version $\mathrm{GapCVP}_\gamma(\mathbf{B}, \mathbf{t}, d)$ is defined analogously. The parameter $\gamma = \gamma(n)$ is called the approximation factor, and controls the hardness of $\mathrm{GapSVP}_\gamma$ (increasing $\gamma$ makes it easier). It was known early on that when $\gamma = O(1)$, $\mathrm{GapSVP}_\gamma$ is NP-hard, while when $\gamma = 2^n$ it is solvable in polynomial time. Ajtai's original work on lattice cryptography gave a one-way function based on the hardness of $\mathrm{GapSVP}_\gamma$ when $\gamma = \mathrm{poly}(n)$.

An ideal lattice is a lattice that is defined by an embedding into $\mathbb{R}^n$ of an ideal in the ring of integers of some number field.

Learning with Errors (LWE). The problem is defined with respect to parameters $q, n, \chi$ (some variants require additional parameters). Let $\mathbb{Z}_q$ be the ring of integers modulo $q$ and let $\chi$ be a distribution over $\mathbb{Z}_q$ (referred to as the noise distribution). The parameter $n \in \mathbb{N}$ is the dimension of the problem. For all $\mathbf{s} \in \mathbb{Z}_q^n$ consider the oracle $A_{\mathbf{s},\chi}$ that for every call returns $(\mathbf{a}, b)$ where $\mathbf{a} \in \mathbb{Z}_q^n$ is uniformly distributed and $b = \langle \mathbf{a}, \mathbf{s} \rangle + e \pmod q$, where $e$ is drawn from $\chi$.

The search LWE problem $\mathrm{LWE}_{n,q,\chi}$ is to retrieve a uniformly distributed $\mathbf{s}$ given oracle access to $A_{\mathbf{s},\chi}$. The decision LWE problem $\mathrm{DLWE}_{n,q,\chi}$ is to distinguish between oracle access to $A_{\mathbf{s},\chi}$ (for a uniformly distributed $\mathbf{s}$) and oracle access to a random oracle $O$ that on every call returns a uniform element in $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

The hardness of solving search LWE with a discrete Gaussian noise distribution has been shown to be related to the hardness of $\mathrm{GapSVP}_\gamma$ via quantum [Reg05] and classical [Pei09] reductions. The classical reduction results in a worse parameter $\gamma$ and, as is, it is only applicable to $q \approx 2^n$. Search-to-decision connections are known for many values of $q$.
Ring Learning with Errors (Ring LWE). The ring learning with errors (RLWE) problem was introduced by Lyubashevsky, Peikert and Regev. Here, let $R$ denote the ring of integers of a number field, namely $R = \mathbb{Z}[x]/(f(x))$ for some cyclotomic $f(x)$. For all $s \in R_q := R/qR$ consider the oracle $A_{s,\chi}$ that for every call returns $(a, b)$ where $a \in R_q$ is uniformly distributed and $b = a \cdot s + e$ (over $R_q$), where $e$ is drawn from $\chi$ (here, $\chi$ is a distribution over the ring of integers $R$ of the number field).

The search Ring LWE problem $\mathrm{RLWE}_{n,q,\chi}$ is to retrieve a uniformly distributed $s$ given oracle access to $A_{s,\chi}$. The decision Ring LWE problem $\mathrm{DRLWE}_{n,q,\chi}$ is to distinguish between oracle access to $A_{s,\chi}$ (for a uniformly distributed $s$) and oracle access to a random oracle $O$ that on every call returns a uniform element in $R_q \times R_q$.
4 Results and Discussion

4.1  Results:  Fully  Homomorphic  Encryption 

The evolution of fully homomorphic encryption schemes can be roughly partitioned into three generations.

First Generation. The first generation of fully homomorphic encryption (FHE) started with the breakthrough work of Gentry [Gen09] and was followed by several simplifications [vDGHV10, SV09, BV11b]. This sequence of works had two major disadvantages. First, they had extremely large key sizes and extremely slow algorithms. Secondly, the security of these schemes was based on complex, little-studied assumptions. We believe that these two issues are correlated: indeed, the schemes relied on complex hardness assumptions because we lacked a fundamental understanding of the basis for their security. In turn, this caused us to add on "band-aids" that had negative effects on efficiency.

Second Generation. A major contribution of our project was the invention of the second generation of fully homomorphic encryption, in a sequence of papers [BV11a, BGV12] which we describe in detail below. These works not only constructed (leveled) FHE schemes from standard computational assumptions, but also offered orders of magnitude better efficiency. These schemes were quickly built upon, most notably in a sequence of works by Gentry, Halevi and Smart [GHS12a, GHS12b] who showed powerful techniques for "SIMD" evaluation, namely methods to pack many inputs into one ciphertext and to homomorphically evaluate on them in parallel.

A leveled FHE is one which can evaluate circuits of a-priori bounded polynomial depth. One can convert any leveled FHE scheme into a pure FHE scheme that can evaluate arbitrary circuits, using Gentry's bootstrapping theorem [Gen09]. This involves making an additional hardness assumption, namely the "circular security" of the leveled HE scheme. We refer the reader to [BV11a] for more details.

Third Generation. Finally, a third generation of (leveled) FHE schemes emerged with the work of Gentry, Sahai and Waters [GSW13]. Even simpler to describe than the second generation FHE schemes, these were extended in our work [BV14] to result in FHE schemes that rely on the worst-case hardness of approximating shortest vectors to within polynomial factors, or equivalently, the hardness of LWE with a polynomial modulus. These schemes enjoy very slow noise growth, and hence result in better parameters. There have since been several extensions of these schemes [AP14, DM15].
Scheme              Assumption                             Note
[Gen09]             av-case ideal-BDD and SSS
[SV09]              av-case principal-ideal-BDD and SSS    Improved efficiency of [Gen09]
[vDGHV10]           av-case approximate GCD and SSS        simple to describe
[BV11b]             Ring-LWE and SSS
[BV11a]             (sub-exponential) LWE                  efficient instantiation from Ring-LWE;
                                                           introduced dimension/modulus switching
[GH11]              av-case ideal-BDD
[BGV12]             (super-polynomial) LWE                 efficient instantiation from Ring-LWE
[Bra12]             (super-polynomial) LWE                 efficient instantiation from Ring-LWE
[LTV12]             NTRU assumption                        also multi-key HE
[GHS12a, GHS12b]    Ring LWE                               SIMD and polylog overhead HE
[BLLN13]            NTRU = Ring-LWE                        based [LTV12] on Ring LWE
[GSW13]             (super-polynomial) LWE                 efficient instantiation from Ring-LWE
[BV14]              (polynomial) LWE                       efficient instantiation from Ring-LWE
[AP14]              (polynomial) LWE                       efficient instantiation from Ring-LWE
Figure 1: A list of major FHE schemes. All encryption schemes are leveled FHE schemes, namely they support evaluation of circuits of a-priori bounded depth. They can be generically converted into a pure FHE using Gentry's bootstrapping method [Gen09], assuming that the underlying leveled FHE scheme is circular secure. The rows in gray represent contributions from our team. SSS denotes the sparse subset sum assumption, BDD the bounded distance decoding assumption, GCD is greatest common divisors, LWE is learning with errors and NTRU is the N-th order truncated ring encryption scheme.
4.1.1 Second Generation FHE: Simpler, Faster, Stronger

We describe here the sequence of works [BV11a, BGV12]. The first of these works, by Brakerski and Vaikuntanathan [BV11a], for the first time showed how to construct a leveled homomorphic encryption scheme solely under the learning with errors (LWE) assumption. All previous constructions were natively able to evaluate circuits of depth $O(\log n)$, where $n$ is the security parameter, and extending these into fully homomorphic schemes required making additional assumptions.

The starting point of our construction is Regev's encryption scheme, in which the ciphertext encrypting a bit $m \in \{0, 1\}$ is of the form

$(\mathbf{a},\ \langle \mathbf{a}, \mathbf{s} \rangle + e + m \lfloor q/2 \rfloor)$

where $\mathbf{a} \in \mathbb{Z}_q^n$ is a uniformly random vector, $\mathbf{s} \in \mathbb{Z}_q^n$ is the secret key, and $e \leftarrow \chi$ is a "small" error term drawn from an error distribution $\chi$ (typically a discrete Gaussian distribution). All computations here are performed mod $q$. It is not hard to see that this scheme is, by itself, additively homomorphic.¹ Our main contribution is to show how to do homomorphic multiplication. In particular, our HE construction uses two new ideas, both of which have found uses in later designs of homomorphic encryption and elsewhere.

Relinearization (or Dimension Reduction). We first observe that the tensor product of two ciphertexts is an encryption of the product of the two messages, albeit under a longer key, namely $\mathbf{s} \otimes \mathbf{s}$, the tensor product of the secret key with itself. However, in doing so, the size of the ciphertext increases dramatically, to $O(n^2)$ from $O(n)$. Clearly, this is not sustainable, and thus we come up with a way to reduce the dimension back to $n$.

Roughly speaking, this is done by publishing several "hints" in the public key, which consist of encryptions of the quadratic monomials in the coefficients of $\mathbf{s}$ under a different secret key $\mathbf{s}'$. Of course, the key idea is in doing so without compromising the security of the overall system at all.

Modulus Switching (or Modulus Reduction). Relinearization by itself only gives us a somewhat homomorphic encryption scheme capable of evaluating $O(\log n)$-depth circuits, since the ciphertext error squares at every level of homomorphic multiplication. With $d$ levels, the noise becomes $B_0^{2^d}$, where $B_0$ is the magnitude of the initial ciphertext noise. Now,

$B_0^{2^d} < q/4 < 2^{n^{\epsilon}}$  (4.1)

for some constant $0 < \epsilon < 1$. Here, the first inequality is to ensure correctness of decryption, and the second to ensure security. This gives us $d \approx \epsilon \log n$. Unfortunately, this turns out to be not quite enough to apply bootstrapping [Gen09] and obtain an FHE scheme.

The second major idea in [BV11a] is a way to slow down the noise growth during homomorphic multiplication. The basic idea is simple and two-fold. First, the modulus does not really matter in LWE, as one can always scale the LWE samples down to the "torus" $[0, 1)$. This observation has been made in several prior works including [Reg05]. Second, multiplying two error terms that live in $[0, 1)$ only decreases their magnitude, as opposed to increasing it! This surprisingly simple observation gives us a noise growth of $B_0 \to B_0 \cdot \mathrm{poly}(n)$ as opposed to $B_0 \to B_0^2$.

Equation 4.1 now becomes

$B_0 \cdot n^{O(d)} < q/4 < 2^{n^{\epsilon}}$  (4.2)

resulting in $d \approx n^{\epsilon} / \log n$.

¹ The reader might notice that when adding two ciphertexts, the error terms increase in magnitude. Indeed, this is an issue which limits the total number of homomorphic operations we can perform on the ciphertexts. However, setting $q$ to be slightly super-polynomial and the magnitude of errors from $\chi$ to be polynomial allows us to do a superpolynomial number of additions.

Overall, the result is the first leveled FHE scheme that assumes only the hardness of learning with errors (LWE). With bootstrapping, and using the fact that the decryption circuit can be written as a Boolean circuit of depth $d = O(\log n)$, the resulting scheme relies on the hardness of $\mathrm{LWE}_{n,q,\chi}$ where $q = n^{O(\log n)}$ and $\chi$ is any distribution with $\mathrm{poly}(n)$-bounded support.

The  ideas  underlying  the  [BVlla,  BGV12]  scheme  can  be  ported  just  as  well  to  other  settings,  such  as 
ring  LWE,  NTRU  and  approximate  GCD  resulting  in  several  variants.  (Indeed,  the  ring  LWE  variant  was 
described  explicitly  in  [BGV12]).  In  practice,  one  should  use  either  the  ring  LWE  or  the  NTRU  variant  for 
reasons  of  efficiency. 
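To make the pieces of Section 4.1.1 concrete, the following is an added Python example written for this report; it is not code from [BV11a], [BGV12] or any library. It builds a toy leveled scheme over plain LWE: Regev-style ciphertexts, homomorphic addition, multiplication by tensoring followed by relinearization with bit-decomposed hints, and modulus switching. Each fresh ciphertext is one sample of the oracle $A_{\mathbf{s},\chi}$ from Section 3 with the message folded in. Everything is a simplification chosen for illustration: the bit is placed in the least significant bit ($b = \langle \mathbf{a}, \mathbf{s}\rangle + 2e + m$ with $q$ odd, the encoding used in [BV11a]) rather than in $m\lfloor q/2\rfloor$; the noise is uniform on $[-B, B]$ instead of a discrete Gaussian; the secret key is drawn from the noise distribution so that $\|\mathbf{t}\|_1$ is small, which is what keeps the additive term of modulus switching under control; and the parameters ($n = 4$, $q = 2^{61}-1$, $p = 2^{31}-1$) are far too small to be secure.

```python
"""Toy leveled HE over plain LWE after [BV11a]/[BGV12]: message in the LSB,
addition, tensor-product multiplication + relinearization, modulus switching.
Pure Python with tiny, insecure parameters; written as an illustration."""
import random

rng = random.Random(2024)        # fixed seed so the walk-through is reproducible

N = 4                            # LWE dimension (real schemes use hundreds or more)
Q = (1 << 61) - 1                # odd modulus q, with room for the noise to grow
P = (1 << 31) - 1                # smaller odd modulus to switch down to
B = 4                            # noise e is uniform in [-B, B] (stand-in for a Gaussian)


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def keygen():
    """Key vector t = (1, s); s is short (noise-distributed, as in [BGV12]) so that
    ||t||_1, the additive error of modulus switching, stays small."""
    return [1] + [rng.randint(-B, B) for _ in range(N)]


def encrypt(t, m, q=Q):
    """One LWE sample with m folded in: c = (m + 2e - <a, s>, a), so <c, t> = m + 2e."""
    a = [rng.randrange(q) for _ in range(N)]
    e = rng.randint(-B, B)
    c0 = (m + 2 * e - sum(ai * si for ai, si in zip(a, t[1:]))) % q
    return [c0] + a


def phase(t, c, q=Q):
    """The noisy plaintext m + 2e = <c, t> mod q, as a centered integer."""
    return centered(sum(ci * ti for ci, ti in zip(c, t)), q)


def decrypt(t, c, q=Q):
    return phase(t, c, q) % 2


def noise(t, c, q=Q):
    """|m + 2e|; decryption stays correct while this is below q/2."""
    return abs(phase(t, c, q))


def add(c1, c2, q=Q):
    return [(x + y) % q for x, y in zip(c1, c2)]


def tensor(c1, c2, q=Q):
    """c1 (x) c2 decrypts under t (x) t to <c1,t><c2,t> = (m1+2e1)(m2+2e2): noise squares."""
    return [(x * y) % q for x in c1 for y in c2]


def relin_key(t_old, t_new, q=Q):
    """Hints: for every monomial t_i*t_j of the old key and every bit position tau, an
    encryption under t_new of 2^tau * t_i*t_j (fresh key per level; reusing t_old as
    t_new would need a circular-security assumption)."""
    L = q.bit_length()
    return [[encrypt(t_new, ((ti * tj) << tau) % q, q) for tau in range(L)]
            for ti in t_old for tj in t_old]


def relinearize(ct2, hints, q=Q):
    """Dimension reduction from (N+1)^2 coefficients h_ij to N+1 under t_new. Selecting
    hints by the bits of h_ij keeps the hint noise from being multiplied by up to q."""
    out = [0] * (N + 1)
    for h, hint_row in zip(ct2, hints):
        for tau, hint in enumerate(hint_row):
            if (h >> tau) & 1:
                out = [(o + x) % q for o, x in zip(out, hint)]
    return out


def multiply(c1, c2, hints, q=Q):
    return relinearize(tensor(c1, c2, q), hints, q)


def mod_switch(c, q, p):
    """Scale c from Z_q to Z_p, rounding each coordinate to the nearest integer with the
    same parity (q, p odd). The LSB of <c, t> is preserved and the noise becomes at most
    (p/q) * old noise + ||t||_1 (the scaling lemma of [BGV12])."""
    out = []
    for ci in c:
        x = p * ci
        r = (2 * x + q) // (2 * q)                   # nearest integer to x / q
        if (r - ci) % 2:                             # wrong parity: nearest neighbour of right parity
            r = r - 1 if abs((r - 1) * q - x) <= abs((r + 1) * q - x) else r + 1
        out.append(r % p)
    return out


if __name__ == "__main__":
    t0, t1 = keygen(), keygen()
    rk = relin_key(t0, t1)
    c1, c2 = encrypt(t0, 1), encrypt(t0, 1)
    prod = multiply(c1, c2, rk)                      # under t1, dimension N+1 again
    small = mod_switch(prod, Q, P)
    print("fresh noise:", noise(t0, c1), noise(t0, c2))
    print("product bit", decrypt(t1, prod), "noise", noise(t1, prod))
    print("after modulus switch: bit", decrypt(t1, small, P), "noise", noise(t1, small, P))
```

Running it multiplies two encryptions of 1, relinearizes the 25-coefficient tensor ciphertext back to dimension 5 under a fresh key, and then switches from $q$ to $p$. After multiplication the noise is bounded by the product noise $(1+2B)^2$ plus the relinearization term $2(n+1)^2\lceil\log q\rceil B$ (about 12,000 here, so in this toy the hints, not the product, dominate); after the switch it is at most $\|\mathbf{t}\|_1 \le 1 + nB = 17$. That drop from a noise that would otherwise square at every level to one that only picks up an additive $\mathrm{poly}(n)$ term is the $B_0 \to B_0 \cdot \mathrm{poly}(n)$ behaviour behind Equation 4.2.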

4.1.2  Third  Generation  FHE:  Best  Possible  Assumptions 

All FHE schemes prior to the third generation relied on hardness assumptions that are quantitatively worse than those needed for public-key encryption. In particular, the scheme of [BGV12] described above relies on the hardness of approximating lattice problems to within an $n^{O(\log n)}$ factor.

Building on an FHE scheme of Gentry, Sahai and Waters [GSW13], Brakerski and PI Vaikuntanathan [BV14] show that (leveled) FHE can be based on the hardness of $O(n^{2+\epsilon})$-approximating lattice problems such as GapSVP (under classical reductions). This matches the best known hardness for regular (non-homomorphic) lattice-based public-key encryption up to the $\epsilon$ factor. As usual, a circular security assumption can be used to achieve a non-leveled (pure) FHE scheme.

Our approach consists of three main ideas: noise-bounded sequential evaluation of high fan-in operations; circuit sequentialization using Barrington's theorem; and finally, successive dimension-modulus reduction. In particular, the first and the most important of these ideas results in a dramatic slow-down in noise growth during homomorphic multiplication. Whereas before, multiplying $N$ ciphertexts with a noise magnitude of $B$ increased the error to $O(B^{\log N})$ (using a binary multiplication tree), it turns out that in our scheme the error only increases to $O(B \cdot N \cdot n)$, where $n$ is the security parameter. Surprisingly, this is nearly as small as the error increase during homomorphic addition!

Our scheme has since been improved on, first to remove the use of Barrington's theorem and the associated inefficiency [AP14], and secondly to implement bootstrapping in under a second [DM15].
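As an added example of the third-generation idea (written for this report, not code from [GSW13] or [BV14]), the Python below implements the GSW approximate-eigenvector scheme in its secret-key form: a ciphertext is a binary $N \times N$ matrix $C$ with $C \cdot \mathbf{v} = \mu \mathbf{v} + \mathbf{e}$ for $\mathbf{v} = \mathrm{Powersof2}(\mathbf{t})$, multiplication is $\mathrm{Flatten}(C_1 C_2)$, and the noise of $C_1 C_2$ is $\mu_2 \mathbf{e}_1 + C_1 \mathbf{e}_2$. Because $C_1$ is binary, keeping the accumulated ciphertext on the left and multiplying by a fresh one on the right adds at most $N \cdot B$ noise per step, so a sequential product of $k$ fresh ciphertexts has noise at most $B + (k-1) N B$: the linear growth described above, in place of the squaring of second-generation schemes. The parameters ($n = 2$, $q = 2^{16}$, $N = (n+1)\log q = 48$, noise uniform on $[-B, B]$) are toy values chosen so that the matrix products run quickly in pure Python; the scheme is not secure at this size.

```python
"""Toy GSW-style ("third generation") HE after [GSW13]/[BV14]: a ciphertext is a
binary N x N matrix C with C * v = mu * v + e (mod q), v = Powersof2(t).
Secret-key encryption, toy parameters, pure Python: an illustration only."""
import random

rng = random.Random(7)

n = 2                        # LWE dimension (toy)
ELL = 16                     # log2(q)
q = 1 << ELL                 # q = 2^ELL, so the largest power of two in v is exactly q/2
K = n + 1                    # length of the key vector t = (1, -s)
N = K * ELL                  # ciphertext dimension
B = 2                        # fresh noise is uniform in [-B, B]


def centered(x):
    """Representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x >= q // 2 else x


def bit_decomp(a):
    """Z_q^K -> {0,1}^N: the ELL bits of each coordinate, least significant first."""
    return [(ai >> j) & 1 for ai in a for j in range(ELL)]


def bit_decomp_inv(a):
    """Z^N -> Z_q^K for arbitrary (not only binary) entries: sum_j 2^j * a[i*ELL + j]."""
    return [sum(a[i * ELL + j] << j for j in range(ELL)) % q for i in range(K)]


def flatten(row):
    """Make a row binary without changing its inner product with Powersof2(t)."""
    return bit_decomp(bit_decomp_inv(row))


def powers_of_2(t):
    """v = (t_0, 2 t_0, ..., 2^(ELL-1) t_0, t_1, ...), so <BitDecomp(a), v> = <a, t>."""
    return [(ti << j) % q for ti in t for j in range(ELL)]


def keygen():
    s = [rng.randrange(q) for _ in range(n)]
    t = [1] + [(-si) % q for si in s]        # <(b, a), t> = b - <a, s>
    return s, t


def encrypt(s, mu):
    """C = Flatten(mu * I_N + BitDecomp(R)); the rows of R are LWE samples (b_i, a_i)."""
    C = []
    for i in range(N):
        a = [rng.randrange(q) for _ in range(n)]
        e = rng.randint(-B, B)
        b = (sum(x * y for x, y in zip(a, s)) + e) % q
        row = bit_decomp([b] + a)
        row[i] += mu                         # the mu * I_N term
        C.append(flatten(row))
    return C


def phase(t, C):
    """C * v mod q, one entry per row, as centered integers."""
    v = powers_of_2(t)
    return [centered(sum(c * vi for c, vi in zip(row, v))) for row in C]


def decrypt(t, C):
    """Row ELL-1 of C has v_i = 2^(ELL-1) * t_0 = q/2, so its phase is mu * q/2 + e_i."""
    x = phase(t, C)[ELL - 1] % q
    return 1 if q // 4 <= x < 3 * q // 4 else 0


def noise(t, C, mu):
    """max_i |e_i| where C * v = mu * v + e, for the known plaintext mu."""
    v = powers_of_2(t)
    return max(abs(centered(ph - mu * vi)) for ph, vi in zip(phase(t, C), v))


def mat_mul(A, M):
    cols = list(zip(*M))
    return [[sum(x * y for x, y in zip(row, col)) % q for col in cols] for row in A]


def add(C1, C2):
    """Decrypts to mu1 + mu2 (XOR for bits) with noise e1 + e2."""
    return [flatten([x + y for x, y in zip(r1, r2)]) for r1, r2 in zip(C1, C2)]


def multiply(C1, C2):
    """Flatten(C1 * C2) decrypts to mu1 * mu2 with noise mu2 * e1 + C1 * e2; C1 is binary,
    so |C1 * e2| <= N * |e2| while the left factor's own noise is only multiplied by a bit."""
    return [flatten(row) for row in mat_mul(C1, C2)]


def sequential_product(cts):
    """Accumulator on the left, fresh ciphertext on the right: each step adds at most
    N * B noise, so k factors give noise <= B + (k - 1) * N * B (linear, not squared)."""
    acc = cts[0]
    for C in cts[1:]:
        acc = multiply(acc, C)
    return acc


if __name__ == "__main__":
    s, t = keygen()
    bits = [1, 1, 1, 1, 1, 1]
    prod = sequential_product([encrypt(s, b) for b in bits])
    print("product of", bits, "decrypts to", decrypt(t, prod),
          "with noise", noise(t, prod, 1), "<= bound", B + (len(bits) - 1) * N * B)
```

The order of the factors is the whole point: `multiply(acc, fresh)` keeps the accumulated noise $\mathbf{e}_{\mathrm{acc}}$ multiplied only by the fresh bit, whereas `multiply(fresh, acc)` would multiply it by $N$ at every step and recover the geometric growth that Barrington's theorem was introduced to avoid.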

4.1.3  Multi-key  FHE  and  On-the-Fly  Multiparty  Computation 

Homomorphic encryption enables an untrusted server to compute on ciphertexts encrypted under a single user's key. Often in practice, we want to compute on data belonging to multiple users who encrypt it under their own keys. Indeed, the most valuable computations are of this nature: hospitals that want to collaborate on their private datasets on rare diseases, financial institutions that want to collaborate and discover global trends in the market, and so on.

We define a new type of encryption scheme that we call multikey FHE, which is capable of operating on inputs encrypted under multiple, unrelated keys. A ciphertext resulting from a multikey evaluation can be jointly decrypted using the secret keys of all the users involved in the computation. We construct a multikey FHE scheme based on NTRU [HPS98], a very efficient public-key encryption scheme proposed in the 1990s. It was previously not known how to make NTRU fully homomorphic even for a single party. Indeed, our fully homomorphic system based on NTRU is the leading candidate for a practical FHE scheme, as has been demonstrated in several follow-up works [BLLN13, DDS14, DOSS15], some of which are part of the PROCEED program [RC14].
We also define a new notion of secure multiparty computation aided by a computationally powerful, but untrusted, "cloud" server. In this notion, which we call on-the-fly multiparty computation (MPC), the cloud can non-interactively perform arbitrary, dynamically chosen computations on data belonging to arbitrary sets of users chosen on the fly. All users' input data and intermediate results are protected from snooping by the cloud as well as by other users. This extends the standard notion of fully homomorphic encryption (FHE), where users can only enlist the cloud's help in evaluating functions on their own encrypted data.

In on-the-fly MPC, each user is involved only when initially uploading his (encrypted) data to the cloud, and in a final output decryption phase when outputs are revealed; the complexity of both is independent of the function being computed and of the total number of users in the system. When users upload their data, they need not decide in advance which function will be computed, nor who they will compute with; they need only retroactively approve the eventually chosen functions and on whose data the functions were evaluated.

This  notion  is  qualitatively  the  best  possible  in  minimizing  interaction,  since  the  users’  interaction  in  the 
decryption  stage  is  inevitable:  we  show  that  removing  it  would  imply  generic  (virtual  black-box)  program 
obfuscation  and  is  thus  impossible. 

While  our  construction  was  based  on  the  NTRU  assumption,  there  has  since  been  a  novel  construction 
of  multi-key  FHE  from  LWE  and  Ring  LWE  assumptions  [CM15,  MW15]. 

4.1.4  Practical  HE:  Machine  Learning  on  Encrypted  Data 

Machine learning classification is used in numerous settings nowadays, such as medical or genomic predictions, spam detection, face recognition, and financial predictions. Due to privacy concerns in some of these applications, it is important that both the data and the classifier remain confidential.

In  work  by  PI  Goldwasser  and  collaborators  [BPTG15],  we  construct  three  major  classification  protocols 
that  satisfy  privacy  constraints:  hyperplane  decision,  Naive  Bayes,  and  decision  trees.  These  protocols  may 
also  be  combined  with  AdaBoost.  They  rely  on  a  new  library  of  building  blocks  for  constructing  classifiers 
securely.  We  demonstrate  the  versatility  of  this  library  by  constructing  a  face  detection  classifier.  In  addition, 
our  protocols  are  efficient,  taking  milliseconds  to  a  few  seconds  to  perform  a  classification  when  running  on 
real  medical  datasets. 

We  remark  that  supervised  learning  algorithms  consist  of  two  phases:  (i)  the  training  phase  during  which 
the  algorithm  learns  a  model  w  from  a  data  set  of  labeled  examples,  and  (ii)  the  classification  phase  that  runs 
a  classifier  C  over  a  previously  unseen  feature  vector  x,  using  the  model  w  to  output  a  prediction  C(x,  w). 
In  applications  that  handle  sensitive  data,  it  is  important  that  the  feature  vector  x  and  the  model  w  remain 
secret  to  one  or  some  of  the  parties  involved.  Our  protocols  pertain  to  the  second  classification  phase. 

4.2  Results:  Functional  Encryption 

Homomorphic  encryption  opens  the  door  to  many  exciting  applications,  but  also  raises  questions  as  to  its 
ultimate  usefulness.  Perhaps  the  biggest  such  question  is: 

Who  can  decrypt  the  result  of  computations  on  encrypted  data? 

Although  computation  on  encrypted  data  using  FHE  can  be  performed  by  anyone,  only  the  holder  of  the 
secret  key  can  decrypt  the  result  of  a  computation;  the  secret  key,  however,  allows  decryption  of  the  entire 
data  and  not  just  the  result.  This  rules  out  a  large  class  of  applications  in  which  the  party  computing  on 
the  encrypted  data  needs  to  determine  the  computation  result  on  its  own,  but  should  not  know  anything  else 
about  the  input,  and  should  not  assume  that  the  secret  key  owner  is  online  to  help  him  decrypt.  This  leads  to 
the question: can we selectively reveal chosen functions of the data while keeping all other information hidden? This question truly exemplifies the essence of the paradigm of computing on encrypted data, namely, the delicate balance between keeping data private on the one hand, and revealing carefully chosen functions of it on the other.

A promising approach to this problem is functional encryption [SW05, GPSW06, KSW13, BSW12], where the holder of the master secret key can generate and provide others with keys for functions, for example $\mathsf{sk}_f$ for a function $f$. Anyone with access to the key $\mathsf{sk}_f$ and an encryption of $x$ can obtain $f(x)$, but nothing more about $x$. In fact, we will require that an adversary who obtains polynomially many secret keys $\mathsf{sk}_{f_1}, \mathsf{sk}_{f_2}, \ldots, \mathsf{sk}_{f_n}$ and an encryption of $x$ can learn $f_1(x), \ldots, f_n(x)$ but nothing else. This is called many-key security or collusion resistance, whereas the former requirement is called single-key security.

There  are  many  variants  we  will  be  interested  in  which  differ  in  the  functionality  and  security  properties. 

•  Attribute-based Encryption: In an attribute-based encryption (ABE) scheme [SW05, GPSW06], one encrypts payload data $M$ relative to a set of attributes $x$. Given the secret key for a Boolean function (also called a predicate) $f$, one can decrypt and obtain the payload $M$ if and only if $f(x) = 1$. Attribute-based encryption does not require that the encryption hide the attributes, only that it hide the payload.

•  Predicate Encryption: A predicate encryption (PE) scheme has the exact same interface as ABE, except that it requires some form of hiding of the attributes. In particular, in the presence of keys that do not decrypt, namely keys for functions $f$ such that $f(x) = 0$, we require that the attributes $x$ be completely hidden. However, if the adversary obtains the key for a function $f$ such that $f(x) = 1$, we require no hiding. This is called weak attribute hiding. Thus, predicate encryption is just another way of saying "ABE with weak attribute hiding".

•  Functional Encryption: In a functional encryption scheme, one encrypts an input $x$ and, given a functional key $\mathsf{sk}_f$, one can compute $f(x)$ and only $f(x)$. By a simple transformation, this turns out to be equivalent to an ABE with strong attribute hiding, namely one where the encryptions of $(x_0, M_0)$ and $(x_1, M_1)$ are computationally indistinguishable given many functional keys $\mathsf{sk}_f$ where either: (a) $f(x_0) = f(x_1) = 0$; or (b) $f(x_0) = f(x_1) = 1$ and $M_0 = M_1$. Thus, functional encryption is just another way of saying "ABE with strong attribute hiding".

A major contribution of our project was the systematic study of various types of functional encryption schemes. Our results made dramatic advances in the state of the art for functional encryption, constructing the first ABE schemes for general circuits [GVW13] and the first single-key succinct functional encryption for general circuits [GKP+13]. We describe our results in detail below. Figure 2 contains a summary of the most significant results to date in the field of functional encryption.


4.2.1  Attribute-based  Encryption 

In an attribute-based encryption (ABE) scheme, a ciphertext is associated with an L-bit public index IND and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows one to decrypt the ciphertext and learn m iff P(IND) = 1. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext.
Scheme                               Class of Functions Supported   Assumption
-----------------------------------  -----------------------------  ----------------------------
Identity-based Encryption [BF01]     Point Functions                Bilinear DDH
Identity-based Encryption [Coc01]    Point Functions                Quadratic Residuosity
Fuzzy IBE [SW05]                     Hamming distance               Bilinear DDH
Formula ABE [GPSW06]                 Boolean formulas               Bilinear DDH
Circuit ABE [GVW13]                  Circuits*                      (Sub-exponential) LWE
(Compact) Circuit ABE [BGG+14]       Circuits*                      (Sub-exponential) LWE
Inner product PE [AFV11]             Inner product zero-testing     LWE
Circuit PE [GVW15]                   Circuits*                      (Sub-exponential) LWE
Inner product FE [KSW13, LOS+10]     Inner product zero-testing     Bilinear†
Single-key FE [SS10]                 Circuits                       Any public-key encryption
Bounded-key FE [GVW12]               Circuits                       Any public-key encryption
Bounded-key Succinct FE [GKP+13]     Circuits*                      (Sub-exponential) LWE
Many-key FE [GGH+13]                 Circuits                       Existence of iO obfuscation
Multi-input FE [GGG+14]              Circuits                       Existence of iO obfuscation
Many-key FE [GGHZ14]                 Circuits                       Multi-linear Elimination

Figure 2: Attribute-based, Predicate and Functional Encryption Schemes. The first six rows are ABE, the next two PE and the rest are FE schemes. The rows in gray represent contributions from our team.


We present attribute-based encryption schemes for circuits of any arbitrary polynomial size, where the public parameters and the ciphertext grow linearly with the depth of the circuit. Our construction is secure under the standard learning with errors (LWE) assumption. Previous constructions of attribute-based encryption were for Boolean formulas, captured by the complexity class NC1.

In the course of our construction, we present a new framework for constructing ABE schemes. As a by-product of our framework, we obtain ABE schemes for polynomial-size branching programs, corresponding to the complexity class LOGSPACE, under quantitatively better assumptions.

4.2.2 Bounded-Key Functional Encryption

We construct a functional encryption scheme secure against an a priori bounded polynomial number of collusions for the class of all polynomial-size circuits. Our constructions require only semantically secure public-key encryption schemes and pseudo-random generators computable by small-depth circuits (known to be implied by most concrete intractability assumptions). For certain special cases such as predicate encryption schemes with public index, the construction requires only semantically secure encryption schemes, which is clearly the minimal necessary assumption.

Our constructions rely heavily on techniques from secure multiparty computation and randomized encodings. All our constructions are secure under a strong, adaptive simulation-based definition of functional encryption.

4.2.3  Succinct  Functional  Encryption  and  Reusable  Garbled  Circuits 

Functional Encryption is a new paradigm for public-key encryption that enables fine-grained control of access to encrypted data. It provides, for instance, the ability to release secret keys associated with a keyword that can decrypt only those documents that contain the keyword. More generally, functional encryption allows the owner of a “master” secret key to release restricted secret keys that reveal a specific function of encrypted data. This stands in stark contrast to traditional encryption, where access to the encrypted data is all or nothing.

Goldwasser,  Vaikuntanathan  and  their  co-authors  in  [GKP+13]  proposed  new  functional  encryption 
schemes  which  can  evaluate  functions  and  more  generally  run  algorithms,  over  encrypted  data  in  time  which 
grows  proportionally  with  the  time  it  takes  to  evaluate  the  algorithms  over  the  unencrypted  data.  This  is  in 
contrast  with  previous  functional  encryption  schemes  where  the  cost  of  running  algorithms  over  encrypted 
data  was  proportional  to  the  worst-case  running  time  (over  all  possible  data). 

A  circuit  garbling  scheme,  which  has  been  one  of  the  most  useful  primitives  in  modern  cryptography, 
is  a  construction  originally  suggested  by  Yao  in  the  80s  in  the  context  of  secure  two-party  computation 
[Yao86].  This  construction  relies  on  the  existence  of  a  one-way  function  to  encode  an  arbitrary  circuit  C 
(“garbling”  the  circuit)  and  then  encode  any  input  x  to  the  circuit  (where  the  size  of  the  encoding  is  short, 
namely,  it  does  not  grow  with  the  size  of  the  circuit  C) ;  a  party  given  the  garbling  of  C  and  the  encoding  of  x 
can  run  the  garbled  circuit  on  the  encoded  x  and  obtain  C(x).  The  most  basic  properties  of  garbled  circuits 
are  circuit  and  input  privacy:  an  adversary  learns  nothing  about  the  circuit  C  or  the  input  x  other  than  the 
result  C(x).  Over  the  years,  garbled  circuits  and  variants  thereof  have  found  many  applications.  However, 
a  basic  limitation  of  the  original  construction  remains:  it  offers  only  one-time  usage.  Specifically,  providing 
an  encoding  of  more  than  one  input  compromises  the  secrecy  of  the  circuit.  Thus,  evaluating  the  circuit  C 
on  any  new  input  requires  an  entirely  new  garbling  of  the  circuit. 

The  problem  of  reusing  garbled  circuits  has  been  open  for  30  years.  Using  our  newly  constructed 
succinct  functional  encryption  scheme  we  are  now  able  to  build  reusable  garbled  circuits  that  achieve  circuit 
and  input  privacy:  a  garbled  circuit  for  any  computation  of  depth  d  (where  the  parameters  of  the  scheme 
depend  on  d),  which  can  be  run  on  any  polynomial  number  of  inputs  without  compromising  the  privacy  of 
the  circuit  or  the  input. 
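As an added illustration (example code written for this page, not code from [Yao86] or [GKP+13]), the following Python implements a textbook Yao garbling of a Boolean circuit and then demonstrates the one-time limitation stated above: once the evaluator holds input encodings for two different inputs, it owns both labels of the affected wires and can decrypt every row of a gate table, recovering the gate's truth table (so an AND gate is distinguishable from an OR gate, which is exactly the loss of circuit privacy). The row encryption (SHA-256 keyed by the two active labels and a gate id, with a zero tag for trial decryption) is this example's choice of PRF, not the construction of any cited paper, and the demo circuit is constructed.

```python
import hashlib
import random
import secrets

LABEL_LEN = 16          # bytes per wire label
TAG = b"\x00" * 8       # zero tag appended to each row's plaintext; marks the row that decrypts
AND = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
XOR = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 0}


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(gate_id: int, ka: bytes, kb: bytes) -> bytes:
    """Keystream for one gate row, derived from the gate id and the two active input labels.
    SHA-256 stands in for the PRF / random oracle here (an assumption of this example)."""
    return hashlib.sha256(gate_id.to_bytes(4, "big") + ka + kb).digest()[: LABEL_LEN + len(TAG)]


def garble(circuit, n_inputs):
    """Garble a circuit given as a list of (gate_id, truth_table, wire_a, wire_b, wire_out).
    Wires 0..n_inputs-1 are the inputs; the last gate's output wire is the circuit output.
    Returns (garbled_gates, input_labels, output_decoding)."""
    labels = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
              for w in range(n_inputs)}
    garbled = []
    for gid, table, wa, wb, wo in circuit:
        labels[wo] = (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
        rows = []
        for a in (0, 1):
            for b in (0, 1):
                plaintext = labels[wo][table[(a, b)]] + TAG
                rows.append(_xor_bytes(_pad(gid, labels[wa][a], labels[wb][b]), plaintext))
        random.SystemRandom().shuffle(rows)   # hide which row belongs to which input pair
        garbled.append((gid, rows, wa, wb, wo))
    out_wire = circuit[-1][4]
    input_labels = [labels[w] for w in range(n_inputs)]
    output_decoding = {labels[out_wire][0]: 0, labels[out_wire][1]: 1}
    return garbled, input_labels, output_decoding


def encode_input(input_labels, bits):
    """Input encoding: one label per input wire.  Its size is independent of the circuit."""
    return {w: input_labels[w][bit] for w, bit in enumerate(bits)}


def _decrypt_gate(gid, rows, ka, kb):
    pad = _pad(gid, ka, kb)
    for row in rows:
        pt = _xor_bytes(pad, row)
        if pt[LABEL_LEN:] == TAG:
            return pt[:LABEL_LEN]
    return None


def evaluate(garbled, active_labels):
    """Run the garbled circuit on an encoded input; returns the output wire's active label."""
    active = dict(active_labels)
    for gid, rows, wa, wb, wo in garbled:
        out = _decrypt_gate(gid, rows, active[wa], active[wb])
        if out is None:
            raise ValueError(f"gate {gid}: no row decrypts, labels are not a valid encoding")
        active[wo] = out
    return active[garbled[-1][4]]


def run(garbled, input_labels, output_decoding, bits):
    return output_decoding[evaluate(garbled, encode_input(input_labels, bits))]


def recover_truth_table(garbled_gate, labels_a, labels_b, output_decoding):
    """The reuse attack: with BOTH labels of each input wire (leaked by two encodings that
    differ on those wires) the evaluator decrypts all four rows and learns the gate's function."""
    gid, rows, _, _, _ = garbled_gate
    return {(a, b): output_decoding[_decrypt_gate(gid, rows, labels_a[a], labels_b[b])]
            for a in (0, 1) for b in (0, 1)}


if __name__ == "__main__":
    # Constructed demo circuit: (x0 AND x1) XOR x2 on input wires 0, 1, 2.
    circuit = [(1, AND, 0, 1, 3), (2, XOR, 3, 2, 4)]
    g, inp, dec = garble(circuit, 3)
    print("correct on all inputs:", all(run(g, inp, dec, (x0, x1, x2)) == (x0 & x1) ^ x2
                                        for x0 in (0, 1) for x1 in (0, 1) for x2 in (0, 1)))
    # One-time property: a single AND gate, evaluator given encodings of (0,0) and (1,1).
    g1, inp1, dec1 = garble([(7, AND, 0, 1, 2)], 2)
    both_a = (encode_input(inp1, (0, 0))[0], encode_input(inp1, (1, 1))[0])
    both_b = (encode_input(inp1, (0, 0))[1], encode_input(inp1, (1, 1))[1])
    print("gate recovered from two encodings:", recover_truth_table(g1[0], both_a, both_b, dec1) == AND)
```

The recovery step is the whole story of the one-time restriction: nothing in the gate table is broken, the evaluator simply ends up holding the keys for every row. The reusable construction described above avoids this by never handing out raw wire labels for a second input.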

4.2.4  Multi-Input  Functional  Encryption 

We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypted data which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted databases, non-interactive differentially private data release, delegation of computation, etc.

We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS’01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.

4.3  Results:  Large-Scale  Multiparty  Computation 

It turns out that methods for computing on “encrypted” data, broadly defined, were known even before the current buzz on fully homomorphic encryption. In particular, the notion of secure multi-party computation (MPC) has been thoroughly studied over the past decades. Secure multiparty computation protocols allow n ≥ 2 parties, each holding its own input, to collaborate and compute a joint function of their inputs, while ensuring that each party reveals nothing else to the others.

The vast majority of works assume a full communication pattern: every party exchanges messages with all the network participants over a complete network of point-to-point channels. This can be problematic in modern large-scale networks, where the number of parties can be of the order of millions, as for example when computing on large distributed data.

Motivated by the above observation, PI Goldwasser, together with graduate student Elette Boyle and postdoc Stefano Tessaro [BGT13], put forward the notion of communication locality, namely the total number of point-to-point channels that each party uses in the protocol, as a quality metric of MPC protocols. They proved that, assuming a public-key infrastructure (PKI) and a common reference string (CRS), an MPC protocol can be constructed for computing any n-party function, with the following properties:

• The communication locality of the protocol is O(log^c n), for an appropriate constant c; that is, each party need only talk to O(log^c n) other parties;

• The round complexity is O(log^c n), for an appropriate constant c;

• The protocol tolerates a static (i.e., non-adaptive) adversary corrupting up to t < (1/3 − ε)n parties, for any given constant 0 < ε < 1/3.

Continuing along this line of thought, further work of PI Goldwasser together with collaborators addressed two questions left open by this result: (a) Can we achieve low communication locality and round complexity while tolerating adaptive adversaries? and (b) Can we achieve low communication locality with optimal resiliency t < n/2?

In work with collaborators [CCG+15], PI Goldwasser answered both questions affirmatively. First, we consider the model from [BGT13], where we replace the CRS with a symmetric-key infrastructure (SKI). In this model we give a protocol with communication locality and round complexity polylog(n) (as in the work of [BGT13]) which tolerates up to t < n/2 adaptive corruptions, under a standard intractability assumption for adaptively secure protocols, namely, the existence of trapdoor permutations whose domain has invertible sampling. This is done by using the SKI to derive a sequence of random hidden communication graphs among players. A central new technique then shows how to use these graphs to emulate a complete network in polylog(n) rounds while preserving the polylog(n) locality. Second, we show how we can even remove the SKI setup assumption at the cost, however, of increasing the communication locality (but not the round complexity) by a factor of √n.

4.4  Results:  Leakage-Resilient  Computation 

The absolute privacy of the secret keys associated with cryptographic algorithms has been the corner-stone of modern cryptography. Modern cryptographic algorithms are designed under the assumption that keys are perfectly secret, and that computations done within your personal computer look like a black box to the outside. Still, in practice, keys do get compromised at times and computations are not opaque, for a variety of reasons. A particularly disturbing loss of secrecy is the result of side channel attacks (see [Koc96, KJJ99, QS01, AARR02, QK02, BE03, Rel, ECR] for many examples). These attacks exploit the fact that every cryptographic algorithm is ultimately implemented on a physical device, and such implementations enable “observations” which can be made and measured on secret data and secret keys. Indeed, side channel observations can lead to information leakage about secret keys, which in turn can lead, and has led, to complete breaks of systems which have been proved mathematically secure, without violating any of the underlying mathematical principles or assumptions. Traditionally, such attacks have been followed by ad-hoc “fixes” which make a specific implementation invulnerable to particular attacks, only to potentially be broken again by new examples of side-channel attacks.

In  recent  years,  starting  with  the  works  of  Canetti,  Dodis,  Halevi,  Kushilevitz  and  Sahai  [CDH+00], 
Ishai,  Sahai  and  Wagner  [ISW03]  and  Micali  and  Reyzin  [MR04],  a  new  goal  has  been  set  within  the 
cryptography  community:  to  build  general  theories  of  physical  security  against  large  classes  of  families  of 
side  channel  attacks.  A  large  body  of  work  has  accumulated  by  now  [CDH+00,  DSS01,  ISW03,  MR04, 
DP08,  AGV09,  ADW09,  NS09,  DKL09,  Pie09,  PSP+08,  GKR08,  DP08]  in  which  different  classes  of  side 
channel  attacks  have  been  defined  and  different  cryptographic  primitives  have  been  designed  to  provably 
withstand  these  attacks. 

Any cryptographic protocol, including decryption and signature algorithms, multi-party computation and zero-knowledge, is potentially vulnerable to leakage, and measures must be taken to protect them. Our goal is to design general purpose tools that accomplish this objective.

4.4.1  Goldwasser-Rothblum  Leakage-Resilience  Compiler 

Goldwasser  and  Rothblum  [GR07]  address  the  following  problem:  how  to  execute  any  algorithm  P,  for 
an  unbounded  number  of  executions,  in  the  presence  of  an  adversary  who  observes  partial  information  on 
the  internal  state  of  the  computation  during  executions.  The  security  guarantee  is  that  the  adversary  learns 
nothing,  beyond  P’s  input/output  behavior.  This  general  problem  is  important  for  running  cryptographic 
algorithms  in  the  presence  of  side-channel  attacks,  as  well  as  for  running  non-cryptographic  algorithms, 
such  as  a  proprietary  search  algorithm  or  a  game,  on  a  cloud  server  where  parts  of  the  execution’s  internals 
might  be  observed. 

Their main result is a compiler, which takes as input an algorithm P and a security parameter k, and produces a functionally equivalent algorithm P' such that the running time of P' is a factor of poly(k) slower than P and is composed of a series of calls to poly(k)-time computable sub-algorithms. During the executions of P', an adversary algorithm A can choose the inputs of P' and learn the results of adaptively chosen leakage functions, each of bounded output size Ω(k), on the sub-algorithms of P' and the randomness they use.

They show that any computationally unbounded A observing the results of computationally unbounded leakage functions will learn no more from its observations than it could given black-box access only to the input-output behavior of P. This result is unconditional and does not rely on any secure hardware components.

4.4.2  Leakage-Resilient  Multiparty  Computation 

The  problem  of  leakage  on  secret  inputs  is  applicable  to  multi-party  secure  function  evaluation  as  well  as 
the  basic  cryptographic  primitives.  For  some  multi-party  functions,  such  as  voting,  such  leakage  can  be 
detrimental. 

In work of Goldwasser et al. [BGJK12], multiparty computation (MPC) protocols are constructed that are secure even against a malicious adversary which, in addition to corrupting a constant fraction c (0 < c < 1) of the parties, can leak information about the secret state of each honest, non-corrupt party. This leakage can be continuous, for an unbounded number of executions of the MPC protocol, computing different functions on the same or different sets of inputs. We assumed a (necessary) “leak-free” preprocessing stage.

We emphasize that leakage resilience is achieved without weakening the security guarantee of classical MPC. Namely, an adversary who is given leakage on honest parties’ states is guaranteed to learn nothing beyond the input and output values of corrupted parties. Our result relies on standard cryptographic assumptions, and our security parameter is polynomially related to the number of parties.

4.5  Results:  Functional  Signatures  and  Pseudorandom  Functions 

In the spirit of our work on functional encryption, PI Goldwasser together with graduate students Boyle and Ivan [BGI14a] introduced two new cryptographic primitives, named functional signatures and functional pseudorandom functions (PRFs), and showed how to construct them under some cryptographic hardness assumptions. In a functional signature scheme, in addition to a master signing key, there are also auxiliary signing keys, each defined for a different function f, which allow one to sign a message m if and only if f(m) = 1. In a functional PRF, there are auxiliary secret keys, each for a function f, which allow one to evaluate the PRF on any y if f(y) = 1.

A  natural  application  of  functional  signature  schemes  is  the  delegation  of  the  signing  process:  For  a 
policy  P,  consider  a  function  f  such  that  f(m)  =  1  if  P(m )  =  1  and  f(m)  =  NIL  otherwise;  then  a 
signing  key  for  f  allows  one  to  sign  message  m  if  and  only  if  P(m)  =  1.  Similarly,  with  functional  PRFs, 
one  can  construct  PRFs  with  selective  access,  in  which  there  are  keys  for  a  policy  P  that  allow  one  to  evaluate 
PRF  on  any  x  if  P(x )  =  1. 

Another application of functional signatures is to certify that only allowable computations were performed on data. For example, imagine the setting of a digital camera that produces signed photos (i.e., the original photos produced by the camera can be certified). In this case, one may want to allow photo-processing software to perform minor touch-ups of the photos, such as changing the color scale or removing red-eye, but not allow more significant changes such as merging two photos or cropping a picture. But how can an original photo which is slightly touched-up be distinguished from one which is the result of a major change? Functional signatures can naturally address this problem by providing the photo-processing software with keys which enable it to sign only the allowable modifications of an original photograph. Generalizing, we think of a client and a server (e.g., photo-processing software), where the client provides the server with data (e.g., signed original photos, text documents, medical data) which it wants to be processed in a restricted fashion. A functional signature on the processed data provides proof of allowable processing.
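As an added example (written for this page; it is not the construction or code of [BGI14a]), the following Python realises the signing-delegation application just described with a certificate chain: the master key signs a certificate binding a policy name to a fresh verification key, the delegate signs only messages m with P(m) = 1 under that fresh key, and the verifier re-checks P(m) itself against its own copy of the policy, so a delegate cannot stretch its key to messages outside the policy. The underlying signature is a Lamport one-time signature over SHA-256, chosen so the example runs with the standard library alone (each key signs one message; any standard signature scheme would replace it in practice). The policy name and messages are constructed for the demo.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (this example's stand-in for any EUF-CMA signature scheme) ---
def ots_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, vk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal one preimage per hash bit


def ots_verify(vk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == vk[i][b] for i, b in enumerate(_bits(msg)))


def _encode_vk(vk) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in vk)


# --- Functional signatures by certificate chain ---
def fs_keygen():
    """Master signing key (msk) and master verification key (mvk)."""
    return ots_keygen()


def fs_delegate(msk, policy_name: str):
    """sk_f for f(m) = m if P(m) = 1 and NIL otherwise: a fresh key pair plus a master-signed
    certificate binding the policy name to the fresh verification key."""
    sk_f, vk_f = ots_keygen()
    cert = ots_sign(msk, b"cert|" + policy_name.encode() + b"|" + _encode_vk(vk_f))
    return {"policy": policy_name, "sk": sk_f, "vk": vk_f, "cert": cert}


def fs_sign(key, policies, m: bytes):
    """Sign m with a delegated key; returns None (f(m) = NIL) when the policy rejects m."""
    if not policies[key["policy"]](m):
        return None
    return {"policy": key["policy"], "vk": key["vk"], "cert": key["cert"],
            "sig": ots_sign(key["sk"], m)}


def fs_verify(mvk, policies, m: bytes, fsig) -> bool:
    """Accept only if (1) the verifier's own copy of the named policy accepts m, (2) the master
    key certified this policy / verification-key pair and (3) m is signed under that key."""
    policy = policies.get(fsig["policy"])
    if policy is None or not policy(m):
        return False
    cert_msg = b"cert|" + fsig["policy"].encode() + b"|" + _encode_vk(fsig["vk"])
    return ots_verify(mvk, cert_msg, fsig["cert"]) and ots_verify(fsig["vk"], m, fsig["sig"])


if __name__ == "__main__":
    # Constructed policy: the photo-processing server may only emit "touchup:" records.
    policies = {"touchup_only": lambda m: m.startswith(b"touchup:")}
    msk, mvk = fs_keygen()
    server_key = fs_delegate(msk, "touchup_only")
    ok = fs_sign(server_key, policies, b"touchup:red-eye-removed")
    print("allowed edit verifies:", fs_verify(mvk, policies, b"touchup:red-eye-removed", ok))
    print("disallowed edit refused:", fs_sign(server_key, policies, b"merge:two-photos") is None)
```

The check in fs_verify is the part that matters for security: a delegate that bypasses fs_sign and signs a disallowed message directly with sk_f still produces a valid Lamport signature, but the verifier rejects it because the certified policy does not accept the message.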

4.5.1  Functional  Signatures  and  Pseudorandom  Functions 

Pseudorandom functions, introduced by Goldreich, Goldwasser, and Micali in 1986 [GGM86], are a family of indexed functions F = {F_s} such that: (1) given the index s, F_s can be efficiently evaluated on all inputs; (2) no probabilistic polynomial-time algorithm without s can distinguish evaluations F_s(x_i), for inputs x_i chosen adversarially, from random values. Pseudorandom functions are useful for numerous symmetric-key cryptographic applications, including generating passwords, identify-friend-or-foe systems, and symmetric-key encryption secure against chosen ciphertext attacks. In the aforementioned work, Goldwasser et al. [BGI14b] extend pseudorandom functions to a primitive which they call functional pseudorandom functions (F-PRF). The idea is that in addition to a master secret key (that can be used to evaluate the pseudorandom function F_s on any point in the domain), there are additional secret keys sk_f per function f, which allow one to evaluate F_s on any y for which there exists x such that f(x) = y (i.e., y ∈ Range(f)). An immediate application of such a construct is to specify succinctly the randomness to be used by parties in a randomized distributed protocol with potentially faulty players, so as to force honest behavior.
The notion of functional pseudorandom functions has many variations. One natural variant that immediately follows is pseudorandom functions with selective access: start with a pseudorandom function as defined in [GGM86], and add the ability to generate secondary keys sk_{P_i} (per predicate P_i) which enable computing F_s(x) whenever P_i(x) = 1. This is a special case of F-PRF, as we can take the secret key for predicate P_i to be sk_{f_i}, where f_i(x) = x if P_i(x) = 1 and NIL otherwise. The special case of punctured PRFs, in which secondary keys allow computing F_s(x) on all inputs except one, is similarly implied and has recently been shown to have important applications (e.g., [SW14]). (We note that independently of our work, a similar primitive was introduced by Boneh et al. and named constrained PRFs.)
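The selective-access and punctured variants have a direct instantiation on the [GGM86] tree, which is the route [BGI14b] and the constrained-PRF work of Boneh et al. both take for prefix predicates: the key for the predicate “x begins with p” is just the seed of the sub-tree rooted at p, and the punctured key for x* is the set of sibling seeds along the root-to-x* path. The Python below is an added example written for this page (not code from either paper); it models the length-doubling PRG with SHA-256, and the master seed and inputs are constructed for the demo.

```python
import hashlib


def prg(seed: bytes, bit: int) -> bytes:
    """Length-doubling PRG G(k) = (G_0(k), G_1(k)); this example models it with SHA-256."""
    return hashlib.sha256(bytes([bit]) + seed).digest()


def ggm_eval(seed: bytes, x: str) -> bytes:
    """GGM PRF F_s(x): starting from the seed s, descend the binary tree along the bits of x."""
    node = seed
    for ch in x:
        node = prg(node, int(ch))
    return node


def constrain(master: bytes, prefixes) -> list:
    """Key for the selective-access predicate P(x) = "x starts with one of prefixes": the
    sub-tree seed at each prefix.  Seeds of other sub-trees sit behind PRG outputs the holder
    never sees, so they stay pseudorandom to it."""
    return [(p, ggm_eval(master, p)) for p in prefixes]


def puncture(master: bytes, x_star: str) -> list:
    """Punctured key: seeds of the siblings along the root-to-x_star path.  Their sub-trees
    cover every n-bit input except x_star, so the key has exactly n entries."""
    siblings = [x_star[:i] + ("1" if x_star[i] == "0" else "0") for i in range(len(x_star))]
    return constrain(master, siblings)


def covers(ckey, x: str) -> bool:
    """P(x) = 1 for the predicate the constrained key was issued for."""
    return any(x.startswith(prefix) for prefix, _ in ckey)


def constrained_eval(ckey, x: str) -> bytes:
    """Evaluate F_s(x) from a constrained key; raises KeyError where the predicate is 0."""
    for prefix, seed in ckey:
        if x.startswith(prefix):
            return ggm_eval(seed, x[len(prefix):])
    raise KeyError(f"constrained key does not cover {x!r}")


if __name__ == "__main__":
    master = hashlib.sha256(b"constructed master seed, demo only").digest()
    x_star = "10110010"
    pk = puncture(master, x_star)
    agree = all(constrained_eval(pk, format(v, "08b")) == ggm_eval(master, format(v, "08b"))
                for v in range(256) if format(v, "08b") != x_star)
    print("punctured key entries:", len(pk), "| agrees with F_s off x*:", agree,
          "| covers x*:", covers(pk, x_star))
```

The punctured key grows only linearly in the input length, and evaluating it costs the same tree walk as the master key; what the holder gains is exactly the set of sub-trees it was given and nothing about F_s(x*).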

4.5.2  Constrained  PRFs  for  Arbitrary  Circuits  from  LWE 

Boneh  et  al.  (Crypto  13)  and  Banerjee  and  Peikert  (Crypto  14)  constructed  pseudorandom  functions  (PRFs) 
from  the  Learning  with  Errors  (LWE)  assumption  by  embedding  combinatorial  objects,  a  path  and  a  tree 
respectively,  in  instances  of  the  LWE  problem.  In  this  work,  we  show  how  to  generalize  this  approach  to 
embed  circuits,  inspired  by  recent  progress  in  the  study  of  Attribute  Based  Encryption. 

Embedding  a  universal  circuit  for  some  class  of  functions  allows  us  to  produce  constrained  keys  for 
functions  in  this  class,  which  gives  us  the  first  standard-lattice-assumption-based  constrained  PRF  (CPRF) 
for general bounded-description bounded-depth functions, for arbitrary polynomial bounds on the description size and the depth. (A constrained key w.r.t. a circuit C enables one to evaluate the PRF on all x for
which  C(x)  =  1,  but  reveals  nothing  on  the  PRF  values  at  other  points.)  We  rely  on  the  LWE  assumption 
and  on  the  one-dimensional  SIS  (Short  Integer  Solution)  assumption,  which  are  both  related  to  the  worst 
case  hardness  of  general  lattice  problems.  Previous  constructions  for  similar  function  classes  relied  on  such 
exotic  assumptions  as  the  existence  of  multilinear  maps  or  secure  program  obfuscation.  The  main  drawback 
of  our  construction  is  that  it  does  not  allow  collusion  (i.e.  to  provide  more  than  a  single  constrained  key  to 
an  adversary).  Similarly  to  the  aforementioned  previous  works,  our  PRF  family  is  also  key  homomorphic. 

Interestingly,  our  constrained  keys  are  very  short.  Their  length  does  not  depend  directly  either  on  the 
size  of  the  constraint  circuit  or  on  the  input  length.  We  are  not  aware  of  any  prior  construction  achieving 
this  property,  even  relying  on  strong  assumptions  such  as  indistinguishability  obfuscation. 

4.5.3 Aggregate Pseudo-random Functions and Connections to Learning Theory

In  the  first  part  of  this  work,  we  introduce  a  new  type  of  pseudo-random  function  for  which  “aggregate 
queries”  over  exponential-sized  sets  can  be  efficiently  answered.  An  example  of  an  aggregate  query  may 
be  the  product  of  all  function  values  belonging  to  an  exponential-sized  interval,  or  the  sum  of  all  function 
values  on  points  for  which  a  polynomial  time  predicate  holds.  We  show  how  to  use  algebraic  properties 
of  underlying  classical  pseudo  random  functions,  to  construct  aggregatable  pseudo  random  functions  for  a 
number  of  classes  of  aggregation  queries  under  cryptographic  hardness  assumptions.  On  the  flip  side,  we 
show  that  certain  aggregate  queries  are  impossible  to  support. 

In  the  second  part  of  this  work,  we  show  how  various  extensions  of  pseudo-random  functions  considered 
recently  in  the  cryptographic  literature,  yield  impossibility  results  for  various  extensions  of  machine  learning 
models,  continuing  a  line  of  investigation  originated  by  Valiant  and  Kearns  in  the  1980s  and  1990s.  The 
extended  pseudo-random  functions  we  address  include  constrained  pseudo  random  functions,  aggregatable 
pseudo  random  functions,  and  pseudo  random  functions  secure  under  related-key  attacks. 
Conclusions and Recommendations


We  conclude  by  addressing  the  question  of  which  FHE  scheme  to  use  in  practice. 

It appears that the BGV scheme [BGV12] or one of its adaptations (following Brakerski’s scale-invariant technique [Bra12], SIMD techniques [GHS12a], or using an NTRU variant [LTV12, BLLN13]) is the method of choice to get the maximal efficiency in practice. Indeed, the homomorphic encryption library HElib [HS15] implements the BGV encryption scheme together with the GHS SIMD techniques. Although the third generation of FHE schemes appears to be more efficient, they lack mechanisms for SIMD evaluation at the time of writing. This remains a major open problem in the field, with potentially dramatic implications for efficiency.

Regarding  the  ABE,  functional  encryption  and  other  advanced  schemes,  the  efficiency  of  these  schemes 
has  been  steadily  improving  over  the  years,  and  we  believe  the  current  schemes  specialized  to  particular 
functions  should  be  efficient  enough  in  practice.  Regardless,  we  leave  implementations  of  these  schemes  as 
future  work. 
Efficient Fully Homomorphic Encryption from (Standard) LWE


Zvika Brakerski*


Vinod Vaikuntanathan


Abstract 

We  present  a  fully  homomorphic  encryption  scheme  that  is  based  solely  on  the  (standard) 
learning  with  errors  (LWE)  assumption.  Applying  known  results  on  LWE,  the  security  of  our 
scheme  is  based  on  the  worst-case  hardness  of  “short  vector  problems”  on  arbitrary  lattices. 

Our  construction  improves  on  previous  works  in  two  aspects: 

1. We show that “somewhat homomorphic” encryption can be based on LWE, using a new re-linearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings.

2.  We  deviate  from  the  “squashing  paradigm”  used  in  all  previous  works.  We  introduce  a 
new  dimension-modulus  reduction  technique,  which  shortens  the  ciphertexts  and  reduces 
the  decryption  complexity  of  our  scheme,  without  introducing  additional  assumptions. 

Our scheme has very short ciphertexts and we therefore use it to construct an asymptotically efficient LWE-based single-server private information retrieval (PIR) protocol. The communication complexity of our protocol (in the public-key model) is k · polylog(k) + log |DB| bits per single-bit query (here, k is a security parameter).
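To make the abstract's two techniques concrete, the following Python (an added example for this page, not the paper's own code or parameters) implements the symmetric-key LWE encryption the scheme builds on, with ciphertexts viewed as polynomials in the secret key: a fresh ciphertext is the linear polynomial f(z) = b − ⟨a, z⟩ with f(s) = 2e + m, addition adds polynomials, and multiplication multiplies them, which is why a product ciphertext becomes quadratic in s with O(n^2) coefficients. Re-linearization, the step the abstract introduces, is what converts that quadratic ciphertext back into a linear one; it is not implemented here, so the example shows the problem it solves rather than the solution. The parameters (n = 8, prime q = 65537, errors in [−2, 2]) are toy values chosen only so the noise bounds can be checked by hand, and the seeded generator is for reproducibility, not security.

```python
import random

N = 8            # LWE dimension (toy value)
Q = 65537        # odd prime modulus.  With an even Q the low bit of b - <a, s> would be the
                 # noise-free linear function (<a, s> + m) mod 2 of s, trivially solvable.
E_MAX = 2        # error coefficients drawn uniformly from [-E_MAX, E_MAX]


def new_rng(seed=None):
    return random.Random(seed)   # seeded only for reproducibility; not a CSPRNG


def keygen(rng):
    return [rng.randrange(Q) for _ in range(N)]


def encrypt(s, m, rng):
    """Symmetric LWE encryption of a bit m.  A ciphertext is stored as a polynomial in the
    secret, {monomial: coefficient} with monomial = sorted tuple of secret indices.
    A fresh ciphertext is linear: constant b and coefficient -a_i on s_i, so ct(s) = 2e + m mod Q."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-E_MAX, E_MAX)
    b = (sum(ai * si for ai, si in zip(a, s)) + 2 * e + m) % Q
    ct = {(): b}
    for i, ai in enumerate(a):
        ct[(i,)] = (-ai) % Q
    return ct


def add(c1, c2):
    out = dict(c1)
    for mono, coef in c2.items():
        out[mono] = (out.get(mono, 0) + coef) % Q
    return out


def mul(c1, c2):
    """Tensoring: the product polynomial has degree-2 monomials (i, j), i <= j, so the
    ciphertext grows from N + 1 to 1 + N + N(N+1)/2 coefficients.  Re-linearization (not
    shown) is the step that maps this back to a linear ciphertext under a fresh key."""
    out = {}
    for m1, x in c1.items():
        for m2, y in c2.items():
            mono = tuple(sorted(m1 + m2))
            out[mono] = (out.get(mono, 0) + x * y) % Q
    return out


def _centred(v):
    v %= Q
    return v - Q if v > Q // 2 else v


def phase(ct, s):
    """Evaluate the ciphertext polynomial at s and centre the result in (-Q/2, Q/2]."""
    total = 0
    for mono, coef in ct.items():
        term = coef
        for i in mono:
            term = term * s[i] % Q
        total += term
    return _centred(total)


def decrypt(ct, s):
    """m = (2e + m) mod 2; correct whenever the accumulated noise keeps |phase| < Q/2."""
    return phase(ct, s) % 2


def noise(ct, s):
    return abs(phase(ct, s))


def degree(ct):
    return max(len(mono) for mono in ct)


if __name__ == "__main__":
    rng = new_rng(2011)
    s = keygen(rng)
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(s, m1, rng), encrypt(s, m2, rng)
            csum, cprod = add(c1, c2), mul(c1, c2)
            print(f"m1={m1} m2={m2}: sum -> {decrypt(csum, s)}, product -> {decrypt(cprod, s)}; "
                  f"product ct has {len(cprod)} coefficients (degree {degree(cprod)}), "
                  f"noise {noise(cprod, s)} vs {noise(c1, s)} fresh")
```

Two things to read off the output: the product's phase is (2e_1 + m_1)(2e_2 + m_2), so its noise is roughly the product of the input noises and each multiplication level eats a multiplicative slice of the modulus (the a-priori bounded depth of the abstract), and the product ciphertext has 45 coefficients against 9 for a fresh one, which is the size blow-up re-linearization exists to undo.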
1 Introduction


Fully-homomorphic encryption is one of the holy grails of modern cryptography. In a nutshell, a fully homomorphic encryption scheme is an encryption scheme that allows evaluation of arbitrarily complex programs on encrypted data. The problem was suggested by Rivest, Adleman and Dertouzos [RAD78] back in 1978, yet the first plausible candidate came thirty years later with Gentry’s breakthrough work in 2009 [Gen09b, Gen10] (although there has been partial progress in the meanwhile [GM82, Pai99, BGN05, IP07]).

Gentry’s work showed for the first time that fully homomorphic encryption can be based on cryptographic assumptions. However, his solution involved new and relatively untested cryptographic assumptions. Our work aims to put fully homomorphic encryption on standard, well-studied cryptographic assumptions.

The main building block in Gentry’s construction (a so-called “somewhat” homomorphic encryption scheme) was based on the (worst-case, quantum) hardness of problems on ideal lattices.1 Although lattices have become standard fare in cryptography and lattice problems have been relatively well-studied, ideal lattices are a special breed that we know relatively little about. Ideals are a natural mathematical object to use to build fully homomorphic encryption in that they natively support both addition and multiplication (whereas lattices are closed under addition only). Indeed, all subsequent constructions of fully homomorphic encryption [SV10, DGHV10, BV11] relied on ideals in various rings in an explicit way. Our first contribution is the construction of a “somewhat” homomorphic encryption scheme whose security relies solely on the (worst-case, classical) hardness of standard problems on arbitrary (not necessarily ideal) lattices.

Secondly, in order to achieve full homomorphism, Gentry had to go through a so-called “squashing step” which forced him to make an additional very strong hardness assumption, namely the hardness of the (average-case) sparse subset-sum problem. As if by a strange law of nature, all the subsequent solutions encountered the same difficulty as Gentry did in going from a “somewhat” to a fully homomorphic encryption, and they all countered this difficulty by relying on the same sparse subset-sum assumption. This additional assumption was considered to be the main caveat of Gentry’s solution and removing it has been, perhaps, the main open problem in the design of fully homomorphic encryption schemes. Our second contribution is to remove the necessity of this additional assumption.

Thus, in a nutshell, we construct a fully homomorphic encryption scheme whose security is based solely on the classical hardness of solving standard lattice problems in the worst case.² Specifically, our scheme is based on the learning with errors (LWE) assumption, which is known to be at least as hard as solving hard problems in general lattices. Thus our solution does not rely on lattices directly and is fairly natural to understand and implement.

To  achieve  our  goals,  we  deviate  from  two  paradigms  that  ruled  the  design  of  (a  handful  of) 
candidate  fully  homomorphic  encryption  schemes  [Gen09b,  SV10,  DGHV10,  BV11]: 

1.  We  introduce  the  re-linearization  technique,  and  show  how  to  use  it  to  obtain  a  somewhat 
homomorphic  encryption  that  does  not  require  hardness  assumptions  on  ideals. 

¹ Roughly speaking, ideal lattices correspond to a geometric embedding of an ideal in a number field. See [LPR10] for a precise definition.

² Strictly speaking, under this assumption, our scheme can evaluate polynomial-size circuits with a-priori bounded (but arbitrary) depth. A fully homomorphic encryption scheme independent of the circuit depth can be obtained by making an additional "circular security" assumption. See Section 3.
2. We present a dimension-modulus reduction technique, that turns our somewhat homomorphic scheme into a fully homomorphic one, without the need for the artificial squashing step and the sparse subset-sum assumption.

We  provide  a  detailed  overview  of  these  new  techniques  in  Sections  1.1,  1.2  below. 

Interestingly,  the  ciphertexts  of  the  resulting  fully  homomorphic  scheme  are  very  short.  This  is 
a  desirable  property  which  we  use,  in  conjunction  with  other  techniques,  to  achieve  very  efficient 
private  information  retrieval  protocols.  See  also  Section  1.3  below. 


1.1  Re-Linearization:  Somewhat  Homomorphic  Encryption  without  Ideals 

The  starting  point  of  Gentry’s  construction  is  a  “somewhat”  homomorphic  encryption  scheme.  For 
a  class  of  circuits  C,  a  C-homomorphic  scheme  is  one  that  allows  evaluation  of  any  circuit  in  the 
class  C.  The  simple,  yet  striking,  observation  in  Gentry’s  work  is  that  if  a  (slightly  augmented) 
decryption  circuit  for  a  C-homomorphic  scheme  resides  in  C,  then  the  scheme  can  be  converted  (or 
“bootstrapped”)  into  a  fully  homomorphic  encryption  scheme. 

It turns out that encryption schemes that can evaluate a non-trivial number of addition and multiplication operations³ are already quite hard to come by (even without requiring that they are bootstrappable).⁴ Gentry's solution to this was based on the algebraic notion of ideals in rings. At a very high level, the message is considered to be a ring element, and the ciphertext is the message masked with some "noise". The novelty of this idea is that the noise itself belongs to an ideal $I$. Thus, the ciphertext is of the form $m + xI$ (for some $x$ in the ring). Observe right off the bat that the scheme is born additively homomorphic; in fact, that will be the case with all the schemes we consider in this paper. The ideal $I$ has two main properties: first, a random element in the ideal is assumed to "mask" the message; and second, it is possible to generate a secret trapdoor that "annihilates" the ideal, i.e., implementing the transformation $m + xI \to m$. The first property guarantees security, while the second enables multiplying ciphertexts. Letting $c_1$ and $c_2$ be encryptions of $m_1$ and $m_2$ respectively,

$$c_1 c_2 = (m_1 + xI)(m_2 + yI) = m_1 m_2 + (m_1 y + m_2 x + xyI)\,I = m_1 m_2 + zI .$$

When decrypting, the ideal is annihilated and the product $m_1 m_2$ survives. Thus, $c_1 c_2$ is indeed an encryption of $m_1 m_2$, as required. This nifty solution required, as per the first property, a hardness assumption on ideals in certain rings. Gentry's original work relied on hardness assumptions on ideal lattices, while van Dijk, Gentry, Halevi and Vaikuntanathan [DGHV10] presented a different instantiation that considered ideals over the integers.

Our somewhat homomorphic scheme is based on the hardness of the "learning with errors" (LWE) problem, first presented by Regev [Reg05]. The LWE assumption states that if $\mathbf{s} \in \mathbb{Z}_q^n$ is an $n$-dimensional "secret" vector, any polynomial number of "noisy" random linear combinations of the coefficients of $\mathbf{s}$ are computationally indistinguishable from uniformly random elements in $\mathbb{Z}_q$. Mathematically,

$$\big\{(\mathbf{a}_i,\ \langle \mathbf{a}_i, \mathbf{s}\rangle + e_i)\big\}_{i=1}^{\mathrm{poly}(n)} \ \approx_c\ \big\{(\mathbf{a}_i,\ u_i)\big\}_{i=1}^{\mathrm{poly}(n)}$$

where $\mathbf{a}_i \in \mathbb{Z}_q^n$ and $u_i \in \mathbb{Z}_q$ are uniformly random, and the "noise" $e_i$ is sampled from a noise distribution that outputs numbers much smaller than $q$ (an example is a discrete Gaussian distribution over $\mathbb{Z}_q$ with small standard deviation).

³ All known schemes, including ours, treat evaluated functions as arithmetic circuits. Hence we use the terminology of "addition and multiplication" gates. The conversion to the boolean model (AND, OR, NOT gates) is immediate.

⁴ We must mention here that we are interested only in compact fully homomorphic encryption schemes, namely ones where the ciphertexts do not grow in size with each homomorphic operation. If we do allow such growth in size, a number of solutions are possible. See, e.g., [SYY99, GHV10a, MGH10].

The LWE assumption does not refer to ideals, and indeed, the LWE problem is at least as hard as finding short vectors in any lattice, as follows from the worst-case to average-case reductions of Regev [Reg05] and Peikert [Pei09]. As mentioned earlier, we have a much better understanding of the complexity of lattice problems (thanks to [LLL82, Ajt98, Mic00] and many others), compared to the corresponding problems on ideal lattices. In particular, despite considerable effort, the best known algorithms to solve the LWE problem run in time nearly exponential in the dimension $n$.⁵ The LWE assumption also turns out to be particularly amenable to the construction of simple, efficient and highly expressive cryptographic schemes (e.g., [Reg05, GPV08, AGV09, ACPS09, CHKP10, ABB10] and many others). Our construction of a fully homomorphic encryption scheme from LWE is perhaps a very strong testament to its power and elegance.

Constructing a (secret-key) encryption scheme whose security is based on the LWE assumption is rather straightforward. To encrypt a bit $m \in \{0,1\}$ using secret key $\mathbf{s} \in \mathbb{Z}_q^n$, we choose a random vector $\mathbf{a} \in \mathbb{Z}_q^n$ and a "noise" $e$ and output the ciphertext

$$\mathbf{c} = \big(\mathbf{a},\ b = \langle \mathbf{a}, \mathbf{s}\rangle + 2e + m\big) \in \mathbb{Z}_q^n \times \mathbb{Z}_q .$$

The key observation in decryption is that the two "masks", namely the secret mask $\langle \mathbf{a}, \mathbf{s}\rangle$ and the "even mask" $2e$, do not interfere with each other.⁶ That is, one can decrypt this ciphertext by annihilating the two masks, one after the other: The decryption algorithm first re-computes the mask $\langle \mathbf{a}, \mathbf{s}\rangle$ and subtracts it from $b$, resulting in $2e + m \pmod q$. Since $e \ll q$, we have $2e + m \pmod q = 2e + m$ (as an integer). Removing the even mask is now easy: simply compute $2e + m$ modulo 2.⁷

As we will see below, the scheme is naturally additive homomorphic, yet multiplication presents a thorny problem. In fact, a recent work of Gentry, Halevi and Vaikuntanathan [GHV10b] showed that (a slight variant of) this scheme supports just a single homomorphic multiplication, but at the expense of a huge blowup to the ciphertext which made further advance impossible.

To better understand the homomorphic properties of this scheme, let us shift our focus away from the encryption algorithm, on to the decryption algorithm. Given a ciphertext $(\mathbf{a}, b)$, consider the symbolic linear function $f_{\mathbf{a},b} : \mathbb{Z}_q^n \to \mathbb{Z}_q$ defined as:

$$f_{\mathbf{a},b}(\mathbf{x}) = b - \langle \mathbf{a}, \mathbf{x}\rangle \pmod q = b - \sum_{i=1}^{n} a[i]\cdot x[i] \ \in \mathbb{Z}_q$$

where $\mathbf{x} = (x[1], \ldots, x[n])$ denotes the variables, and $(\mathbf{a}, b)$ forms the public coefficients of the linear equation. Clearly, decryption of the ciphertext $(\mathbf{a}, b)$ is nothing but evaluating this function on the secret key $\mathbf{s}$ (and then taking the result modulo 2).⁸

⁵ The nearly exponential time is for a large enough error (i.e., one that is a $1/\mathrm{poly}(n)$ fraction of the modulus $q$). For smaller errors, as we will encounter in our scheme, there are better, but not significantly better, algorithms. In particular, if the error is a $1/2^{n^{\epsilon}}$ fraction of the modulus $q$, the best known algorithm runs in time approx. $2^{n^{1-\epsilon}}$.

⁶ We remark that using $2e$ instead of $e$ as in the original formulation of LWE does not adversely impact security, so long as $q$ is odd (since in that case 2 is a unit in $\mathbb{Z}_q$).

⁷ Although the simplified presentation of Gentry's scheme above seems to deal with just one mask (the "secret mask"), in reality, the additional "even mask" existed in the schemes of [Gen09b, DGHV10] as well. Roughly speaking, they needed this to ensure semantic security, as we do.

⁸ The observation that an LWE-based ciphertext can be interpreted as a linear equation of the secret was also used in [BV11].
Homomorphic addition and multiplication can now be described in terms of this function $f$. Adding two ciphertexts corresponds to the addition of two linear functions, which is again another linear function. In particular, $f_{(\mathbf{a}+\mathbf{a}',\,b+b')}(\mathbf{x}) = f_{(\mathbf{a},b)}(\mathbf{x}) + f_{(\mathbf{a}',b')}(\mathbf{x})$ is the linear function corresponding to the "homomorphically added" ciphertext $(\mathbf{a}+\mathbf{a}', b+b')$. Similarly, multiplying two such ciphertexts corresponds to a symbolic multiplication of these linear equations

$$f_{(\mathbf{a},b)}(\mathbf{x}) \cdot f_{(\mathbf{a}',b')}(\mathbf{x}) = \Big(b - \sum_i a[i]\,x[i]\Big)\cdot\Big(b' - \sum_i a'[i]\,x[i]\Big) = h_0 + \sum_i h_i\cdot x[i] + \sum_{i,j} h_{i,j}\cdot x[i]\,x[j] ,$$

which results in a degree-2 polynomial in the variables $\mathbf{x} = (x[1], \ldots, x[n])$, with coefficients $h_{i,j}$ that can be computed from $(\mathbf{a}, b)$ and $(\mathbf{a}', b')$ by expanding the expression above. Decryption, as before, involves evaluating this quadratic expression on the secret key $\mathbf{s}$ (and then reducing modulo 2). We now run into a serious problem: the decryption algorithm has to know all the coefficients of this quadratic polynomial, which means that the size of the ciphertext just went up from $n+1$ elements to (roughly) $n^2/2$.

This is where our re-linearization technique comes into play. Re-linearization is a way to reduce the size of the ciphertext back down to $n+1$. The main idea is the following: imagine that we publish "encryptions" of all the linear and quadratic terms in the secret key $\mathbf{s}$, namely all the numbers $s[i]$ as well as $s[i]s[j]$, under a new secret key $\mathbf{t}$. Thus, these ciphertexts (for the quadratic terms) look like $(\mathbf{a}_{i,j}, b_{i,j})$ where⁹

$$b_{i,j} = \langle \mathbf{a}_{i,j}, \mathbf{t}\rangle + 2e_{i,j} + s[i]\cdot s[j] \ \approx\ \langle \mathbf{a}_{i,j}, \mathbf{t}\rangle + s[i]\cdot s[j] .$$

Now, the sum $h_0 + \sum_i h_i \cdot s[i] + \sum_{i,j} h_{i,j}\cdot s[i]s[j]$ can be written (approximately) as

$$h_0 + \sum_i h_i\cdot\big(b_i - \langle \mathbf{a}_i, \mathbf{t}\rangle\big) + \sum_{i,j} h_{i,j}\cdot\big(b_{i,j} - \langle \mathbf{a}_{i,j}, \mathbf{t}\rangle\big) ,$$

which, lo and behold, is a linear function in $\mathbf{t}$! The bottom line is that multiplying the two linear functions $f_{(\mathbf{a},b)}$ and $f_{(\mathbf{a}',b')}$ and then re-linearizing the resulting expression results in a linear function (with $n+1$ coefficients), whose evaluation on the new secret key $\mathbf{t}$ results in the product of the two original messages (upon reducing modulo 2). The resulting ciphertext is simply the coefficients of this linear function, of which there are at most $n+1$. This ciphertext will decrypt to $m\cdot m'$ using the secret key $\mathbf{t}$.

In this semi-formal description, we ignored an important detail which has to do with the fact that the coefficients $h_{i,j}$ are potentially large. Thus, even though $(b_{i,j} - \langle \mathbf{a}_{i,j}, \mathbf{t}\rangle) \approx s[i]s[j]$, it may be the case that $h_{i,j}\cdot(b_{i,j} - \langle \mathbf{a}_{i,j}, \mathbf{t}\rangle) \not\approx h_{i,j}\cdot s[i]s[j]$. This is handled by considering the binary representation of $h_{i,j}$, namely $h_{i,j} = \sum_{\tau=0}^{\lfloor \log q\rfloor} 2^{\tau}\cdot h_{i,j,\tau}$. If, for each value of $\tau$, we had a pair $(\mathbf{a}_{i,j,\tau}, b_{i,j,\tau})$ such that

$$b_{i,j,\tau} = \langle \mathbf{a}_{i,j,\tau}, \mathbf{t}\rangle + 2e_{i,j,\tau} + 2^{\tau} s[i]\cdot s[j] \ \approx\ \langle \mathbf{a}_{i,j,\tau}, \mathbf{t}\rangle + 2^{\tau} s[i]\cdot s[j] ,$$

then indeed

$$h_{i,j}\cdot s[i]s[j] = \sum_{\tau=0}^{\lfloor \log q\rfloor} h_{i,j,\tau}\, 2^{\tau} s[i]s[j] \ \approx\ \sum_{\tau=0}^{\lfloor \log q\rfloor} h_{i,j,\tau}\big(b_{i,j,\tau} - \langle \mathbf{a}_{i,j,\tau}, \mathbf{t}\rangle\big) ,$$

since $h_{i,j,\tau} \in \{0,1\}$, so each approximate term is multiplied by at most 1 and the error does not grow with the size of $h_{i,j}$. This increases the number of pairs we need to post by a factor of $(\lfloor \log q\rfloor + 1)$, which is polynomial.

⁹ Actually, calling these "encryptions" is inaccurate: $s[i]\cdot s[j] \in \mathbb{Z}_q$ is not a single bit and therefore the "ciphertext" cannot be decrypted. However, we feel that thinking of these as encryptions may benefit the reader's intuition.

This process allows us to do one multiplication without increasing the size of the ciphertext, and obtain an encryption of the product under a new secret key. But why stop at two keys $\mathbf{s}$ and $\mathbf{t}$? Posting a "chain" of $L$ secret keys (together with encryptions of quadratic terms of one secret key using the next secret key) allows us to perform up to $L$ levels of multiplications without blowing up the ciphertext size. It is possible to achieve multiplicative depth $L = \epsilon \log n$ (which corresponds to a degree $D = n^{\epsilon}$ polynomial) for an arbitrary constant $\epsilon < 1$ under reasonable assumptions, but beyond that, the growth of the error in the ciphertext kicks in, and destroys the ciphertext. Handling this requires us to use the machinery of bootstrapping, which we explain in the next section.

In  conclusion,  the  above  technique  allows  us  to  remove  the  need  for  “ideal  assumptions”  and 
obtain  somewhat  homomorphic  encryption  from  LWE.  This  scheme  will  be  a  building  block  towards 
our  full  construction  and  is  formally  presented  in  Section  4.1. 
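The following Python script is an added worked example for this report page (written for this page; it is not the report's or HElib's implementation). It instantiates the secret-key LWE scheme with the even mask described above, adds two ciphertexts, multiplies two ciphertexts symbolically to obtain the quadratic form in the secret, and re-linearizes the result back to $n+1$ coefficients using published bit-decomposed "encryptions" of $2^{\tau} s[i]s[j]$ under a fresh key $\mathbf{t}$. The convention $s[0] = 1$ is used so the constant and linear terms are handled as quadratic terms with index 0. The parameters ($n = 4$, $q = 2^{20}+1$, noise bound 2) and the function names are assumptions chosen so the block runs instantly; they are toy values with no security.

```python
import random

# Toy parameters (constructed for illustration; far too small to be secure).
N = 4              # dimension n of the secret s
Q = (1 << 20) + 1  # odd modulus q, so that 2 is a unit in Z_q (even mask)
B = 2              # noise magnitude bound

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def centered(v, q=Q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def keygen(rng, n=N, q=Q):
    return [rng.randrange(q) for _ in range(n)]

def encrypt(rng, s, m, q=Q, bound=B):
    """Secret-key LWE encryption of a bit: b = <a,s> + 2e + m (mod q)."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-bound, bound)
    return (a, (dot(a, s) + 2 * e + m) % q)

def decrypt(key, c, q=Q):
    """Strip the secret mask <a,key>, then the even mask 2e."""
    a, b = c
    return centered(b - dot(a, key), q) % 2

def add(c1, c2, q=Q):
    return ([(x + y) % q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % q)

def lin(c, q=Q):
    """Coefficients of f_{a,b}(x) = b - <a,x> over the extended variables
    x[0..n] with x[0] = 1 (constant term first)."""
    a, b = c
    return [b] + [(-ai) % q for ai in a]

def mult_quadratic(c1, c2, q=Q):
    """Symbolic product f_{c1}(x) * f_{c2}(x) as {(i, j): h_ij} with i <= j.
    The ciphertext grows from n+1 to (n+1)(n+2)/2 coefficients."""
    f, g = lin(c1, q), lin(c2, q)
    h = {}
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            key = (min(i, j), max(i, j))
            h[key] = (h.get(key, 0) + fi * gj) % q
    return h

def relin_keys(rng, s, t, q=Q, bound=B):
    """Published pairs (a_{ij,tau}, b_{ij,tau}) with
    b = <a,t> + 2e + 2^tau * s[i]*s[j] (mod q), for i <= j and every bit tau."""
    se = [1] + list(s)                       # s[0] = 1 convention
    keys = {}
    for i in range(len(se)):
        for j in range(i, len(se)):
            for tau in range(q.bit_length()):  # floor(log q) + 1 bit positions
                a = [rng.randrange(q) for _ in t]
                e = rng.randint(-bound, bound)
                keys[(i, j, tau)] = (a, (dot(a, t) + 2 * e + (se[i] * se[j] << tau)) % q)
    return keys

def relinearize(h, keys, k, q=Q):
    """Replace each 2^tau * s[i]s[j] by its 'encryption' under t, one bit of
    h_ij at a time, giving a ciphertext (a', b') with k+1 coefficients under t."""
    a_out, b_out = [0] * k, 0
    for (i, j), hij in h.items():
        for tau in range(q.bit_length()):
            if (hij >> tau) & 1:                 # h_{ij,tau} in {0, 1}
                a, b = keys[(i, j, tau)]
                a_out = [(x + y) % q for x, y in zip(a_out, a)]
                b_out = (b_out + b) % q
    return (a_out, b_out)

def demo(seed=1):
    """{(m1, m2): (decrypted sum under s, decrypted re-linearized product under t)}"""
    rng = random.Random(seed)
    s, t = keygen(rng), keygen(rng)
    rk = relin_keys(rng, s, t)
    out = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(rng, s, m1), encrypt(rng, s, m2)
            h = mult_quadratic(c1, c2)
            out[(m1, m2)] = (decrypt(s, add(c1, c2)), decrypt(t, relinearize(h, rk, len(t))))
    return out

def size_growth(seed=1):
    """(coefficients in a fresh ciphertext, after symbolic multiplication, after re-linearization)"""
    rng = random.Random(seed)
    s, t = keygen(rng), keygen(rng)
    c1, c2 = encrypt(rng, s, 1), encrypt(rng, s, 1)
    h = mult_quadratic(c1, c2)
    a, _ = relinearize(h, relin_keys(rng, s, t), len(t))
    return (len(c1[0]) + 1, len(h), len(a) + 1)

if __name__ == "__main__":
    for (m1, m2), (sum_bit, prod_bit) in demo().items():
        print(f"m1={m1} m2={m2}: sum -> {sum_bit}, product under t -> {prod_bit}")
    print("ciphertext coefficients (fresh, quadratic, re-linearized):", size_growth())
```

The noise bookkeeping is what makes the bit decomposition necessary: with these toy values the product carries at most $(2\cdot 2+1)^2 = 25$ in magnitude, and re-linearization adds at most $15 \cdot 21 \cdot 4$ from the published pairs, comfortably below $q/2$; multiplying a published pair by a full-size $h_{i,j}$ instead of a bit would blow the error past $q/2$ and destroy the ciphertext.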

1.2 Dimension-Modulus Reduction: Fully Homomorphic Encryption Without Squashing

As  explained  above,  the  “bootstrapping”  method  for  achieving  full  homomorphism  requires  a  C- 
homomorphic  scheme  whose  decryption  circuit  resides  in  C.  All  prior  somewhat  homomorphic 
schemes  fell  short  in  this  category  and  failed  to  achieve  this  requirement  in  a  natural  way.  Thus 
Gentry,  followed  by  all  other  previous  schemes,  resorted  to  “squashing”:  a  method  for  reducing 
the  decryption  complexity  at  the  expense  of  making  an  additional  and  fairly  strong  assumption, 
namely  the  sparse  subset  sum  assumption. 

We  show  how  to  “upgrade”  our  somewhat  homomorphic  scheme  (explained  in  Section  1.1)  into 
a  scheme  that  enjoys  the  same  amount  of  homomorphism  but  has  a  much  smaller  decryption  circuit. 
All  of  this,  without  making  any  additional  assumption  (beyond  LWE)! 

Our starting point is the somewhat homomorphic scheme from Section 1.1. Recall that a ciphertext in that scheme is of the form $(\mathbf{a},\ b = \langle \mathbf{a}, \mathbf{s}\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, and decryption is done by computing $\big(b - \langle \mathbf{a}, \mathbf{s}\rangle \bmod q\big) \pmod 2$. One can verify that this computation, presented as a polynomial in the bits of $\mathbf{s}$, has degree at least $\max(n, \log q)$, which is more than the maximal degree $D$ that our scheme can homomorphically evaluate. The bottom line is that decryption complexity is governed by $(n, \log q)$ which are too big for our homomorphism capabilities.

Our dimension-modulus reduction idea enables us to take a ciphertext with parameters $(n, \log q)$ as above, and convert it into a ciphertext of the same message, but with parameters $(k, \log p)$ which are much smaller than $(n, \log q)$. To give a hint as to the magnitude of improvement, we typically set $k$ to be of size the security parameter and $p = \mathrm{poly}(k)$. We can then set $n = k^c$ for essentially any constant $c$, and $q = 2^{n^{\epsilon}}$. We will thus be able to homomorphically evaluate functions of degree roughly $D = n^{\epsilon} = k^{c\cdot\epsilon}$ and we can choose $c$ to be large enough so that this is sufficient to evaluate the $(k, \log p)$ decryption circuit.

To understand dimension-modulus reduction technically, we go back to re-linearization. We showed above that, posting proper public parameters, one can convert a ciphertext $(\mathbf{a},\ b = \langle \mathbf{a}, \mathbf{s}\rangle + 2e + m)$, that corresponds to a secret key $\mathbf{s}$, into a ciphertext $(\mathbf{a}',\ b' = \langle \mathbf{a}', \mathbf{t}\rangle + 2e' + m)$ that corresponds to a secret key $\mathbf{t}$.¹⁰ The crucial observation is that $\mathbf{s}$ and $\mathbf{t}$ need not have the same dimension $n$. Specifically, if we choose $\mathbf{t}$ to be of dimension $k$, the procedure still works. This brings us down from $(n, \log q)$ to $(k, \log q)$, which is a big step but still not sufficient.

¹⁰ In the previous section, we applied re-linearization to a quadratic function of $\mathbf{s}$, while here we apply it to the ciphertext $(\mathbf{a}, b)$ that corresponds to a linear function of $\mathbf{s}$. This only makes things easier.

Having the above observation in mind, we wonder if we can take $\mathbf{t}$ to have not only low dimension but also small modulus $p$, thus completing the transition from $(n, \log q)$ to $(k, \log p)$. This is indeed possible using some additional ideas, where the underlying intuition is that $\mathbb{Z}_p$ can "approximate" $\mathbb{Z}_q$ by simple scaling, up to a small error.

The public parameters for the transition from $\mathbf{s}$ to $\mathbf{t}$ will be $(\mathbf{a}_{i,\tau}, b_{i,\tau}) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$, where¹¹

$$b_{i,\tau} = \langle \mathbf{a}_{i,\tau}, \mathbf{t}\rangle + e_{i,\tau} + \Big\lfloor \frac{p}{q}\cdot 2^{\tau}\cdot s[i] \Big\rceil .$$

Namely, we scale $2^{\tau}\cdot s[i] \in \mathbb{Z}_q$ into an element in $\mathbb{Z}_p$ by multiplying by $p/q$ and rounding. The rounding incurs an additional error of magnitude at most $1/2$. It follows that

$$2^{\tau}\cdot s[i] \ \approx\ \frac{q}{p}\cdot\big(b_{i,\tau} - \langle \mathbf{a}_{i,\tau}, \mathbf{t}\rangle\big) ,$$

which enables converting a linear equation in $\mathbf{s}$ into a linear equation in $\mathbf{t}$. The result of dimension-modulus reduction, therefore, is a ciphertext $(\mathbf{a}, b) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$ such that $b - \langle \mathbf{a}, \mathbf{t}\rangle = m + 2e$. For security, we need to assume the hardness of LWE with parameters $k, p$. We can show that in the parameter range we use, this assumption is as hard as the one used for the somewhat homomorphic scheme.¹²

In  conclusion,  dimension-modulus  reduction  allows  us  to  achieve  a  bootstrappable  scheme,  based 
on  the  LWE  assumption  alone.  We  refer  the  reader  to  Section  4  for  the  formal  presentation  and  full 
analysis  of  our  entire  solution.  Specifically,  dimension-modulus  reduction  is  used  for  the  scheme  in 
Section  4.2. 

As a nice byproduct of this technique, the ciphertexts of the resulting fully homomorphic scheme become very short! They now consist of $(k+1)\log p = O(k \log k)$ bits. This is a desirable property which is also helpful in achieving efficient private information retrieval protocols (see below).
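The following Python script is an added worked example of dimension-modulus reduction as outlined in this section (written for this page following the description above, not the report's own implementation). A ciphertext under $\mathbf{s} \in \mathbb{Z}_q^n$ is converted into one under $\mathbf{t} \in \mathbb{Z}_p^k$ with $k < n$ and $p \ll q$, using published pairs $b_{i,\tau} = \langle \mathbf{a}_{i,\tau}, \mathbf{t}\rangle + e_{i,\tau} + \lfloor (p/q)\,2^{\tau} s[i] \rceil$ and the "divide by 2 before, multiply back by 2 after" handling of footnote 11: after multiplying by $2^{-1} \bmod q$ the message sits near $0$ or near $q/2$ rather than in the least significant bit, the scaling to $\mathbb{Z}_p$ preserves that, and doubling modulo the odd $p$ restores the $m + 2e$ form. The parameters ($n = 8$, $q = 2^{20}+1$, $k = 4$, $p = 4099$, noise bound 2), the small LWE helpers and all function names are assumptions made so the block runs stand-alone; they are toy values with no security.

```python
import random

# Toy parameters (constructed for illustration only; no security whatsoever).
N, Q = 8, (1 << 20) + 1   # source scheme: dimension n, odd modulus q
K, P = 4, 4099            # target scheme: dimension k < n, odd modulus p << q
B = 2                     # noise magnitude bound used in both schemes

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def centered(v, mod):
    """Representative of v modulo `mod` in (-mod/2, mod/2]."""
    v %= mod
    return v - mod if v > mod // 2 else v

def scale(x, p, q):
    """Exact integer computation of round((p/q) * x) for x >= 0."""
    return (2 * p * x + q) // (2 * q)

def keygen(rng, dim, mod):
    return [rng.randrange(mod) for _ in range(dim)]

def encrypt(rng, s, m, mod=Q, bound=B):
    """Secret-key LWE encryption of a bit with the even mask: b = <a,s> + 2e + m."""
    a = [rng.randrange(mod) for _ in s]
    return (a, (dot(a, s) + 2 * rng.randint(-bound, bound) + m) % mod)

def decrypt(key, c, mod):
    a, b = c
    return centered(b - dot(a, key), mod) % 2

def reduction_keys(rng, s, t, q=Q, p=P, bound=B):
    """Public parameters for the switch s (mod q) -> t (mod p):
    b_{i,tau} = <a_{i,tau}, t> + e_{i,tau} + round((p/q) * 2^tau * s[i])  (mod p).
    The noise is e, not 2e, because (p/q)*2 is not an integer (footnote 11)."""
    keys = {}
    for i, si in enumerate(s):
        for tau in range(q.bit_length()):     # one pair per bit position of a[i]
            a = [rng.randrange(p) for _ in t]
            b = (dot(a, t) + rng.randint(-bound, bound) + scale(si << tau, p, q)) % p
            keys[(i, tau)] = (a, b)
    return keys

def dimension_modulus_reduce(c, keys, k=K, q=Q, p=P):
    """(a, b) under s in Z_q^n  ->  (a', b') under t in Z_p^k with b' - <a',t> = m + 2e'."""
    inv2 = (q + 1) // 2                       # 2^{-1} mod q (q is odd)
    a, b = c
    # 1. "divide by 2": the ciphertext now encodes e + 2^{-1} m (mod q), i.e. the
    #    message sits near 0 (m = 0) or near q/2 (m = 1) instead of in the LSB.
    a_half = [(inv2 * ai) % q for ai in a]
    b_half = (inv2 * b) % q
    # 2. bit-decompose a_half and replace each 2^tau * s[i] by its scaled
    #    "encryption" under t; the result is a linear function of t modulo p.
    a_out, b_out = [0] * k, scale(b_half, p, q)
    for i, ai in enumerate(a_half):
        for tau in range(q.bit_length()):
            if (ai >> tau) & 1:
                ka, kb = keys[(i, tau)]
                a_out = [(x - y) % p for x, y in zip(a_out, ka)]
                b_out = (b_out - kb) % p
    # 3. "multiply back by 2": a value near p/2 becomes m (mod p) again and the
    #    accumulated error becomes even, restoring the m + 2e' encoding.
    return ([(2 * x) % p for x in a_out], (2 * b_out) % p)

def ciphertext_bits(c, mod):
    return (len(c[0]) + 1) * mod.bit_length()

def demo(seed=7):
    """Returns ({m: (decryption under s, decryption of the reduced ciphertext under t)},
    (ciphertext bits before reduction, ciphertext bits after reduction))."""
    rng = random.Random(seed)
    s, t = keygen(rng, N, Q), keygen(rng, K, P)
    keys = reduction_keys(rng, s, t)
    results, sizes = {}, None
    for m in (0, 1):
        c = encrypt(rng, s, m)
        c_small = dimension_modulus_reduce(c, keys)
        results[m] = (decrypt(s, c, Q), decrypt(t, c_small, P))
        sizes = (ciphertext_bits(c, Q), ciphertext_bits(c_small, P))
    return results, sizes

if __name__ == "__main__":
    results, (before, after) = demo()
    print(results, f"ciphertext bits: {before} -> {after}")
```

The error budget of the target scheme is what fixes $p$: with $n \cdot (\lfloor \log q\rfloor + 1)$ published pairs used, the accumulated error after scaling is at most $8 \cdot 21 \cdot (2 + 1/2)$ plus a few rounding halves, and doubling it must still leave the centered value inside $(-p/2, p/2)$, which holds with room to spare for $p = 4099$ while $q$ contributes essentially nothing after the $p/q$ scaling.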


1.3  Near-Optimal  Private  Information  Retrieval 

In (single-server) private information retrieval (PIR) protocols, a very large database is maintained by a sender (the sender is also sometimes called the server, or the database). A receiver wishes to obtain a specific entry in the database, without revealing any information about the entry to the server. Typically, we consider databases that are exponential in the security parameter and hence we wish that the receiver's running time and communication complexity are polylogarithmic in the size of the database $N$ (at least $\log N$ bits are required to specify an entry in the database). The first polylogarithmic candidate protocol was presented by Cachin, Micali and Stadler [CMS99] and additional polylogarithmic protocols were introduced by Lipmaa [Lip05] and by Gentry and Ramzan [GR05]. Of these, the latter achieves the best communication complexity


¹¹ A subtle technical point refers to the use of an error term $e$, instead of $2e$ as we did for re-linearization. The reason is roughly that $\frac{p}{q}\cdot 2$ is non-integer. Therefore we "divide by 2" before performing the dimension-reduction and "multiply back" by 2 after.

¹² For the informed reader we mention that while $k, p$ are smaller than $n, q$ and therefore seem to imply lesser security, we are able to use much higher relative noise in our $k, p$ scheme since it need not support homomorphism. Hence the two assumptions are of roughly the same hardness.
of $O(\log^{3-o(1)}(N))$.¹³ The latter two protocols achieve constant amortized communication complexity when retrieving large consecutive blocks of data. See a survey in [OS07] for more details on these schemes.

Fully homomorphic, or even somewhat homomorphic, encryption is known to imply polylogarithmic PIR protocols.¹⁴ Most trivially, the receiver can encrypt the index it wants to query, and the database will use that to homomorphically evaluate the database access function, thus retrieving an encryption of the answer and sending it to the receiver. The total communication complexity of this protocol is the sum of lengths of the public key, encryption of the index and output ciphertext. However, the public key is sent only once, it is independent of the database and the query, and it can be used for many queries. Therefore it is customary to analyze such schemes in the public key model where sending the public key does not count towards the communication complexity. Gentry [Gen09a] proposes to use his somewhat homomorphic scheme towards this end, which requires $O(\log^3 N)$ bits of communication.¹⁵ We show how, using our somewhat homomorphic scheme, in addition to new ideas, we can bring down communication complexity to a near optimal $\log N \cdot \mathrm{polyloglog}\,N$ (one cannot do better than $\log N$). To obtain the best parameters, one needs to assume $2^{\Omega(k)}$-hardness of polynomial-factor approximation for short vector problems in arbitrary dimension $k$ lattices, which is supported by current knowledge. Details follow.

A major obstacle in the naive use of somewhat homomorphic encryption for PIR is that homomorphism is obtained with respect to the boolean representation of the evaluated function. Therefore, the receiver needs to encrypt the index to the database in a bit-by-bit manner. The query is then composed of $\log N$ ciphertexts, which necessitate at least $\log^2 N$ bits of communication. As a first improvement, we notice that the index need not be encrypted under the somewhat homomorphic scheme. Rather, we can encrypt using any symmetric encryption scheme. The database will receive an encrypted symmetric key (under the homomorphic scheme), which will enable it to convert symmetric ciphertexts into homomorphic ciphertexts without additional communication. The encrypted secret key can be sent as a part of the public key as it is independent of the query. This, of course, requires that our somewhat homomorphic scheme can homomorphically evaluate the decryption circuit of the symmetric scheme. Fully homomorphic schemes will certainly be adequate for this purpose, but known somewhat homomorphic schemes are also sufficient (depending on the symmetric scheme to be used). Using the most communication efficient symmetric scheme, we bring down the query complexity to $O(\log N)$. As for the sender's response, our dimension-modulus reduction technique guarantees very short ciphertexts (essentially as short as non-homomorphic LWE based schemes). This translates into $\log N \cdot \mathrm{polyloglog}\,N$ bits per ciphertext, and the communication complexity of our protocol follows. We remark that in terms of retrieving large blocks of consecutive data, one can slightly reduce the overhead to $O(\log N)$ bits of communication for every bit of retrieved data. We leave it as an open problem to bring the amortized communication down to a constant. See Section 5 for the full details.

Prior to this work, it was not at all known how to achieve even polylogarithmic PIR under the LWE assumption. We stress that even if the size of the public key does count towards the communication complexity, our protocol still has polylogarithmic communication.

¹³ It is hard to compare the performance of different PIR protocols due to the multitude of parameters. To make things easier to grasp, we compare the protocols on equal grounds: We assume that the database size and the adversary's running time are exponential in the security parameter and assume the maximal possible hardness of the underlying assumption against known attacks. We also assume that each query retrieves a single bit. We will explicitly mention special properties of individual protocols that are not captured by this comparison.

¹⁴ To be precise, one needs sub-exponentially secure such schemes.

¹⁵ Gentry does not provide a detailed analysis of this scheme; the above is based on our analysis of its performance.

1.4  Other  Related  Work 

Aside from Gentry's scheme (and a variant thereof by Smart and Vercauteren [SV10] and an optimization by Stehlé and Steinfeld [SS10]), there are two other fully homomorphic encryption schemes [DGHV10, BV11]. The innovation in both these schemes is the construction of a new somewhat homomorphic encryption scheme. Both these works then invoke Gentry's squashing and bootstrapping transformation to convert it to a fully homomorphic scheme, and thus the security of both these schemes relies on the sparse subset-sum assumption (plus other assumptions). The first of these schemes is due to van Dijk, Gentry, Halevi and Vaikuntanathan [DGHV10]. Their scheme works over the integers and relies on a new assumption which, roughly speaking, states that finding the greatest common divisor of many "noisy" multiples of a number is computationally hard. They cannot, however, reduce their assumption to worst-case hardness. The second is a recent work of Brakerski and Vaikuntanathan [BV11], who construct a somewhat homomorphic encryption scheme based on the ring LWE problem [LPR10] whose security can be reduced to the worst-case hardness of problems on ideal lattices.

The efficiency of implementing Gentry's scheme also gained much attention. Smart and Vercauteren [SV10], as well as Gentry and Halevi [GH11b], conduct a study on reducing the complexity of implementing the scheme.

In a recent independent work, Gentry and Halevi [GH11a] showed how the sparse subset sum assumption can be replaced by either the (decisional) Diffie-Hellman assumption or an ideal lattice assumption, by representing the decryption circuit as an arithmetic circuit with only one level of (high fan-in) multiplications.

1.5  Paper  Organization 

Some  preliminaries  and  notation  are  described  in  Section  2.  We  formally  define  somewhat  and  fully 
homomorphic  encryption  and  present  the  bootstrapping  theorem  in  Section  3.  The  main  technical 
section  of  this  paper  is  Section  4,  where  our  scheme  is  presented  and  fully  analyzed.  Lastly,  our 
private  information  retrieval  protocol  is  presented  in  Section  5. 

2  Preliminaries 

Notations. Let $\mathcal{D}$ denote a distribution over some finite set $S$. Then, $x \leftarrow \mathcal{D}$ is used to denote the fact that $x$ is chosen from the distribution $\mathcal{D}$. When we say $x \xleftarrow{\$} S$, we simply mean that $x$ is chosen from the uniform distribution over $S$. Unless explicitly mentioned, all logarithms are to base 2.

In this work, we utilize "noise" distributions over integers. The only property of these distributions we use is their magnitude. Hence, we define a $B$-bounded distribution to be a distribution over the integers where the magnitude of a sample is bounded with high probability. A definition follows.

Definition 2.1 ($B$-bounded distributions). A distribution ensemble $\{\chi_n\}_{n \in \mathbb{N}}$, supported over the integers, is called $B$-bounded if

$$\Pr_{e \leftarrow \chi_n}\big[\,|e| > B\,\big] \le 2^{-\tilde{\Omega}(n)} .$$
We denote scalars in plain (e.g. $x$) and vectors in bold lowercase (e.g. $\mathbf{v}$), and matrices in bold uppercase (e.g. $\mathbf{A}$). The $\ell_i$ norm of a vector is denoted by $\|\mathbf{v}\|_i$. Inner product is denoted by $\langle \mathbf{v}, \mathbf{u}\rangle$; recall that $\langle \mathbf{v}, \mathbf{u}\rangle = \mathbf{v}^T \cdot \mathbf{u}$. Let $\mathbf{v}$ be an $n$ dimensional vector. For all $i = 1, \ldots, n$, the $i$th element in $\mathbf{v}$ is denoted $v[i]$. We use the convention that $v[0] = 1$.

We use the following variant of the leftover hash lemma [ILL89].

Lemma 2.1 (matrix-vector leftover hash lemma). Let $k \in \mathbb{N}$, $n \in \mathbb{N}$, $q \in \mathbb{N}$, and $m \ge n \log q + 2k$. Let $\mathbf{A} \xleftarrow{\$} \mathbb{Z}_q^{m \times n}$ be a uniformly random matrix, let $\mathbf{r} \xleftarrow{\$} \{0,1\}^m$ and let $\mathbf{y} \xleftarrow{\$} \mathbb{Z}_q^n$. Then,

$$\Delta\big((\mathbf{A}, \mathbf{A}^T \mathbf{r}),\ (\mathbf{A}, \mathbf{y})\big) \le 2^{-k}$$

where $\Delta(A, B)$ denotes the statistical distance between the distributions $A$ and $B$.

2.1  Learning  With  Errors  (LWE) 

The LWE problem was introduced by Regev [Reg05] as a generalization of "learning parity with noise". For positive integers $n$ and $q \ge 2$, a vector $\mathbf{s} \in \mathbb{Z}_q^n$, and a probability distribution $\chi$ on $\mathbb{Z}_q$, let $A_{\mathbf{s},\chi}$ be the distribution obtained by choosing a vector $\mathbf{a} \leftarrow \mathbb{Z}_q^n$ uniformly at random and a noise term $e \leftarrow \chi$, and outputting $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. A formal definition follows.

Definition 2.2 (LWE). For an integer $q = q(n)$ and an error distribution $\chi = \chi(n)$ over $\mathbb{Z}_q$, the learning with errors problem $\mathrm{LWE}_{n,m,q,\chi}$ is defined as follows: Given $m$ independent samples from $A_{\mathbf{s},\chi}$ (for some $\mathbf{s} \in \mathbb{Z}_q^n$), output $\mathbf{s}$ with noticeable probability.

The (average-case) decision variant of the LWE problem, denoted $\mathrm{DLWE}_{n,m,q,\chi}$, is to distinguish (with non-negligible advantage) $m$ samples chosen according to $A_{\mathbf{s},\chi}$ (for uniformly random $\mathbf{s} \leftarrow \mathbb{Z}_q^n$), from $m$ samples chosen according to the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$. We denote by $\mathrm{DLWE}_{n,q,\chi}$ the variant where the adversary gets oracle access to $A_{\mathbf{s},\chi}$, and is not a-priori bounded in the number of samples.

For cryptographic applications we are primarily interested in the average-case decision problem DLWE, where $\mathbf{s} \leftarrow \mathbb{Z}_q^n$. There are known quantum [Reg05] and classical [Pei09] reductions between $\mathrm{DLWE}_{n,m,q,\chi}$ and approximating short vector problems in lattices. Specifically, these reductions take $\chi$ to be (discretized versions of) the Gaussian distribution, which is $B$-bounded for an appropriate $B$. Since the exact distribution $\chi$ does not matter for our results, we state a corollary of the results of [Reg05, Pei09] in terms of the bound on the distribution.

Corollary 2.2 ([Reg05, Pei09]). Let $q = q(n) \in \mathbb{N}$ be a product of co-prime numbers $q = \prod_i q_i$ such that for all $i$, $q_i = \mathrm{poly}(n)$, and let $B \ge n$. Then there exists an efficiently sampleable $B$-bounded distribution $\chi$ such that if there is an efficient algorithm that solves the (average-case) $\mathrm{DLWE}_{n,q,\chi}$ problem, then:

• There is a quantum algorithm that solves $\mathrm{SIVP}_{\tilde{O}(n\sqrt{n} \cdot q/B)}$ and $\mathrm{gapSVP}_{\tilde{O}(n\sqrt{n} \cdot q/B)}$ on any $n$-dimensional lattice, and runs in time $\mathrm{poly}(n)$.

• There is a classical algorithm that solves the $\zeta$-to-$\gamma$ decisional shortest vector problem $\mathrm{gapSVP}_{\zeta,\gamma}$, where $\gamma = \tilde{O}(n\sqrt{n} \cdot q/B)$, and $\zeta = \tilde{O}(q\sqrt{n})$, on any $n$-dimensional lattice, and runs in time $\mathrm{poly}(n)$.
We refer the reader to [Reg05, Pei09] for the formal definition of these lattice problems, as they have no direct connection to this work. We only note here that the best known algorithms for these problems run in time nearly exponential in the dimension $n$ [AKS01, MV10]. More generally, the best algorithms that approximate these problems to within a factor of $2^k$ run in time $2^{\tilde{O}(n/k)}$.

2.2  Symmetric  Encryption 

A symmetric encryption scheme $\mathrm{SYM} = (\mathrm{SYM.Keygen}, \mathrm{SYM.Enc}, \mathrm{SYM.Dec})$, over message space $\mathcal{M} = \{\mathcal{M}_\kappa\}_{\kappa \in \mathbb{N}}$, is a triple of PPT algorithms as follows. We always denote the security parameter by $\kappa$.

• Key generation. The algorithm $sk \leftarrow \mathrm{SYM.Keygen}(1^\kappa)$ takes a unary representation of the security parameter and outputs a symmetric encryption/decryption key $sk$.

• Encryption. The algorithm $c \leftarrow \mathrm{SYM.Enc}_{sk}(\mu)$ takes the symmetric key $sk$ and a message $\mu \in \mathcal{M}_\kappa$ and outputs a ciphertext $c$.

• Decryption. The algorithm $\mu^* \leftarrow \mathrm{SYM.Dec}_{sk}(c)$ takes the symmetric key $sk$ and a ciphertext $c$ and outputs a message $\mu^* \in \mathcal{M}_\kappa$.

Correctness  and  security  against  chosen  plaintext  attacks  (IND-CPA  security)  are  defined  as 
follows. 

Definition 2.3. A symmetric scheme SYM is correct if for all $\kappa$ and all $sk \leftarrow \mathrm{SYM.Keygen}(1^\kappa)$,
\[ \Pr\big[ \mathrm{SYM.Dec}_{sk}(\mathrm{SYM.Enc}_{sk}(\mu)) \ne \mu \big] = \mathrm{negl}(\kappa) , \]
where the probability is over the coins of $\mathrm{SYM.Keygen}$, $\mathrm{SYM.Enc}$.

Definition 2.4. A symmetric scheme SYM is $(t, \epsilon)$-IND-CPA secure if for any adversary $\mathcal{A}$ that runs in time $t$ it holds that
\[ \Big| \Pr\big[ \mathcal{A}^{\mathrm{SYM.Enc}_{sk}(\cdot)}(1^\kappa) = 1 \big] - \Pr\big[ \mathcal{A}^{\mathrm{SYM.Enc}_{sk}(0)}(1^\kappa) = 1 \big] \Big| \le \epsilon \]
where the probability is over $sk \leftarrow \mathrm{SYM.Keygen}(1^\kappa)$, the coins of $\mathrm{SYM.Enc}$ and the coins of the adversary $\mathcal{A}$.

Namely,  no  adversary  can  distinguish  between  an  oracle  that  encrypts  messages  of  its  choice 
and  an  oracle  that  only  returns  encryptions  of  0  (where  0  is  some  arbitrary  element  in  the  message 
space). 

3  Homomorphic  Encryption:  Definitions  and  Tools 

In  this  section  we  discuss  the  definition  of  homomorphic  encryption  and  its  properties  as  well  as 
some  related  subjects.  We  start  by  defining  homomorphic  and  fully  homomorphic  encryption  in 
Section  3.1.  Then,  in  Section  3.2  we  discuss  Gentry’s  bootstrapping  theorem. 

We  note  that  there  are  a  number  of  ways  to  define  homomorphic  encryption  and  to  describe 
the  bootstrapping  theorem.  We  chose  the  definitions  that  best  fit  the  constructions  and  we  urge 
even  the  knowledgeable  reader  to  go  over  them  so  as  to  avoid  confusion  in  interpreting  our  results. 
3.1 Homomorphic Encryption — Definitions

We now define homomorphic encryption and its desired properties. Throughout this section (and this work) we use $\kappa$ to indicate the security parameter. In addition, all schemes in this paper encrypt bit-by-bit and therefore our definitions only refer to this case. The generalization to an arbitrary message space is immediate.

A homomorphic (public-key) encryption scheme $\mathrm{HE} = (\mathrm{HE.Keygen}, \mathrm{HE.Enc}, \mathrm{HE.Dec}, \mathrm{HE.Eval})$ is a quadruple of PPT algorithms as follows.

• Key generation. The algorithm $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa)$ takes a unary representation of the security parameter and outputs a public encryption key $pk$, a public evaluation key $evk$ and a secret decryption key $sk$.

• Encryption. The algorithm $c \leftarrow \mathrm{HE.Enc}_{pk}(\mu)$ takes the public key $pk$ and a single bit message $\mu \in \{0,1\}$ and outputs a ciphertext $c$.

• Decryption. The algorithm $\mu^* \leftarrow \mathrm{HE.Dec}_{sk}(c)$ takes the secret key $sk$ and a ciphertext $c$ and outputs a message $\mu^* \in \{0,1\}$.

• Homomorphic evaluation. The algorithm $c_f \leftarrow \mathrm{HE.Eval}_{evk}(f, c_1, \ldots, c_\ell)$ takes the evaluation key $evk$, a function $f : \{0,1\}^\ell \to \{0,1\}$ and a set of $\ell$ ciphertexts $c_1, \ldots, c_\ell$, and outputs a ciphertext $c_f$.

The representation of the function $f$ is an important issue. Since the representation can vary between schemes, we leave this issue outside of this syntactic definition. We remark, however, that in this work, $f$ will be represented by an arithmetic circuit over $\mathrm{GF}(2)$.

We  note  that  while  one  can  treat  the  evaluation  key  as  a  part  of  the  public  key,  as  has  been  done 
in  the  literature  so  far,  we  feel  that  there  is  an  expository  value  to  treating  it  as  a  separate  entity 
and  to  distinguishing  between  the  public  elements  that  are  used  for  encryption  and  those  that  are 
used  only  for  homomorphic  evaluation. 

The  only  security  notion  we  consider  in  this  chapter  is  semantic  security,  namely  security  w.r.t. 
passive  adversaries.  We  use  its  widely  known  formulation  as  IND-CPA  security,  defined  as  follows. 

Definition 3.1 (CPA security). A scheme HE is IND-CPA secure if for any polynomial time adversary $\mathcal{A}$ it holds that
\[ \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}] := \Big| \Pr\big[ \mathcal{A}(pk, evk, \mathrm{HE.Enc}_{pk}(0)) = 1 \big] - \Pr\big[ \mathcal{A}(pk, evk, \mathrm{HE.Enc}_{pk}(1)) = 1 \big] \Big| = \mathrm{negl}(\kappa) , \]
where $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa)$.

In fact, based on the best known results about lattices, the schemes we present in this paper will be secure against even stronger adversaries. In order for our reductions to make sense for such adversaries as well, we also consider a parameterized version of CPA security. There, we allow the adversary to run in time $t$ (which is typically super-polynomial) and succeed with probability $\epsilon$ (which is typically sub-polynomial).

Definition 3.2 ($(t, \epsilon)$-CPA security). A scheme HE is $(t, \epsilon)$-IND-CPA secure if for any adversary $\mathcal{A}$ that runs in time $t = t(\kappa)$ it holds that
\[ \mathrm{Adv}_{\mathrm{CPA}}[\mathcal{A}] = \Big| \Pr\big[ \mathcal{A}(pk, evk, \mathrm{HE.Enc}_{pk}(0)) = 1 \big] - \Pr\big[ \mathcal{A}(pk, evk, \mathrm{HE.Enc}_{pk}(1)) = 1 \big] \Big| \le \epsilon = \epsilon(\kappa) , \]
where $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa)$.
We move on to define the homomorphism property. Note that we do not define the "correctness" of the scheme as a separate property, but rather (some form of) correctness will follow from our homomorphism properties.

We  start  by  defining  C-homomorphism,  which  is  homomorphism  with  respect  to  a  specified  class 
C  of  functions.  This  notion  is  sometimes  also  referred  to  as  “somewhat  homomorphism”. 

Definition 3.3 ($\mathcal{C}$-homomorphism). Let $\mathcal{C} = \{\mathcal{C}_\kappa\}_{\kappa \in \mathbb{N}}$ be a class of functions (together with their respective representations). A scheme HE is $\mathcal{C}$-homomorphic (or, homomorphic for the class $\mathcal{C}$) if for any sequence of functions $f_\kappa \in \mathcal{C}_\kappa$ and respective inputs $\mu_1, \ldots, \mu_\ell \in \{0,1\}$ (where $\ell = \ell(\kappa)$), it holds that
\[ \Pr\big[ \mathrm{HE.Dec}_{sk}(\mathrm{HE.Eval}_{evk}(f, c_1, \ldots, c_\ell)) \ne f(\mu_1, \ldots, \mu_\ell) \big] = \mathrm{negl}(\kappa) , \]
where $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa)$ and $c_i \leftarrow \mathrm{HE.Enc}_{pk}(\mu_i)$.

We point out two important properties that the above definition does not require. First of all, we do not require that the ciphertexts $c_i$ are decryptable themselves, only that they become decryptable after homomorphic evaluation.¹⁶ Secondly, we do not require that the output of $\mathrm{HE.Eval}$ can undergo additional homomorphic evaluation.¹⁷

Before  we  define  full  homomorphism,  let  us  define  the  notion  of  compactness. 

Definition 3.4 (compactness). A homomorphic scheme HE is compact if there exists a polynomial $s = s(\kappa)$ such that the output length of $\mathrm{HE.Eval}(\cdots)$ is at most $s$ bits long (regardless of $f$ or the number of inputs).

Note  that  a  C-homomorphic  scheme  is  not  necessarily  compact. 

We give the minimal definition of fully homomorphic encryption, which suffices for most applications.

Definition  3.5  (fully  homomorphic  encryption).  A  scheme  HE  is  fully  homomorphic  if  it  is  both 
compact  and  homomorphic  for  the  class  of  all  arithmetic  circuits  over  GF( 2). 

As in the definition of $\mathcal{C}$-homomorphism, one can require that the outputs of $\mathrm{HE.Eval}$ can again be used as inputs for homomorphic evaluation ("multi-hop homomorphism"). Indeed, all known schemes have this additional property. However, due to the complexity of the formal definition in this case, we refrain from describing a formal definition.

An  important  relaxation  of  fully  homomorphic  encryption  is  the  following. 

Definition 3.6 (leveled fully homomorphic encryption). A leveled fully homomorphic encryption scheme is a homomorphic scheme where $\mathrm{HE.Keygen}$ gets an additional input $1^L$ (now $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa, 1^L)$) and the resulting scheme is homomorphic for all depth-$L$ binary arithmetic circuits. The bound $s(\kappa)$ on the ciphertext length must remain independent of $L$.

In  most  cases,  the  only  parameter  of  the  scheme  that  becomes  dependent  on  L  is  the  bit-length 
of  the  evaluation  key  evk. 

¹⁶Jumping ahead, while this may seem strange at first, this notion of somewhat homomorphism is all that is really required in order to bootstrap into full homomorphism and it also makes our schemes easier to describe. Lastly, note that one can always perform a "blank" homomorphic operation and then decrypt, so functionality is not hurt.

¹⁷This is termed "1-hop homomorphism" in [GHV10a].
3.2 Gentry's Bootstrapping Technique

In  this  section  we  formally  define  the  notion  of  a  bootstrappable  encryption  scheme  and  present 
Gentry’s  bootstrapping  theorem  [Gen09b,  Gen09a]  which  implies  that  a  bootstrappable  scheme  can 
be  converted  into  a  fully  homomorphic  one. 

Definition 3.7 (bootstrappable encryption scheme). Let HE be $\mathcal{C}$-homomorphic, and let $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$ be the augmented decryption functions of the scheme defined as
\[ f^{c_1,c_2}_{\mathrm{add}}(\mathbf{s}) = \mathrm{HE.Dec}_{\mathbf{s}}(c_1) \ \mathrm{XOR} \ \mathrm{HE.Dec}_{\mathbf{s}}(c_2) \quad \text{and} \quad f^{c_1,c_2}_{\mathrm{mult}}(\mathbf{s}) = \mathrm{HE.Dec}_{\mathbf{s}}(c_1) \ \mathrm{AND} \ \mathrm{HE.Dec}_{\mathbf{s}}(c_2) . \]
Then HE is bootstrappable if
\[ \big\{ f^{c_1,c_2}_{\mathrm{add}}, f^{c_1,c_2}_{\mathrm{mult}} \big\}_{c_1,c_2} \subseteq \mathcal{C} . \]
Namely, the scheme can homomorphically evaluate $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$.

We describe two variants of Gentry's bootstrapping theorem. The first implies leveled fully homomorphic encryption but requires no additional assumption, whereas the second makes an additional (weak) circular security assumption and achieves the stronger (non-leveled) variant of Definition 3.5.

The  first  variant  follows. 

Theorem  3.1  ([Gen09b,  Gen09a]).  Let  HE  be  a  bootstrappable  scheme,  then  there  exists  a  leveled 
fully  homomorphic  encryption  scheme  as  per  Definition  3.6. 

Specifically,  the  leveled  homomorphic  scheme  is  such  that  only  the  length  of  the  evaluation  key 
depends  on  the  level  L.  All  other  parameters  of  the  scheme  are  distributed  identically  regardless 
of  the  value  of  L. 

For  the  second  variant,  we  need  to  define  circular  security. 

Definition 3.8 (weak circular security). A public key encryption scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is weakly circular secure if it is IND-CPA secure even for an adversary with auxiliary information containing encryptions of all secret key bits: $\{\mathrm{Enc}_{pk}(sk[i])\}_i$.

Namely,  no  polynomial  time  adversary  can  distinguish  an  encryption  of  0  from  an  encryption 
of  1  even  given  the  additional  information. 

We  can  now  state  the  second  theorem. 

Theorem  3.2  ([Gen09b,  Gen09a]).  Let  HE  be  a  bootstrappable  scheme  that  is  also  weakly  circular 
secure.  Then  there  is  a  fully  homomorphic  encryption  scheme  as  per  Definition  3.5. 

Finally,  we  want  to  make  a  statement  regarding  the  ciphertext  length  of  a  bootstrapped  scheme. 
The  following  is  implicit  in  [Gen09b,  Gen09a]. 

Lemma 3.3. If a scheme FH is obtained from applying either Theorem 3.1 or Theorem 3.2 to a bootstrappable scheme HE, then both $\mathrm{FH.Enc}$ and $\mathrm{FH.Eval}$ produce ciphertexts of the same length as $\mathrm{HE.Eval}$ (regardless of the length of the ciphertext produced by $\mathrm{HE.Enc}$).
4 The New Fully Homomorphic Encryption Scheme


In  this  section,  we  present  our  fully  homomorphic  encryption  scheme  and  analyze  its  security  and 
performance.  We  present  our  scheme  in  a  gradual  manner.  First,  in  Section  4.1  we  present  an  LWE- 
based  somewhat  homomorphic  scheme,  SH,  that  will  serve  as  building  block  for  our  construction 
(that  scheme  by  itself  is  not  sufficient  to  achieve  full  homomorphism) .  The  main  technique  used  here 
is  re-linearization.  Our  bootstrappable  scheme,  BTS,  which  utilizes  dimension- modulus  reduction, 
is  presented  in  Section  4.2.  We  then  turn  to  analyze  the  properties  of  BTS.  In  Section  4.3  we  prove 
the  security  of  the  scheme  based  on  LWE  and  discuss  the  worst  case  hardness  that  is  implied  by 
known  reductions.  In  Section  4.4  we  analyze  the  homomorphic  properties  of  SH  and  BTS  which 
enables  us  to  prove  (in  Section  4.5)  that  the  bootstrapping  theorem  is  indeed  applicable  to  BTS,  and 
obtain  a  fully  homomorphic  scheme  based  on  LWE.  We  then  discuss  the  parameters  and  efficiency 
of  our  scheme. 

4.1  The  Scheme  SH:  A  Somewhat  Homomorphic  Encryption  Scheme 

We present a somewhat homomorphic public-key encryption scheme, based on our re-linearization technique, whose message space is $\mathrm{GF}(2)$.¹⁸ Let $\kappa \in \mathbb{N}$ be the security parameter. The scheme is parameterized by a dimension $n \in \mathbb{N}$, a positive integer $m \in \mathbb{N}$, an odd modulus $q \in \mathbb{N}$ (note that $q$ need not be prime) and a noise distribution $\chi$ over $\mathbb{Z}_q$, all of which are inherited from the LWE assumption we use. An additional parameter of the scheme is a number $L \in \mathbb{N}$ which is an upper bound on the maximal multiplicative depth that the scheme can homomorphically evaluate.

During the exposition of the scheme, we invite the reader to keep the following range of parameters in mind: the dimension $n$ is polynomial in the security parameter $\kappa$, $m \ge n \log q + 2\kappa$ is a polynomial in $n$, the modulus is an odd number $q \in [2^{n^\epsilon}, 2 \cdot 2^{n^\epsilon})$ which is sub-exponential in $n$ (where $\epsilon \in (0,1)$ is some constant), $\chi$ is some noise distribution that produces small samples (say, of magnitude at most $n$) in $\mathbb{Z}_q$, and the depth bound is $L \approx \epsilon \log n$.

• Key generation $\mathrm{SH.Keygen}(1^\kappa)$: For key generation, sample $L + 1$ vectors $\mathbf{s}_0, \ldots, \mathbf{s}_L \leftarrow \mathbb{Z}_q^n$, and compute, for all $\ell \in [L]$, $0 \le i \le j \le n$, and $\tau \in \{0, \ldots, \lfloor \log q \rfloor\}$, the value
\[ \psi_{\ell,i,j,\tau} := \Big( \mathbf{a}_{\ell,i,j,\tau},\ b_{\ell,i,j,\tau} := \langle \mathbf{a}_{\ell,i,j,\tau}, \mathbf{s}_\ell \rangle + 2 \cdot e_{\ell,i,j,\tau} + 2^\tau \cdot \mathbf{s}_{\ell-1}[i] \cdot \mathbf{s}_{\ell-1}[j] \Big) \in \mathbb{Z}_q^n \times \mathbb{Z}_q , \quad (1) \]
where $\mathbf{a}_{\ell,i,j,\tau} \leftarrow \mathbb{Z}_q^n$ and $e_{\ell,i,j,\tau} \leftarrow \chi$ (recall that, according to our notational convention, $\mathbf{s}_{\ell-1}[0] = 1$).

We define $\Psi := \{\psi_{\ell,i,j,\tau}\}_{\ell,i,j,\tau}$ to be the set of all these values.¹⁹ At this point, it may not yet be clear what the purpose of the $2^\tau$ factors is; indeed, this will be explained later when we explain homomorphic multiplication.

The key-generation algorithm proceeds to choose a uniformly random matrix $\mathbf{A} \leftarrow \mathbb{Z}_q^{m \times n}$ and a vector $\mathbf{e} \leftarrow \chi^m$, and compute $\mathbf{b} := \mathbf{A} \mathbf{s}_0 + 2\mathbf{e}$.

It then outputs the secret key $sk = \mathbf{s}_L$, the evaluation key $evk = \Psi$, and the public key $pk = (\mathbf{A}, \mathbf{b})$.²⁰

¹⁸It is quite straightforward to generalize the scheme to work over a message space $\mathrm{GF}(t)$, where $t$ is relatively prime to $q$. Since we mostly care about the binary case, we choose not to present this generalization.

¹⁹A knowledgeable reader may notice that the above is similar to encryptions of $2^\tau \cdot \mathbf{s}_{\ell-1}[i] \cdot \mathbf{s}_{\ell-1}[j] \pmod q$ via an LWE-based scheme, except this "ciphertext" is not decryptable since the "message" is not a single bit value.

²⁰The public key $pk$ is essentially identical to the public key in Regev's scheme.
• Encryption $\mathrm{SH.Enc}_{pk}(\mu)$: Recall that $pk = (\mathbf{A}, \mathbf{b})$. To encrypt a message $\mu \in \mathrm{GF}(2)$, sample a vector $\mathbf{r} \leftarrow \{0,1\}^m$ and set (just like in Regev's scheme)
\[ \mathbf{v} := \mathbf{A}^T \mathbf{r} \quad \text{and} \quad w := \mathbf{b}^T \mathbf{r} + \mu . \]
The output ciphertext contains the pair $(\mathbf{v}, w)$, in addition to a "level tag" which is used during homomorphic evaluation and indicates the "multiplicative depth" at which the ciphertext has been generated. For a freshly encrypted ciphertext, therefore, the level tag is zero. Formally, the encryption algorithm outputs $c := ((\mathbf{v}, w), 0)$.

• Homomorphic evaluation $\mathrm{SH.Eval}_{evk}(f, c_1, \ldots, c_t)$ where $f : \{0,1\}^t \to \{0,1\}$: We require that $f$ is represented by a binary arithmetic circuit with '+' gates of arbitrary fan-in and '×' gates with fan-in 2. We further require that the circuit is layered, namely that it is composed of homogeneous layers of either all '+' gates or all '×' gates (it is easy to see that any arithmetic circuit can be converted to this form). Lastly, we require that the multiplicative depth of the circuit (the total number of '×' layers) is exactly $L$.²¹

We  homomorphically  evaluate  the  circuit  /  gate  by  gate.  Namely,  we  will  show  how  to  perform 
homomorphic  addition  (of  arbitrarily  many  ciphertexts)  and  homomorphic  multiplication  (of 
two  ciphertexts).  Combining  the  two,  we  will  be  able  to  evaluate  any  such  function  /. 


Ciphertext structure during evaluation. During the homomorphic evaluation, we will generate ciphertexts of the form $c = ((\mathbf{v}, w), \ell)$, where the tag $\ell$ indicates the multiplicative level at which the ciphertext has been generated (hence fresh ciphertexts are tagged with 0). The requirement that $f$ is layered will make sure that throughout the homomorphic evaluation all inputs to a gate have the same tag. In addition, we will keep the invariant that the output of each gate evaluation $c = ((\mathbf{v}, w), \ell)$ is such that
\[ w - \langle \mathbf{v}, \mathbf{s}_\ell \rangle = \mu + 2 \cdot e \pmod q , \quad (2) \]
where $\mu$ is the correct plaintext output of the gate, and $e$ is a noise term that depends on the gate's input ciphertexts. Note that it always holds that $\ell \le L$ due to the bound on the multiplicative depth, and that the output of the homomorphic evaluation of the entire circuit is expected to have $\ell = L$.


Homomorphic evaluation of gates:

— Addition gates. Homomorphic evaluation of a '+' gate on inputs $c_1, \ldots, c_t$, where $c_i = ((\mathbf{v}_i, w_i), \ell)$, is performed by outputting
\[ c_{\mathrm{add}} = ((\mathbf{v}_{\mathrm{add}}, w_{\mathrm{add}}), \ell) := \Big( \Big( \sum_i \mathbf{v}_i,\ \sum_i w_i \Big), \ell \Big) . \]
Informally, one can see that
\[ w_{\mathrm{add}} - \langle \mathbf{v}_{\mathrm{add}}, \mathbf{s}_\ell \rangle = \sum_i \big( w_i - \langle \mathbf{v}_i, \mathbf{s}_\ell \rangle \big) = \sum_i (\mu_i + 2 e_i) = \sum_i \mu_i + 2 \sum_i e_i , \]
where $\mu_i$ is the plaintext corresponding to $c_i$. The output of the homomorphic evaluation, thus, corresponds to the sum of the inputs, with the noise term being the sum of input noises.

²¹Jumping ahead, in the analysis we will only prove correctness for a specific sub-class of these circuits.

— Multiplication gates. We show how to multiply ciphertexts $c, c'$ where $c = ((\mathbf{v}, w), \ell)$ and $c' = ((\mathbf{v}', w'), \ell)$ (recall that multiplication gates have fan-in 2), to obtain an output ciphertext $c_{\mathrm{mult}} = ((\mathbf{v}_{\mathrm{mult}}, w_{\mathrm{mult}}), \ell + 1)$. Note that the level tag increases by 1.

We first consider an $n$-variate symbolic polynomial over the unknown vector $\mathbf{x}$:
\[ \phi(\mathbf{x}) = \phi_{(\mathbf{v},w),(\mathbf{v}',w')}(\mathbf{x}) := \big( w - \langle \mathbf{v}, \mathbf{x} \rangle \big) \cdot \big( w' - \langle \mathbf{v}', \mathbf{x} \rangle \big) . \quad (3) \]
We symbolically open the parentheses of this quadratic polynomial, and express it as
\[ \phi(\mathbf{x}) = \sum_{0 \le i \le j \le n} h_{i,j} \cdot \mathbf{x}[i] \cdot \mathbf{x}[j] , \]
where $h_{i,j} \in \mathbb{Z}_q$ are known (we can compute them from $(\mathbf{v}, w), (\mathbf{v}', w')$ by opening the parentheses in Eq. (3)).²²

For technical reasons (related to keeping the error growth under control), we want to express $\phi(\cdot)$ as a polynomial with small coefficients. We consider the binary representation of $h_{i,j}$, letting $h_{i,j,\tau}$ be the $\tau$th bit in this representation. In other words
\[ h_{i,j} = \sum_{\tau=0}^{\lfloor \log q \rfloor} 2^\tau \cdot h_{i,j,\tau} , \]
for $h_{i,j,\tau} \in \{0,1\}$. We can express $\phi$ therefore as
\[ \phi(\mathbf{x}) = \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot \big( 2^\tau \cdot \mathbf{x}[i] \cdot \mathbf{x}[j] \big) . \]²³

We recall that the evaluation key $evk = \Psi$ contains elements of the form $\psi_{\ell,i,j,\tau} = (\mathbf{a}_{\ell,i,j,\tau}, b_{\ell,i,j,\tau})$ such that
\[ b_{\ell+1,i,j,\tau} - \langle \mathbf{a}_{\ell+1,i,j,\tau}, \mathbf{s}_{\ell+1} \rangle = 2 \cdot e_{\ell+1,i,j,\tau} + 2^\tau \cdot \mathbf{s}_\ell[i] \cdot \mathbf{s}_\ell[j] \pmod q . \]
The homomorphic multiplication algorithm will thus set
\[ \mathbf{v}_{\mathrm{mult}} := \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot \mathbf{a}_{\ell+1,i,j,\tau} \quad \text{and} \quad w_{\mathrm{mult}} := \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot b_{\ell+1,i,j,\tau} . \]

²²We once again remind the reader that because of the notational trick of setting $\mathbf{x}[0] = 1$, this expression captures the constant term in the product, as well as all the linear terms, thus homogenizing the polynomial $\phi(\mathbf{x})$.

²³This can be interpreted as a polynomial with small coefficients whose variables are $(2^\tau \cdot \mathbf{x}[i] \cdot \mathbf{x}[j])$.
The final output ciphertext will be
\[ c_{\mathrm{mult}} := \big( (\mathbf{v}_{\mathrm{mult}}, w_{\mathrm{mult}}), \ell + 1 \big) . \]
Note that the level tag is increased by one as expected. Let us now verify that our invariant as per Eq. (2) still holds for the new ciphertext:
\[ \begin{aligned}
w_{\mathrm{mult}} - \langle \mathbf{v}_{\mathrm{mult}}, \mathbf{s}_{\ell+1} \rangle
&= \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot \big( b_{\ell+1,i,j,\tau} - \langle \mathbf{a}_{\ell+1,i,j,\tau}, \mathbf{s}_{\ell+1} \rangle \big) \\
&= \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot \big( 2^\tau \cdot \mathbf{s}_\ell[i] \cdot \mathbf{s}_\ell[j] + 2 \cdot e_{\ell+1,i,j,\tau} \big) \\
&= \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot 2^\tau \cdot \mathbf{s}_\ell[i] \cdot \mathbf{s}_\ell[j] + \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} 2 \cdot h_{i,j,\tau} \cdot e_{\ell+1,i,j,\tau} \\
&= \big( w - \langle \mathbf{v}, \mathbf{s}_\ell \rangle \big) \cdot \big( w' - \langle \mathbf{v}', \mathbf{s}_\ell \rangle \big) + \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} 2 \cdot h_{i,j,\tau} \cdot e_{\ell+1,i,j,\tau} \\
&= (\mu + 2e)(\mu' + 2e') + \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} 2 \cdot h_{i,j,\tau} \cdot e_{\ell+1,i,j,\tau} \\
&= \mu \mu' + 2 \Big( \mu e' + \mu' e + 2 e e' + \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot e_{\ell+1,i,j,\tau} \Big) \pmod q . \quad (4)
\end{aligned} \]
Indeed, we get the plaintext output $\mu \mu'$ in addition to a noise term that is inherited from the input ciphertexts and from the evaluation key.

• Decryption $\mathrm{SH.Dec}_{\mathbf{s}_L}(c)$: To decrypt a ciphertext $c = ((\mathbf{v}, w), L)$ (recall that we are only required to decrypt ciphertexts that are output by $\mathrm{SH.Eval}(\cdots)$ and those will always have level tag $L$), compute
\[ \big( w - \langle \mathbf{v}, \mathbf{s}_L \rangle \pmod q \big) \pmod 2 . \quad (5) \]

4.2  The  Scheme  BTS:  A  Bootstrappable  Scheme 

We now utilize the dimension-modulus reduction technique to present the scheme BTS, which uses SH as a building block and inherits its homomorphic properties. However, BTS has much shorter ciphertexts and lower decryption complexity, which will enable us to apply the bootstrapping theorem to obtain full homomorphism.

Our bootstrappable scheme is parameterized by $(n, m, q, \chi, L)$, which are the parameters for SH, and additional parameters $(k, p, \hat\chi)$ which are the "smaller" parameters. $n, q \in \mathbb{N}$ are referred to as the "long" dimension and modulus respectively, while $k, p$ are the "short" dimension and modulus. $\chi, \hat\chi$ are the long and short noise distributions, over $\mathbb{Z}_q$ and $\mathbb{Z}_p$, respectively. The parameter $m$ is used towards public key generation. The parameter $L$ is an upper bound on the multiplicative depth of the evaluated function.
While we discuss parameter values below, we encourage the reader to consider the following (non-optimal, but easier to understand) settings as a running example: $k = \kappa$, $n = k^4$, $q \approx 2^{\sqrt{n}}$, $L = \frac{1}{3} \log n = \frac{4}{3} \log k$, $p = (n^2 \log q) \cdot \mathrm{poly}(k) = \mathrm{poly}(k)$, $m = O(n \log q)$. The distributions $\chi, \hat\chi$ can be thought of as being $n$- and $k$-bounded, respectively.

• Key generation $\mathrm{BTS.Keygen}(1^\kappa)$: Run $\mathrm{SH.Keygen}(1^\kappa)$ to obtain the secret key $\mathbf{s}_L$, evaluation key $\Psi$ and public key $(\mathbf{A}, \mathbf{b})$ of SH.

Recall that $\mathbf{s}_L \in \mathbb{Z}_q^n$, $(\mathbf{A}, \mathbf{b}) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, and $\Psi \in (\mathbb{Z}_q^n \times \mathbb{Z}_q)^{(n+1)^2 \cdot (\lfloor \log q \rfloor + 1) \cdot L}$.

Proceed by sampling the "short" secret key $\hat{\mathbf{s}} \leftarrow \mathbb{Z}_p^k$ and computing additional parameters for the evaluation key: For all $i \in \{0, \ldots, n\}$, $\tau \in \{0, \ldots, \lfloor \log q \rfloor\}$, sample $\hat{\mathbf{a}}_{i,\tau} \leftarrow \mathbb{Z}_p^k$, $\hat e_{i,\tau} \leftarrow \hat\chi$, and compute
\[ \hat b_{i,\tau} := \langle \hat{\mathbf{a}}_{i,\tau}, \hat{\mathbf{s}} \rangle + \hat e_{i,\tau} + \Big\lfloor \frac{p}{q} \cdot \big( 2^\tau \cdot \mathbf{s}_L[i] \big) \Big\rceil \pmod p . \]
Set $\hat\psi_{i,\tau} := (\hat{\mathbf{a}}_{i,\tau}, \hat b_{i,\tau}) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$, and
\[ \hat\Psi := \{\hat\psi_{i,\tau}\}_{i \in \{0, \ldots, n\},\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}} . \]
This is very similar to the generation of $\Psi$ in the scheme SH, but now "encodes" scaled linear terms, rather than quadratic terms.

Finally, output the secret key $sk = \hat{\mathbf{s}}$, evaluation key $evk = (\Psi, \hat\Psi)$ and public key $pk = (\mathbf{A}, \mathbf{b})$. Note that the public key is identical to that of SH.

• Encryption $\mathrm{BTS.Enc}_{pk}(\mu)$: Use the same encryption algorithm as SH. To encrypt a bit $\mu \in \{0,1\}$, compute $c \leftarrow \mathrm{SH.Enc}_{(\mathbf{A}, \mathbf{b})}(\mu)$ and output $c$ as the ciphertext.

• Homomorphic evaluation $\mathrm{BTS.Eval}_{evk}(f, c_1, \ldots, c_t)$, where $f : \{0,1\}^t \to \{0,1\}$: Recall that $evk = (\Psi, \hat\Psi)$. To perform homomorphic evaluation, we will use the homomorphic evaluation function of SH. We thus require that $f$ is represented by a binary arithmetic circuit which is a legal input for $\mathrm{SH.Eval}$.

The first step in the homomorphic evaluation is computing
\[ c_f \leftarrow \mathrm{SH.Eval}_\Psi(f, c_1, \ldots, c_t) . \]
This results in a ciphertext of the form $c_f = ((\mathbf{v}, w), L) \in \mathbb{Z}_q^n \times \mathbb{Z}_q \times \{L\}$.

Next, we reduce the dimension and modulus of $c_f$ to $k, p$ as follows. Consider the following function from $\mathbb{Z}_q^n$ into the rationals modulo $p$:
\[ \phi(\mathbf{x}) = \phi_{\mathbf{v},w}(\mathbf{x}) := \frac{p}{q} \cdot \Big( \frac{q+1}{2} \cdot \big( w - \langle \mathbf{v}, \mathbf{x} \rangle \big) \Big) \pmod p . \]
Rearranging, one can find $h_0, \ldots, h_n \in \mathbb{Z}_q$ such that
\[ \phi(\mathbf{x}) = \sum_{i=0}^{n} h_i \cdot \frac{p}{q} \cdot \mathbf{x}[i] \pmod p . \]
Let $h_{i,\tau}$ be the $\tau$th bit of $h_i$, for all $\tau \in \{0, \ldots, \lfloor \log q \rfloor\}$. Then
\[ \phi(\mathbf{x}) = \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \Big( \frac{p}{q} \cdot 2^\tau \cdot \mathbf{x}[i] \Big) . \]
Using the parameters in $\hat\Psi$, we create a new ciphertext $\hat c = (\hat{\mathbf{v}}, \hat w) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$ by setting
\[ \hat{\mathbf{v}} := 2 \cdot \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \hat{\mathbf{a}}_{i,\tau} \pmod p \ \in \mathbb{Z}_p^k , \qquad \hat w := 2 \cdot \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \hat b_{i,\tau} \pmod p \ \in \mathbb{Z}_p . \]
The output of $\mathrm{BTS.Eval}$ is the new ciphertext $\hat c \in \mathbb{Z}_p^k \times \mathbb{Z}_p$. Note that the bit-length of $\hat c$ is $(k + 1) \log p$.


Recall the invariant we enforce on the structure of ciphertexts of SH (see Eq. (2)). We show that a similar invariant holds for $\hat c$: Namely, that if $c_f$ is such that $w - \langle \mathbf{v}, \mathbf{s}_L \rangle = \mu + 2e \pmod q$, then
\[ \hat w - \langle \hat{\mathbf{v}}, \hat{\mathbf{s}} \rangle = \mu + 2\hat e \pmod p , \]
where $\hat e$ is proportional to (an appropriately scaled version of) $e$ plus some additional noise. To see the above, recall that $(p+1)/2$ is the inverse of 2 modulo $p$, and notice that²⁴
\[ \begin{aligned}
\frac{p+1}{2} \cdot \big( \hat w - \langle \hat{\mathbf{v}}, \hat{\mathbf{s}} \rangle \big)
&= \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \big( \hat b_{i,\tau} - \langle \hat{\mathbf{a}}_{i,\tau}, \hat{\mathbf{s}} \rangle \big) \pmod p \\
&= \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \Big( \hat e_{i,\tau} + \Big\lfloor \frac{p}{q} \cdot \big( 2^\tau \cdot \mathbf{s}_L[i] \big) \Big\rceil \Big) \pmod p \\
&= \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \Big( \frac{p}{q} \cdot \big( 2^\tau \cdot \mathbf{s}_L[i] \big) + \hat e_{i,\tau} + \delta_{i,\tau} \Big) \pmod p \\
&= \phi(\mathbf{s}_L) + \underbrace{\sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \big( \hat e_{i,\tau} + \delta_{i,\tau} \big)}_{=:\ \delta_1} \pmod p , \quad (6)
\end{aligned} \]
where we define
\[ \delta_{i,\tau} := \Big\lfloor \frac{p}{q} \cdot \big( 2^\tau \cdot \mathbf{s}_L[i] \big) \Big\rceil - \frac{p}{q} \cdot \big( 2^\tau \cdot \mathbf{s}_L[i] \big) , \]
and notice that $|\delta_{i,\tau}| \le 1/2$. Since $h_{i,\tau} \in \{0,1\}$ and $\hat e_{i,\tau}$ is small, $\delta_1$ (defined in Eq. (6)) is "small" as well.

²⁴While the following sequence of derivations might seem like an indirect way to prove what we need, the way we choose to do it will be useful later.
Now, letting $w = \langle \mathbf{v}, \mathbf{s}_L \rangle + 2e + \mu \pmod q$, we wish to examine $\phi(\mathbf{s}_L) = \phi_{(\mathbf{v},w)}(\mathbf{s}_L)$ more closely, as follows.
\[ \begin{aligned}
\phi(\mathbf{s}_L) &= \frac{p}{q} \cdot \Big( \frac{q+1}{2} \cdot \big( w - \langle \mathbf{v}, \mathbf{s}_L \rangle \big) \Big) \pmod p \\
&= \frac{p}{q} \cdot \Big( \frac{q+1}{2} \cdot (2e + \mu) + Mq \Big) \pmod p & \text{(where } M \in \mathbb{Z}\text{)} \\
&= \frac{p}{q} \cdot \Big( \frac{q+1}{2} \cdot \mu + e + M'q \Big) \pmod p & \text{(where } M' = M + e \in \mathbb{Z}\text{)} \\
&= \frac{p}{q} \cdot \frac{q+1}{2} \cdot \mu + \frac{p}{q} \cdot e \pmod p \\
&= \frac{p+1}{2} \cdot \mu + \underbrace{\Big( \frac{p}{q} - 1 \Big) \cdot \frac{1}{2} \cdot \mu + \frac{p}{q} \cdot e}_{=:\ \delta_2} \pmod p , \quad (7)
\end{aligned} \]
and notice that if $p < q$ (as is the case in our setting), $|\delta_2| \le \frac{p}{q} \cdot |e| + \frac{1}{2}$.

Putting together Eq. (6) and (7), we see that
\[ \frac{p+1}{2} \cdot \big( \hat w - \langle \hat{\mathbf{v}}, \hat{\mathbf{s}} \rangle \big) = \frac{p+1}{2} \cdot \mu + (\delta_1 + \delta_2) \pmod p . \quad (8) \]
Multiplying by 2, we have
\[ \hat w - \langle \hat{\mathbf{v}}, \hat{\mathbf{s}} \rangle = \mu + 2(\delta_1 + \delta_2) \pmod p . \quad (9) \]
Now defining $\hat e := \delta_1 + \delta_2$, the invariant follows.

It is important to notice that, while not immediate from its definition, $\hat e = \delta_1 + \delta_2$ is an integer. To see this, note that it can be represented as a difference between integers:
\[ \delta_1 + \delta_2 = \frac{p+1}{2} \cdot \big( \hat w - \langle \hat{\mathbf{v}}, \hat{\mathbf{s}} \rangle \big) - \frac{p+1}{2} \cdot \mu . \]


• Decryption $\mathrm{BTS.Dec}_{\hat{s}}(\hat{c})$: To decrypt $\hat{c} = (\hat{v}, \hat{w}) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$ (recall, again, that we only need to decrypt ciphertexts that are output by BTS.Eval), compute

    \mu^* := \big( \hat{w} - \langle \hat{v}, \hat{s} \rangle \pmod p \big) \pmod 2 .

If indeed $\hat{w} - \langle \hat{v}, \hat{s} \rangle = \mu + 2\hat{e} \pmod p$, then $\mu^* = \mu$ so long as $\hat{e}$ is small enough.
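The dimension-modulus reduction step of BTS.Eval and the decryption above, as an added example on a toy instance (this is not code from the report). It assumes the extended secret $x = (1, s_L)$ so that $i$ runs over $0, \ldots, n$, the choice $h := \frac{q+1}{2} \cdot (w, -v) \bmod q$ (so that $\langle h, x \rangle \equiv \frac{q+1}{2}(w - \langle v, s_L \rangle) \pmod q$), a uniform $\hat\chi$ on $[-\hat{B}, \hat{B}]$, and toy sizes far below the parameters of Theorem 4.2; the trial checks the invariant of Eq. (9) and the bounds on $|\delta_1|$ and $|\delta_2|$.

```python
"""Dimension-modulus reduction (second half of BTS.Eval) and BTS.Dec on a toy
instance.  Added example, not code from the report.  Assumptions: extended
secret x = (1, s_L) so that i runs over 0..n;  h := ((q+1)/2) * (w, -v) mod q;
the noise distribution chi_hat is uniform on [-B_hat, B_hat]; toy sizes."""
import random


def centered(a, m):
    """Representative of a mod m in (-m/2, m/2]."""
    a %= m
    return a - m if a > m // 2 else a


def inner(u, s):
    return sum(a * b for a, b in zip(u, s))


def keygen_switch(rng, x, s_hat, q, p, B_hat):
    """Psi = {psi_{i,tau} = (a_hat, b_hat)} with
    b_hat = <a_hat, s_hat> + e_hat + round((p/q) * 2^tau * x[i])  (mod p)."""
    k, nbits = len(s_hat), q.bit_length()          # floor(log q) + 1 bit positions
    psi = {}
    for i, xi in enumerate(x):
        for tau in range(nbits):
            a_hat = [rng.randrange(p) for _ in range(k)]
            e_hat = rng.randint(-B_hat, B_hat)
            scaled = (p * (xi << tau) + q // 2) // q    # round((p/q) * 2^tau * x[i])
            psi[(i, tau)] = (a_hat, (inner(a_hat, s_hat) + e_hat + scaled) % p)
    return psi


def dim_mod_reduce(psi, v, w, q, p, k):
    """(v, w) in Z_q^n x Z_q  ->  (v_hat, w_hat) = 2 * sum h_{i,tau} (a_hat, b_hat) mod p."""
    half_q = (q + 1) // 2                           # inverse of 2 modulo q
    h = [(half_q * w) % q] + [(-half_q * vi) % q for vi in v]
    v_hat, w_hat = [0] * k, 0
    for i, hi in enumerate(h):
        for tau in range(q.bit_length()):
            if (hi >> tau) & 1:                     # h_{i,tau}: tau-th bit of h_i
                a_hat, b_hat = psi[(i, tau)]
                v_hat = [u + a for u, a in zip(v_hat, a_hat)]
                w_hat += b_hat
    return [(2 * u) % p for u in v_hat], (2 * w_hat) % p


def bts_dec(s_hat, v_hat, w_hat, p):
    """BTS.Dec: ((w_hat - <v_hat, s_hat>) mod p) mod 2, taken on the centered residue."""
    return centered(w_hat - inner(v_hat, s_hat), p) % 2


def sh_style_ciphertext(rng, s_L, mu, q, e):
    """Constructed stand-in for SH.Eval's output: v uniform, w = <v, s_L> + mu + 2e mod q."""
    v = [rng.randrange(q) for _ in s_L]
    return v, (inner(v, s_L) + mu + 2 * e) % q


def run_trial(seed, n=4, k=8, q=(1 << 20) + 1, p=4099, B=50, B_hat=1):
    """Reduce one ciphertext per message bit; return (mu, decrypted, e_hat, within_bound)."""
    rng = random.Random(seed)
    s_L = [rng.randrange(q) for _ in range(n)]
    x = [1] + s_L
    s_hat = [rng.randint(-B_hat, B_hat) for _ in range(k)]
    psi = keygen_switch(rng, x, s_hat, q, p, B_hat)
    out = []
    for mu in (0, 1):
        e = rng.randint(-B, B)
        v, w = sh_style_ciphertext(rng, s_L, mu, q, e)
        v_hat, w_hat = dim_mod_reduce(psi, v, w, q, p, k)
        # invariant (9): w_hat - <v_hat, s_hat> = mu + 2 e_hat (mod p), e_hat = delta_1 + delta_2
        e_hat = (centered(w_hat - inner(v_hat, s_hat), p) - mu) // 2
        # |delta_1| <= (n+1)(floor(log q)+1)(B_hat + 1/2) and |delta_2| <= (p/q)|e| + 1/2
        bound = (n + 1) * q.bit_length() * (B_hat + 0.5) + p / q * abs(e) + 0.5
        out.append((mu, bts_dec(s_hat, v_hat, w_hat, p), e_hat, abs(e_hat) <= bound))
    return out


if __name__ == "__main__":
    for row in run_trial(7):
        print("mu=%d decrypted=%d e_hat=%d within bound: %s" % row)
```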

4.3 Security Analysis

In this section, we analyze the security of BTS based on LWE and then, using known connections, based on the worst-case hardness of lattice problems.

The following theorem asserts the security of BTS based on two DLWE problems: one with modulus $q$, dimension $n$ and noise $\chi$, and one with modulus $p$, dimension $k$ and noise $\hat\chi$.

Approved for Public Release; Distribution Unlimited.


Theorem 4.1 (security). Let $n = n(\kappa)$, $k = k(\kappa)$, $q = q(\kappa)$, $p = p(\kappa)$ and $L = L(\kappa)$ be functions of the security parameter. Let $\chi, \hat\chi$ be some distributions over the integers, and define $m = n \log q + 2\kappa$.

The scheme BTS is CPA secure under the $\mathrm{DLWE}_{n,q,\chi}$ and the $\mathrm{DLWE}_{k,p,\hat\chi}$ assumptions. In particular, if both the $\mathrm{DLWE}_{n,q,\chi}$ and the $\mathrm{DLWE}_{k,p,\hat\chi}$ problems are $(t, \epsilon)$-hard, then the scheme is $(t - \mathrm{poly}(\kappa),\; 2(L+1) \cdot (2^{-\kappa} + \epsilon))$-semantically secure.

Essentially, the view of a CPA adversary for our scheme is very similar to that in Regev's scheme, with the exception that our adversary also gets to see the evaluation key. However, the evaluation key contains a sequence of LWE instances which, based on our assumption, are indistinguishable from uniform. Therefore our reduction will perform a sequence of $L$ hybrids to replace the components of the evaluation key with a set of completely uniform elements. Then, an additional hybrid will imply the same for $\Psi$. Once this is done, we will use the known proof techniques from Regev's scheme and get the security of our scheme. A formal proof follows.

Proof. As explained above, we prove by a sequence of hybrids. Let $\mathcal{A}$ be an IND-CPA adversary for BTS that runs in time $t$. We consider a series of hybrids where $\mathrm{Adv}_H[\mathcal{A}]$ denotes the success probability of $\mathcal{A}$ in hybrid $H$.

• Hybrid $H_{L+1}$: This is identical to the IND-CPA game, where the adversary gets properly distributed keys $pk, evk$, generated by BTS.Keygen, and an encryption of either 0 or 1 computed using BTS.Enc. By definition,

    \mathrm{Adv}_{H_{L+1}}[\mathcal{A}] = \big| \Pr[\mathcal{A}(pk, evk, \mathrm{SH.Enc}_{pk}(\mu_0)) = 1] - \Pr[\mathcal{A}(pk, evk, \mathrm{SH.Enc}_{pk}(\mu_1)) = 1] \big| = \delta .

• Hybrid $H'_{L+1}$: This hybrid is identical to $H_{L+1}$ in everything except the generation of $\Psi$. In this hybrid, $\Psi$ is not generated as prescribed, but is rather sampled uniformly. Namely, for all $i, \tau$ we set $\psi_{i,\tau} \leftarrow \mathbb{Z}_p^k \times \mathbb{Z}_p$.

It follows that there exists an adversary $\mathcal{B}$ that solves the $\mathrm{DLWE}_{k,p,\hat\chi}$ problem in time $t + \mathrm{poly}(\kappa)$ and advantage

    \mathrm{DLWE}_{k,p,\hat\chi}\mathrm{Adv}[\mathcal{B}] \ge \tfrac{1}{2} \cdot \big| \mathrm{Adv}_{H_{L+1}}[\mathcal{A}] - \mathrm{Adv}_{H'_{L+1}}[\mathcal{A}] \big| .

The adversary $\mathcal{B}$ will sample all vectors $s_0, \ldots, s_L$ by himself and generate $pk, \Phi$. Then, he will use the LWE oracle to obtain either $A_{\hat{s},\hat\chi}$ samples, which will result in a properly generated $\Psi$, or uniform samples, which will result in a uniform $\Psi$. $\mathcal{B}$ will then sample a uniform $b \leftarrow \{0,1\}$ and return 1 if and only if $\mathcal{A}(pk, (\Phi, \Psi), \mathrm{BTS.Enc}_{pk}(b)) = b$. Using simple algebra, the result follows.

• Hybrid $H_\ell$, for $\ell \in [L]$: Hybrid $H_\ell$ is identical to $H_{\ell+1}$, except for a change in the $\Phi$ component of the evaluation key. Specifically, we change each of the components $\psi_{\ell,i,j,\tau}$ for all $i, j, \tau$: instead of computing it as prescribed (i.e., $(a_{\ell,i,j,\tau},\; \langle a_{\ell,i,j,\tau}, s_\ell \rangle + 2e_{\ell,i,j,\tau} + 2^{\tau} \cdot s_{\ell-1}[i] \cdot s_{\ell-1}[j])$), we sample it uniformly. Namely, we set $\psi_{\ell,i,j,\tau} \leftarrow \mathbb{Z}_q^n \times \mathbb{Z}_q$.

It follows that there exists an adversary $\mathcal{B}_\ell$ that solves the $\mathrm{DLWE}_{n,q,\chi}$ problem in time $t + \mathrm{poly}(\kappa)$ and advantage

    \mathrm{DLWE}_{n,q,\chi}\mathrm{Adv}[\mathcal{B}_\ell] = \tfrac{1}{2} \cdot \big| \mathrm{Adv}_{H_\ell}[\mathcal{A}] - \mathrm{Adv}_{H_{\ell+1}}[\mathcal{A}] \big| .

The argument is very similar to the previous hybrid: we note that at this point $\Psi$ and the components $\psi_{\ell',i,j,\tau}$ for $\ell' > \ell$ are completely uniform and can be generated without any knowledge of $s_\ell, \ldots, s_L, \hat{s}$. The adversary $\mathcal{B}_\ell$ will sample all vectors $s_0, \ldots, s_{\ell-1}$ himself, and turn to the LWE oracle for samples in order to generate $\psi_{\ell,i,j,\tau}$. This will result in $\Phi$ being identical to $H_{\ell+1}$ if the oracle returns $A_{s_\ell,\chi}$ samples, or $\Phi$ being identical to $H_\ell$ if the oracle returns uniform elements. Once again, sampling a random $b$ and checking whether $\mathcal{A}$'s response is identical to $b$ completes the argument.

Note that in the hybrid $H_1$, the evaluation key $evk = (\Phi, \Psi)$ is completely uniform, and hence the view of the adversary is like in Regev's scheme.

• Hybrid $H_0$: Hybrid $H_0$ is identical to $H_1$ except that the vector $b$ in the public key is chosen uniformly at random from $\mathbb{Z}_q^m$, rather than being computed as $A \cdot s_0 + 2e$. Under the $\mathrm{DLWE}_{n,q,\chi}$ assumption, hybrids $H_0$ and $H_1$ are indistinguishable. Namely, there exists an adversary $\mathcal{B}_0$ that runs in time $t + \mathrm{poly}(\kappa)$ and whose advantage is

    \mathrm{DLWE}_{n,q,\chi}\mathrm{Adv}[\mathcal{B}_0] = \tfrac{1}{2} \cdot \big| \mathrm{Adv}_{H_1}[\mathcal{A}] - \mathrm{Adv}_{H_0}[\mathcal{A}] \big| .

The adversary $\mathcal{B}_0$ gets $m$ samples from the LWE oracle and uses them to generate $(A, b)$. If the samples come from $A_{s,\chi}$, then $b$ is distributed like in $H_1$, and if they are uniform then $b$ is distributed as in $H_0$. The same testing of $\mathcal{A}$ as before implies the argument.

• Hybrid $H_{\mathrm{rand}}$: Hybrid $H_{\mathrm{rand}}$ is identical to $H_0$ except that the ciphertext is chosen uniformly at random from $\mathbb{Z}_q^n \times \mathbb{Z}_q$, rather than being computed as $(A^T \cdot r,\; b^T \cdot r + \mu)$.

We now claim that

    \big| \mathrm{Adv}_{H_0}[\mathcal{A}] - \mathrm{Adv}_{H_{\mathrm{rand}}}[\mathcal{A}] \big| \le 2^{-\kappa} .

This is due to the leftover hash lemma (Lemma 2.1), since $m \ge (n+1) \log q + 2\kappa$.

Note that in $H_{\mathrm{rand}}$, all the elements of both the public key and the ciphertext are uniformly random and independent of the message. Thus,

    \mathrm{Adv}_{H_{\mathrm{rand}}}[\mathcal{A}] = 0 .

Putting these together, we get that

    \mathrm{Adv}^{\mathrm{CPA}}[\mathcal{A}] \le 2^{-\kappa} + 2 \cdot \mathrm{DLWE}_{k,p,\hat\chi}\mathrm{Adv}[\mathcal{B}] + 2 \cdot \sum_{\ell=0}^{L} \mathrm{DLWE}_{n,q,\chi}\mathrm{Adv}[\mathcal{B}_\ell]

and the result follows. □

Specific Parameters and Worst-Case Hardness. The parameters we require for homomorphism (see Theorem 4.2 below) are as follows. We require that $q = 2^{n^{\varepsilon}}$ for some $\varepsilon \in (0,1)$, $\chi$ is $n$-bounded, $p = 16nk\log(2q)$ and $\hat\chi$ is $k$-bounded. In order to achieve the best lattice reduction, we will choose $q$ as a product of polynomially bounded co-prime numbers. Applying known results (see Corollary 2.2), $\mathrm{DLWE}_{n,q,\chi}$ translates into approximating short-vector problems in worst-case $n$-dimensional lattices to within a factor of $\tilde{O}(\sqrt{n} \cdot 2^{n^{\varepsilon}})$, while $\mathrm{DLWE}_{k,p,\hat\chi}$ translates to approximating $k$-dimensional lattice problems to within an $\tilde{O}(\ldots)$ factor (footnote 25). These problems are essentially incomparable, as the hardness of the problem increases as the dimension increases on one hand, but decreases as the approximation factor increases on the other. The best known algorithms solve the first problem in time (roughly) $2^{\tilde{O}(n^{1-\varepsilon})}$ and the second in time $2^{\tilde{O}(k)}$.

The relation between $n$ and $k$ is determined based on the required homomorphic properties. In this work, we only prove that there exists a constant $C$ such that setting $n = k^{C/\varepsilon}$ implies fully homomorphic encryption. Given the value of $C$, setting $\varepsilon \approx 1 - \ldots$ will make the two problems equally hard (at least based on the current state of the art).

4.4 Homomorphic Properties of SH and BTS

In this section we analyze the homomorphic properties of SH and BTS. Both schemes have essentially the same homomorphic properties, but BTS has the additional advantage of having low decryption complexity (as analyzed in Section 4.5). Thus, BTS will be our main focus, and the properties of SH will follow as a by-product of our analysis.

We  start  by  formally  defining  the  class  of  functions  for  which  we  prove  homomorphism  and 
proceed  by  stating  the  homomorphic  properties  and  proving  them. 

The Function Class Arith[L, T]. In this section we define the function class for which we prove somewhat homomorphism of our scheme. Essentially, this is the class of arithmetic circuits over GF(2) with bounded fan-in and bounded depth, with an additional final "collation": a high fan-in addition gate at the last level. We require that the circuit is structured in a canonical "layered" manner, as we describe below.

Definition 4.1. Let $L = L(\kappa), T = T(\kappa)$ be functions of the security parameter. The class $\mathrm{Arith}[L, T]$ is the class of arithmetic circuits over GF(2), with $\{+, \times\}$ gates, with the following structure. Each circuit contains exactly $2L+1$ layers of gates (numbered $1, \ldots, 2L+1$ starting from the input level), and gates of layer $i+1$ are fed only by gates of layer $i$. The odd layers contain only '+' gates and the even layers contain only '×' gates. The gates at layers $1, \ldots, 2L$ have fan-in 2, while the final addition gate in layer $2L+1$ is allowed to have fan-in $T$.

We note that $\mathrm{Arith}[L, T]$ conforms with the requirements on the evaluated function imposed by SH.Eval and BTS.Eval. Indeed, the multiplicative depth of any circuit in $\mathrm{Arith}[L, T]$ is exactly $L$, and hence homomorphic evaluation is well defined on any such function.

To motivate the choice of this function class, we first note that any arithmetic circuit of fan-in 2 and depth $D$ can be trivially converted into a circuit in $\mathrm{Arith}[D, 1]$ (footnote 26). This will be useful for the purpose of bootstrapping. Jumping ahead, the collation gate will be useful for constructing a private information retrieval protocol, where we will need to evaluate polynomials with a very large number of monomials and fairly low degree. The collation gate will thus be used for the final aggregation of monomials.

25 We do not mention the specific lattice problem or the specific type of reduction (quantum vs. classical) since, as one can observe from Corollary 2.2, the approximation factor we get is essentially the same for all problems, and the state of the art is roughly the same as well.

26 One way to do this is to separate each level of the circuit into two levels, an addition level and a multiplication level, and finally to add a dummy fan-in-1 addition gate at the top. This gives us a $2D+1$ depth circuit with alternating addition and multiplication levels, or, in other words, the transformed circuit belongs to $\mathrm{Arith}[D, 1]$.
Our goal is now to prove that with the appropriate choice of parameters, SH and BTS are $\mathrm{Arith}[L, T]$-homomorphic.

Theorem 4.2. Let $n = n(\kappa) \ge 5$ be any polynomial, $q \ge 2^{n^{\varepsilon}} \ge 3$ for some $\varepsilon \in (0,1)$ be odd, $\chi$ be any $n$-bounded distribution, and $m = (n+1)\log q + 2\kappa$. Let $k = \kappa$, $p = 16nk\log(2q)$ (odd) and $\hat\chi$ be any $k$-bounded distribution. Then SH and BTS are both $\mathrm{Arith}[L = \Omega(\varepsilon \log n),\; T = \sqrt{q}]$-homomorphic.

Not surprisingly, the homomorphism class depends only on $n$ and not on $k$. This is because, recalling the definition of BTS.Eval, the homomorphism property is inherited from SH.Eval. We note that it is possible to further generalize the class of circuits that we can homomorphically evaluate (for example, circuits with high multiplicative depth but low multiplicative degree); however, since this is not required for our results, and since the proof would use the exact same tools, we choose not to further complicate the theorem statement and proof.

To prove the theorem, we introduce a sequence of lemmas as follows. Recall that the encryption algorithms of both schemes are identical, and that BTS.Eval first calls SH.Eval on all its inputs. We first analyze the growth of the noise in the execution of SH.Eval in Lemma 4.3 (which will imply the theorem for SH), and then, in Lemma 4.4, we complete the noise calculation of BTS.Eval, which will complete the proof of the theorem.

To track the growth of the noise, we define, for any ciphertext $c = ((v, w), \ell)$, a noise measure $\eta(c) \in \mathbb{Z}$ as follows. We let $e \in \mathbb{Z}$ be the smallest integer (in absolute value) such that

    \mu + 2e = w - \langle v, s_\ell \rangle \pmod q ,

and define $\eta(c) = \mu + 2e$ (note that $\eta(c)$ is defined over the integers, and not modulo $q$). We note that so long as $|\eta(c)| < q/2$, the ciphertext is decryptable. We can now bound the error in the execution by bounding $\eta(c_f)$ of the output ciphertext.

Lemma 4.3. Let $n = n(\kappa) \ge 5$, $q = q(\kappa) \ge 3$, $\chi$ be $B$-bounded and $L = L(\kappa)$, and let $f \in \mathrm{Arith}[L, T]$, $f : \{0,1\}^t \to \{0,1\}$ (for some $t = t(\kappa)$). Then for any input $\mu_1, \ldots, \mu_t \in \{0,1\}$, if we let $(pk, evk, sk) \leftarrow \mathrm{SH.Keygen}(1^\kappa)$, $c_i \leftarrow \mathrm{BTS.Enc}_{pk}(\mu_i) = \mathrm{SH.Enc}_{pk}(\mu_i)$ and we further let $c_f = ((v, w), L) \leftarrow \mathrm{SH.Eval}_{evk}(f, c_1, \ldots, c_t)$ be the encryption of $f(\mu_1, \ldots, \mu_t)$, it holds that with all but negligible probability

    |\eta(c_f)| \le T \cdot (16nB \log q)^{2^L} .

Proof. We assume that all samples of $\chi$ (there are only polynomially many of them) are indeed of magnitude at most $B$. This happens with all but exponentially small probability. The remainder of the analysis is completely deterministic.

We track the growth of noise as the homomorphic evaluation proceeds.

• Fresh ciphertexts. Our starting point is level-0 ciphertexts $((v, w), 0)$ that are generated by the encryption algorithm. By definition of the encryption algorithm we have that

    w - \langle v, s_0 \rangle = r^T \cdot b + \mu - r^T \cdot A \cdot s_0 = \mu + r^T \cdot (b - A s_0) = \mu + 2 r^T \cdot e \pmod q .

Since $|\mu + 2 r^T \cdot e| \le 1 + 2nB$, it follows that

    |\eta(c)| \le 2nB + 1 .        (10)
• Homomorphic addition gates. When evaluating '+' on ciphertexts $c_1, \ldots, c_t$ to obtain $c_{\mathrm{add}}$, we just sum their $(v, w)$ values. Therefore

    |\eta(c_{\mathrm{add}})| \le \sum_{i} |\eta(c_i)| .

• Homomorphic multiplication gates. When evaluating '×' on $c = ((v, w), \ell)$ and $c' = ((v', w'), \ell)$ to obtain $c_{\mathrm{mult}} = ((v_{\mathrm{mult}}, w_{\mathrm{mult}}), \ell+1)$, we get by Eq. (4) that

    w_{\mathrm{mult}} - \langle v_{\mathrm{mult}}, s_{\ell+1} \rangle = \eta(c) \cdot \eta(c') + 2 \sum_{\substack{0 \le i \le j \le n \\ \tau \in \{0, \ldots, \lfloor \log q \rfloor\}}} h_{i,j,\tau} \cdot e_{\ell+1,i,j,\tau} \pmod q .

It follows that

    |\eta(c_{\mathrm{mult}})| \le |\eta(c)| \cdot |\eta(c')| + 2 \cdot \frac{(n+1)(n+2)}{2} \cdot B (\log q + 1) .

If we define

    E = \max \big\{ |\eta(c)|,\; |\eta(c')|,\; (n+2)\sqrt{B \log(2q)} \big\} ,

then $|\eta(c_{\mathrm{mult}})| \le 2E^2$.

Let

    E_0 = \max \big\{ 2nB + 1,\; (n+2)\sqrt{B \log(2q)} \big\} \le 2nB \log q

be an upper bound on $|\eta(c)|$ of fresh ciphertexts.

Then it holds that a bound on $|\eta(c)|$ of the outputs of layer $2\ell$ (recall that the even layers contain multiplication gates) is obtained by

    E_{2\ell} \le 2 \big( 2 E_{2(\ell-1)} \big)^2 ,

and therefore, recursively,

    E_{2L} \le (8E_0)^{2^L} \le (16nB \log q)^{2^L} .

And after the final collation gate it holds that

    |\eta(c_f)| \le T \cdot (16nB \log q)^{2^L} .  □

We now similarly define $\eta(\hat{c})$ for $\hat{c} = (\hat{v}, \hat{w}) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$ that encrypts $\mu$. We let $\hat{e} \in \mathbb{Z}$ be the smallest integer (in absolute value) such that

    \mu + 2\hat{e} = \hat{w} - \langle \hat{v}, \hat{s} \rangle \pmod p ,

and define $\eta(\hat{c}) = \mu + 2\hat{e}$ (note that, as before, $\eta$ is defined over the integers, and not modulo $p$). So long as $|\eta(\hat{c})| < p/2$, BTS.Dec will decrypt $\hat{c}$ correctly. In the next lemma, we bound $|\eta(\hat{c})|$ of the output of BTS.Eval.
Lemma 4.4. Let $n = n(\kappa) \ge 5$, $q = q(\kappa) \ge 3$, $\chi$ be $B$-bounded and $L = L(\kappa)$. Let $p = p(\kappa)$, $k = k(\kappa)$ and $\hat\chi$ be $\hat{B}$-bounded. Consider a homomorphic evaluation $\hat{c} \leftarrow \mathrm{BTS.Eval}_{evk}(f, c_1, \ldots, c_t)$ and the terms $\delta_1, \delta_2$ defined in Eq. (6) and (7), respectively. Let $c_f \in \mathbb{Z}_q^n \times \mathbb{Z}_q \times \{L\}$ be the intermediate value returned by the call to SH.Eval. Then with all but negligible probability

    |\delta_1 + \delta_2| \le \frac{p}{q} \cdot |\eta(c_f)| + 2n\hat{B}\log(2q) .

Proof. We assume that all samples from $\hat\chi$ are indeed of magnitude at most $\hat{B}$. This happens with all but exponentially small probability.

By definition (recall that $\delta_1, \delta_2$ have been defined over the rationals), we have that

    |\delta_1| = \Big| \sum_{i=0}^{n} \sum_{\tau=0}^{\lfloor \log q \rfloor} h_{i,\tau} \cdot \big( \hat{e}_{i,\tau} + \omega_{i,\tau} \big) \Big| \le (n+1) \log(2q) \, (\hat{B} + 1/2) ,

and

    |\delta_2| = \Big| \Big( \frac{p}{q} - 1 \Big) \cdot \frac{\mu}{2} + \frac{p}{q} \cdot e \Big| = \Big| \frac{p}{q} \cdot \frac{\mu + 2e}{2} - \frac{\mu}{2} \Big| \le \frac{p}{q} \cdot |\eta(c_f)| + \frac{1}{2} .

Adding the terms together, the result follows. □


We can now finally prove Theorem 4.2.

Proof of Theorem 4.2. Let us consider the homomorphism claim about BTS (the argument for SH will follow as a by-product): a sufficient condition for ciphertext $\hat{c} = (\hat{v}, \hat{w})$ to decrypt correctly is that $|\hat{e}| < p/4$. By Lemma 4.4, it is sufficient to prove that

    p/4 > \frac{p}{q} \cdot |\eta(c_f)| + 2n\hat{B}\log(2q) = \frac{p}{q} \cdot |\eta(c_f)| + p/8 .

Thus it is sufficient to prove that

    |\eta(c_f)| < q/4 .

We note that if we prove this, then it also follows that $c_f$ is decryptable, and hence the claim about the homomorphism of SH holds as well.

Plugging in the bound from Lemma 4.3, we get

    T \cdot (16nB \log q)^{2^L} < q/4 ,

and plugging in all the parameters and $T = \sqrt{q}$, we need

    (16 n^{2+\varepsilon})^{2^L} < 2^{n^{\varepsilon}/2} / 4 ,

which clearly holds for some $L = \Omega(\varepsilon \log n)$. □
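The noise bookkeeping of Lemma 4.3 and the parameter condition of the proof above, as an added example (not code from the report): it walks the layers of a worst-case $\mathrm{Arith}[L, T]$ circuit with the per-gate bounds from the proof of Lemma 4.3, compares the result with the closed form, applies Lemma 4.4 as a decryptability check for BTS, and computes the largest $L$ for which the final inequality holds for given $n$ and $\varepsilon$. It assumes $\log$ means $\log_2$ and treats the bounds as real numbers; no sampling is involved.

```python
"""Noise tracking for Arith[L, T] circuits (Lemma 4.3), the BTS correctness
check (Lemma 4.4) and the depth bound of Theorem 4.2.  Added example, not code
from the report.  Assumption: log means log_2 (the report writes log q without
a base); all bounds are evaluated as real numbers."""
import math


def fresh_noise_bound(n, B):
    """Eq. (10): a fresh ciphertext has |eta(c)| <= 2nB + 1."""
    return 2 * n * B + 1


def add_noise_bound(etas):
    """Homomorphic addition: the noise terms simply add up."""
    return sum(etas)


def mult_noise_bound(eta1, eta2, n, B, q):
    """Homomorphic multiplication: |eta(c)| |eta(c')| plus the relinearization
    noise 2 * ((n+1)(n+2)/2) * B * (log q + 1) contributed by the evaluation key."""
    return eta1 * eta2 + (n + 1) * (n + 2) * B * (math.log2(q) + 1)


def arith_circuit_noise_bound(n, B, q, L, T):
    """Walk the 2L+1 layers of a worst-case Arith[L, T] circuit: odd layers are
    fan-in-2 additions, even layers multiplications, and the last layer is the
    single fan-in-T 'collation' addition gate."""
    eta = fresh_noise_bound(n, B)
    for _ in range(L):
        eta = add_noise_bound([eta, eta])            # layer 2l - 1
        eta = mult_noise_bound(eta, eta, n, B, q)    # layer 2l
    return add_noise_bound([eta] * T)                # layer 2L + 1


def lemma43_bound(n, B, q, L, T):
    """Closed form of Lemma 4.3: T * (16 n B log q)^(2^L)."""
    return T * (16 * n * B * math.log2(q)) ** (2 ** L)


def bts_output_noise_bound(eta_cf, n, B_hat, p, q):
    """Lemma 4.4: |delta_1 + delta_2| <= (p/q) |eta(c_f)| + 2 n B_hat log(2q)."""
    return p / q * abs(eta_cf) + 2 * n * B_hat * math.log2(2 * q)


def bts_decrypts_correctly(eta_cf, n, B_hat, p, q):
    """Sufficient condition used in the proof of Theorem 4.2: |e_hat| < p/4."""
    return bts_output_noise_bound(eta_cf, n, B_hat, p, q) < p / 4


def max_mult_depth(n, eps):
    """Largest L with sqrt(q) * (16 n B log q)^(2^L) < q/4 for the parameters of
    Theorem 4.2 (q = 2^{n^eps}, B = n, T = sqrt(q)), i.e. with
    2^L * log(16 n^{2+eps}) < n^eps / 2 - 2, computed in the log domain because
    q itself is astronomically large.  Returns -1 if even L = 0 fails."""
    budget = n ** eps / 2 - 2
    per_level = math.log2(16 * n ** (2 + eps))
    L = -1
    while per_level * 2 ** (L + 1) < budget:
        L += 1
    return L


if __name__ == "__main__":
    print("tracked:", arith_circuit_noise_bound(5, 1, 1025, 2, 3),
          "closed form:", lemma43_bound(5, 1, 1025, 2, 3))
    print("max multiplicative depth for n=2^20, eps=0.9:", max_mult_depth(2 ** 20, 0.9))
```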
4.5 Bootstrapping and Full Homomorphism

We now show how to apply Gentry's bootstrapping theorem (Theorems 3.1, 3.2) to achieve full homomorphism. In order to do this, we first need to bound the complexity of an augmented decryption circuit. Since our decryption is essentially a computation of an inner product, we bound the complexity of this operation.

Lemma 4.5. Let $(v, w) \in \mathbb{Z}_p^k \times \mathbb{Z}_p$. There exists an arithmetic circuit with fan-in 2 gates and $O(\log k + \log\log p)$ depth, that on input $s \in \mathbb{Z}_p^k$ (in binary representation) computes

    \big( w - \langle v, s \rangle \pmod p \big) \pmod 2 .

Proof. We let $s[i]_{(j)}$ denote the $j$-th bit of the binary representation of $s[i] \in \mathbb{Z}_p$. We notice that

    w - \langle v, s \rangle = w - \sum_{i=1}^{k} s[i] \cdot v[i] \pmod p
                             = w - \sum_{i=1}^{k} \sum_{j=0}^{\lfloor \log p \rfloor} s[i]_{(j)} \cdot (2^{j} \cdot v[i]) \pmod p .

Therefore computing $w - \langle v, s \rangle \pmod p$ is equivalent to summing up $k(1 + \lfloor \log p \rfloor) + 1$ numbers in $\mathbb{Z}_p$, and then taking the result modulo $p$. The summation (over the integers) can be done in depth $O(\log k + \log\log p)$. In order to take modulo $p$, one needs to subtract, in parallel, all possible multiples of $p$ (there are at most $O(k \log p)$ options) and check if the result is in $\mathbb{Z}_p$. This requires depth $O(\log k + \log\log p)$ again. Then a selection tree of depth $O(\log k + \log\log p)$ is used to choose the correct result. Once this is done, outputting the least significant bit implements the final modulo 2 operation.

The total depth is thus $O(\log k + \log\log p)$ as required. □

We  can  now  apply  the  bootstrapping  theorem  to  obtain  a  fully  homomorphic  scheme. 

Lemma 4.6. There exists $C \in \mathbb{N}$ such that setting $n = k^{C/\varepsilon}$ and the rest of the parameters as in Theorem 4.2, BTS is bootstrappable as per Definition 3.7.

Proof. Lemma 4.5 guarantees that the decryption circuit is in $\mathrm{Arith}[O(\log k), 1]$ (note that $\log\log p = o(\log k)$); since the augmented decryption circuit just adds 1 to the depth, it follows that the augmented decryption circuits are also in $\mathrm{Arith}[O(\log k), 1]$.

Theorem 4.2, on the other hand, guarantees homomorphism for any $\mathrm{Arith}[\Omega(\varepsilon \log n), \sqrt{q}]$ function. Taking a large enough $C$, it will hold that $\mathrm{Arith}[O(\log k), 1] \subseteq \mathrm{Arith}[\Omega(\varepsilon \log n), \sqrt{q}]$ and the lemma follows. □

Finally, we conclude that there exists an LWE-based fully homomorphic encryption scheme, based on Theorem 4.1 and Lemma 4.6.

Corollary 4.7. There exists a leveled fully homomorphic encryption scheme based on the $\mathrm{DLWE}_{n,q,\chi}$ and $\mathrm{DLWE}_{k,p,\hat\chi}$ assumptions.

Furthermore, if BTS is weakly circular secure (see Definition 3.8), then there exists a fully homomorphic encryption scheme based on the same assumptions.
Efficiency of the Scheme. Interestingly, our scheme is comparable to non-homomorphic LWE-based schemes (e.g. Regev's) in terms of encryption, decryption and ciphertext sizes. Namely, so long as one doesn't use the homomorphic properties of the scheme, she does not need to "pay" for it. To see why this is the case, we observe that our scheme's secret key has length $k \log p = O(k \log k)$ and the ciphertext length is $(k+1) \log p = O(k \log k)$. The decryption algorithm is essentially the same as Regev's. As far as encryption is concerned, it may seem more costly. The public key as we describe it contains $(n+1)((n+1)\log q + 2\kappa)\log q$ bits, and encryption requires performing operations over $\mathbb{Z}_q$. However, we note that one can think of sampling a public key $(A, b)$ where $A \leftarrow \mathbb{Z}_q^{m \times n}$, $b = As + 2e \in \mathbb{Z}_q^m$ (where $m = (k+1)\log p + 2\kappa$). This will enable generating short ciphertexts that will be "bootstrapped up" during the homomorphic evaluation. If such a short public key is used, then encryption also becomes comparable to Regev's scheme.

Homomorphic evaluation is where the high price is paid: the evaluation key has size $O(L n^2 \log^2 q + n \log q \log p) = O(n^{2+2\varepsilon})$. Considering the fact that $n = \kappa^{C/\varepsilon}$, this accumulates to a fairly long evaluation key, especially considering that in a leveled scheme this size increases linearly with the depth of the circuit to be evaluated. The bright side, as we mention above, is that $evk$ only needs to be known to the homomorphic evaluator and is not needed for encryption or decryption.

Circuit Privacy. A property that is sometimes desired in the context of fully homomorphic encryption is circuit privacy. A scheme is circuit private if the output of a homomorphic evaluation reveals no information on the evaluated function (other than the output of the function on the encrypted message). Circuit privacy for our scheme can be achieved by adding additional noise to the ciphertext $c_f$, right before applying dimension-modulus reduction. Similar techniques were used in previous schemes and thus we feel that a more elaborate discussion is unnecessary here.

5  LWE-Based  Private  Information  Retrieval 

In  this  section,  we  present  a  single-server  private  information  retrieval  (PIR)  protocol  with  nearly 
optimal  communication  complexity.  First,  we  present  the  definitions  of  PIR  in  Section  5.1.  Then, 
in  Section  5.2,  we  show  a  generic  construction  of  PIR  from  somewhat  homomorphic  encryption. 
Finally,  in  Section  5.3,  we  instantiate  the  generic  construction  using  our  own  scheme  from  Section  4 
and  analyze  its  parameters. 

5.1  Definitions  of  Single  Server  PIR 

We define single-server private information retrieval in the public-key setting. In this setting, there is a public key associated with the receiver (who holds the respective secret key). This public key is independent of the query and of the database, and can be generated and sent (or posted) before the interaction begins, and may be used many times. Thus, the size of the public key is not counted towards the communication complexity of the scheme. We formalize this by an efficient setup procedure that runs before the protocol starts and generates this public key.

Letting κ be the security parameter and N ∈ N be the database size, a PIR protocol PIR in the public-key setting is defined by a tuple of polynomial-time computable algorithms (PIR.Setup, PIR.Query, PIR.Response, PIR.Decode) as follows:

0. Setup. The protocol begins in an off-line setup phase that does not depend on the index to be queried nor on the contents of the database.
The receiver runs the setup algorithm

    (params, setupstate) ← PIR.Setup(1^κ) .

It thus obtains a public set of parameters params (the public key) that is sent to the sender, and a secret state setupstate that is kept private.

Once the setup phase is complete, the receiver and sender can run the remainder of the protocol an unbounded number of times.

1. Query. When the receiver wishes to receive the i-th element in the database DB[i], it runs

    (query, qstate) ← PIR.Query(1^κ, setupstate, i) .

The query message query is then sent to the sender, and qstate is query-specific secret information that is kept private.

2. Answer. The sender has access to a database DB ∈ {0,1}^N. Upon receiving the query message query from the receiver, it runs the "answering" algorithm

    resp ← PIR.Response(1^κ, DB, params, query) .

The response resp is then sent back to the receiver.

3. Decode. Upon receiving resp, the receiver decodes the response by running

    x ← PIR.Decode(1^κ, setupstate, qstate, resp) .

The output x ∈ {0,1} is the output of the protocol.

We note that while in general a multi-round interactive protocol is required for each database query, the protocols we present are of the simple form of a query message followed by a response message. Hence, we chose to present the simple syntax above.

The communication complexity of the protocol is defined to be |query| + |resp|, namely the number of bits being exchanged to transfer a single database element (excluding the setup phase). We sometimes analyze the query length and the response length separately.

Correctness and security are defined as follows.

• Correctness. For all κ ∈ N, DB ∈ {0,1}^N where N = |DB|, and i ∈ [N], it holds that

    Pr[PIR.Decode(1^κ, setupstate, qstate, resp) ≠ DB[i]] = negl(κ) ,

where (params, setupstate) ← PIR.Setup(1^κ), (query, qstate) ← PIR.Query(1^κ, setupstate, i) and resp ← PIR.Response(1^κ, DB, params, query).

• (t, ε)-Privacy. For all κ ∈ N, N ∈ N and for any adversary A running in time t = t_{κ,N} it holds that

    max_{i, j ∈ [N]^t} | Pr[A(params, i, query_i) = 1] − Pr[A(params, j, query_j) = 1] | ≤ ε  (= ε_{κ,N}) ,

where (params, setupstate) ← PIR.Setup(1^κ), (query_{i_ℓ}, qstate_{i_ℓ}) ← PIR.Query(1^κ, setupstate, i_ℓ) and (query_{j_ℓ}, qstate_{j_ℓ}) ← PIR.Query(1^κ, setupstate, j_ℓ), for all ℓ ∈ [t].
We note that the definition of privacy above differs from the one usually found in the literature. The standard definition refers to vectors i, j of dimension 1, that is, it only allows the adversary to see one query to the database. A hybrid argument can show that with proper degradation in parameters, this guarantees some security also for the case of many queries. However, in the public-key setting, where the same public key is used for all queries, this hybrid argument no longer works. Thus, we must require that the adversary is allowed to view many query strings (footnote 27). In fact, one could consider even stronger attacks in the public-key setting, which is outside the scope of this work.

The definition of privacy deserves some further discussion. We note that we did not define the ranges of parameters (t, ε) for which the protocol is considered "private". Indeed there are several meaningful ways to define what it means for a protocol to be private. Let us discuss two options and provide corresponding definitions.

i. The first approach is to argue that the resources of the adversary are similar to those of an honest server (we can think of an adversary as a "server gone bad"). Thus, in this approach the adversary can run in polynomial time in N, κ and must still not succeed with non-negligible probability in N, κ. We say that a scheme is (i)-private if it is (p(κ, N), 1/p(κ, N))-private for any polynomial p(·, ·).

ii. The second approach argues that the security parameter is the "real" measure for privacy. Thus the protocol needs to be exponentially secure in the security parameter. Thus a scheme is (ii)-private if it is (2^{Ω(κ)}, 2^{−Ω(κ)})-private.

5.2 PIR via Somewhat Homomorphic and Symmetric Encryption

In this section we describe a generic PIR protocol that uses a somewhat homomorphic encryption and an arbitrary symmetric encryption as building blocks. This protocol has the useful property that the somewhat homomorphic scheme is not used to encrypt the index to the database. Rather, we use the symmetric scheme to encrypt the index, and have the server homomorphically decrypt it during query evaluation. Thus, the receiver's query can be rather short.

Our PIR protocol relies on two building blocks - a semantically secure symmetric encryption scheme SYM = (SYM.Keygen, SYM.Enc, SYM.Dec) over the message space [N], and a somewhat homomorphic encryption scheme HE = (HE.Keygen, HE.Enc, HE.Dec, HE.Eval). The level of somewhat homomorphism required for the protocol depends on the symmetric scheme being used (in particular, on the decryption complexity of the symmetric scheme). We recall that in Section 4 we get a leveled fully homomorphic scheme without relying on any circular security assumptions; this means that it can be used together with any symmetric scheme. However, a clever selection of the symmetric scheme can make our methodology applicable also to somewhat homomorphic schemes, such as the scheme BTS from Section 4, even without bootstrapping.

We present a protocol PIR = (PIR.Setup, PIR.Query, PIR.Response, PIR.Decode) (as defined in Section 5.1).

• PIR.Setup(1^κ): In the setup procedure, we generate a symmetric key symsk ← SYM.Keygen(1^κ) and keys for the somewhat homomorphic scheme (hpk, hevk, hsk) ← HE.Keygen(1^κ).

27 We feel that our definition captures the essence of an attack on a PIR protocol more than the standard one-time definition, even in the usual setting. As we mention above, converting between the definitions incurs a linear blowup in the adversary's advantage, so a (t, ε)-private scheme according to the old definition is only (t, tε)-private according to ours.
The symmetric key is then encrypted using the homomorphic public key to create a ciphertext

    c_symsk ← HE.Enc_hpk(symsk) .

We note that if HE is a bit encryption scheme, then symsk is encrypted bit by bit.

The setup procedure then outputs the public parameters

    params := (hevk, c_symsk) ,

and the secret state

    setupstate := (hpk, hsk, symsk) .

• PIR.Query(1^κ, setupstate, i): To generate a query string, we just encrypt i using the symmetric scheme. Recall that setupstate = (hpk, hsk, symsk); then

    query ← SYM.Enc_symsk(i) .

In our scheme, no additional information needs to be saved per query: qstate := φ.

• PIR.Response(1^κ, DB, params, query): Upon receiving a query, a response is computed as follows. Recall that params = (hevk, c_symsk) and consider the function h defined as follows:

    h(x) = DB[SYM.Dec(x, query)] ,

namely the function h uses its input as a symmetric key to decrypt the query, and then uses the plaintext to index the database and retrieve the appropriate value. Note that h(symsk) = DB[i], where i is the index embedded in query.

While PIR.Response does not know symsk, it does know c_symsk and thus can homomorphically evaluate h(symsk) and set

    resp ← HE.Eval_hevk(h, c_symsk) .

Note that resp should correspond to a decryptable ciphertext of DB[i].

• PIR.Decode(1^κ, setupstate, qstate, resp): We recall that setupstate = (hpk, hsk, symsk) and that qstate is null. To decode the answer to the query, we decrypt the ciphertext associated with resp, outputting

    b ← HE.Dec_hsk(resp) .
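The four steps above run end to end, as an added example that is not code from the report. Two stand-in building blocks are assumed so that it runs offline. HE is a placeholder somewhat homomorphic scheme in which a ciphertext is a polynomial c(x) over Z_Q with c(s) = 2e + m (mod Q): homomorphic addition and multiplication are polynomial addition and multiplication, so the degree and the noise grow with the evaluated circuit, there is no relinearization, and hevk is empty; a single scalar secret s gives it no real security, and a symmetric-key HE suffices only because the client runs Setup and holds every key. SYM is a one-time pad on the log N index bits (query = i XOR symsk), which is secure for a single query only; privacy across many queries needs a many-time CPA-secure SYM such as the LWE-based scheme of Section 5.3. The 16-bit database is constructed for the example. The server computes h exactly as the text describes: it XORs the known query bits into c_symsk to obtain encrypted index bits, builds 1_{i=j} as a product tree over those bits, and sums DB[j] · 1_{i=j} over j.

```python
"""Toy end-to-end run of the generic PIR protocol of Section 5.2 (added example).

HE  : placeholder somewhat homomorphic scheme. A ciphertext is a polynomial c(x)
      over Z_Q with c(s) = 2e + m (mod Q); homomorphic add/mul are polynomial
      add/mul, so degree and noise grow with the circuit (no relinearisation,
      hevk is empty). A scalar secret s gives NO real security: toy only.
SYM : one-time pad on the log N index bits, query = i XOR symsk (one use only).
"""
import random

Q = (1 << 61) - 1        # ciphertext modulus (toy value, far above the noise)


def he_keygen(rng):
    return rng.randrange(1, Q)                # hsk = s; no hpk/hevk in this toy

def he_enc(s, m, rng):
    """Encrypt bit m as c(x) = b - a*x with b = a*s + 2e + m, so c(s) = 2e + m."""
    a = rng.randrange(Q)
    e = rng.choice((-1, 0, 1))
    return [(a * s + 2 * e + m) % Q, (-a) % Q]   # coefficients, lowest degree first

def he_add(c1, c2):
    n = max(len(c1), len(c2))
    c1, c2 = c1 + [0] * (n - len(c1)), c2 + [0] * (n - len(c2))
    return [(x + y) % Q for x, y in zip(c1, c2)]

def he_mul(c1, c2):
    """Polynomial product: (c1*c2)(s) = c1(s)*c2(s), so the noises multiply."""
    out = [0] * (len(c1) + len(c2) - 1)
    for i, x in enumerate(c1):
        for j, y in enumerate(c2):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def he_dec(s, c):
    """Evaluate c(s) mod Q (Horner), centre into (-Q/2, Q/2], return the parity."""
    v = 0
    for coef in reversed(c):
        v = (v * s + coef) % Q
    if v > Q // 2:
        v -= Q
    return v % 2

def he_xor_const(c, bit):
    """Encrypted XOR with a plaintext bit: c itself if bit == 0, else 1 - c."""
    if not bit:
        return c
    return [(1 - c[0]) % Q] + [(-x) % Q for x in c[1:]]

def he_product(cs):
    """Balanced multiplication tree of depth log2(len(cs)), i.e. a comparison tree."""
    while len(cs) > 1:
        cs = [he_mul(cs[k], cs[k + 1]) if k + 1 < len(cs) else cs[k]
              for k in range(0, len(cs), 2)]
    return cs[0]


def pir_setup(nbits, rng):
    symsk = [rng.randrange(2) for _ in range(nbits)]        # SYM.Keygen
    hsk = he_keygen(rng)                                     # HE.Keygen
    c_symsk = [he_enc(hsk, b, rng) for b in symsk]           # symsk encrypted bit by bit
    return c_symsk, (hsk, symsk)                             # params, setupstate

def pir_query(setupstate, i, nbits):
    """SYM.Enc_symsk(i): the query is only log N bits long; qstate is empty."""
    _, symsk = setupstate
    return [((i >> b) & 1) ^ symsk[b] for b in range(nbits)]

def pir_response(db, params, query):
    """Homomorphically evaluate h(symsk) = DB[SYM.Dec(symsk, query)]."""
    c_ibits = [he_xor_const(c, qb) for c, qb in zip(params, query)]  # SYM.Dec in the HE
    resp = [0]                                               # noise-free encryption of 0
    for j, bit in enumerate(db):
        if bit == 0:
            continue                                         # DB[j] * 1_{i=j} = 0
        factors = [c if (j >> b) & 1 else he_xor_const(c, 1)  # (i_b == j_b) per bit
                   for b, c in enumerate(c_ibits)]
        resp = he_add(resp, he_product(factors))             # collation: sum over j
    return resp

def pir_decode(setupstate, resp):
    hsk, _ = setupstate
    return he_dec(hsk, resp)                                 # HE.Dec_hsk(resp)

def pir_run(db, i, seed=0):
    """One complete query against a bit database DB; returns the decoded DB[i]."""
    rng = random.Random(seed)
    nbits = max(1, (len(db) - 1).bit_length())               # log N
    params, state = pir_setup(nbits, rng)
    query = pir_query(state, i, nbits)
    return pir_decode(state, pir_response(db, params, query))


if __name__ == "__main__":
    DB = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1]   # constructed 16-bit DB
    assert all(pir_run(DB, i, seed=i) == DB[i] for i in range(len(DB)))
    print("all", len(DB), "indices decoded correctly")
```

The noise budget is what makes the toy work: fresh ciphertexts carry |2e + m| ≤ 3, the product tree over log N = 4 bits raises this to at most 81, and the sum over N = 16 entries to at most 1296, all far below Q/2, so the centred value keeps the right parity. The same bookkeeping, with the depth bound O(log k) + log log N of Lemma 5.4, is what fixes the parameters of BTS in Theorem 5.5.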

Correctness  and  privacy  are  easily  reduced  to  those  of  the  underlying  primitives  in  the  following 
lemmas. 

Lemma 5.1 (correctness). If our symmetric scheme SYM and our somewhat homomorphic scheme HE are correct, and if the somewhat homomorphic scheme can evaluate the function h defined above, then our PIR protocol is correct.

Proof. Since HE is correct with regard to homomorphic evaluation, with all but negligible probability b = h(symsk). Since SYM is correct, it follows that h(symsk) = DB[i] with all but negligible probability. □
Lemma 5.2 (privacy). If our somewhat homomorphic scheme HE is (t · poly(κ), ε_1)-CPA secure and our symmetric scheme SYM is (t + poly(κ), ε_2)-CPA secure, then our PIR protocol is (t, 2(ε_1 + ε_2))-private.

Proof. We prove this by a series of hybrids (or experiments). Let A be an adversary that runs in time t against the privacy of our protocol and has advantage ε. We consider the behavior of A in a number of hybrids H_0, H_1, H_2 as defined below. We let Adv_{H_i}[A] denote the advantage of A in hybrid H_i.

• Hybrid H_0. This is identical to the original privacy game of the scheme. By definition

    Adv_{H_0}[A] = ε .

• Hybrid H_1. We now change the game so that instead of computing c_symsk ← HE.Enc_hpk(symsk) in PIR.Setup, we set c_symsk ← HE.Enc_hpk(0).

There exists an adversary B for the CPA-security of the somewhat homomorphic scheme that runs in time t · poly(κ) and whose advantage is

    CPAAdv[B] = (1/2) · |Adv_{H_0}[A] - Adv_{H_1}[A]| .

It follows that

    |Adv_{H_0}[A] - Adv_{H_1}[A]| ≤ 2ε_1 .

• Hybrid H_2. We now change the game so that instead of setting query_ℓ ← SYM.Enc_symsk(i_ℓ) in PIR.Query, we set query_ℓ ← SYM.Enc_symsk(0) for all ℓ ∈ [1 . . . t].

There exists an adversary C for the CPA-security of the symmetric scheme that runs in time t + poly(κ) and whose advantage is

    CPAAdv[C] = (1/2) · |Adv_{H_1}[A] - Adv_{H_2}[A]| .

It follows that

    |Adv_{H_1}[A] - Adv_{H_2}[A]| ≤ 2ε_2 .

However, in H_2 the view of the adversary is independent of the queried indices. Therefore

    Adv_{H_2}[A] = 0 .

It follows that ε ≤ 2(ε_1 + ε_2), as required. □

Lastly, let us analyze the communication complexity of our protocol. It follows by definition that the query size is the length of an encryption of a log N-bit message (the index i ∈ [N]) using our symmetric scheme, and the response is the encryption of a single bit using our somewhat homomorphic scheme.

5.3  Instantiating  the  Components:  The  PIR  Protocol 

We  show  how  to  implement  the  primitives  required  in  Section  5.2  in  two  different  ways. 
An Explicit LWE-Based Solution. The first idea is to use an optimized, symmetric-key LWE-based encryption as the symmetric encryption scheme in the PIR protocol, together with our scheme BTS as the homomorphic scheme. Specifically, using the same parameters k, p as in our bootstrappable scheme, we get a symmetric scheme whose decryption is almost identical to that of our bootstrappable scheme.

In particular, we apply an optimization of [PVW08, ACPS09] to get ciphertexts of length O(log N) + O(k log k) to encrypt the log N bits of the index. Roughly speaking, the optimization is based on two observations. First, rather than encrypting a single bit using an element of Z_p, we can "pack in" O(log p) bits, if we set the error in the LWE instances to be correspondingly smaller (but still a 1/poly(k) fraction of p). Secondly, observe that in a symmetric ciphertext (v, w) ∈ Z_p^k × Z_p, most of the space is consumed by the vector v. The observation of [PVW08, ACPS09] is that v can be re-used to encrypt multiple messages using different secret keys s_1, . . . , s_ℓ. Using these optimizations, the resulting PIR protocol has query length O(k log k + log N) bits and response length O(k log k) for k = poly(κ). The following corollary summarizes the properties of this scheme.

Corollary 5.3 ([PVW08, ACPS09]). Let p, k, χ be as in Theorem 4.2. Then there exists a DLWE_{k,p,χ}-secure symmetric encryption scheme whose ciphertext length is O(k log k + l) for l-bit messages, and whose decryption circuit has the same depth as that of BTS.Dec.
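The packing optimization just described, as an added toy-parameter implementation (not the report's code): the index is cut into B-bit chunks, each chunk m_j is scaled by Δ = p/2^B and encrypted under its own secret s_j as w_j = ⟨v, s_j⟩ + e_j + m_j·Δ (mod p), and a single vector v is shared by all chunks, so the ciphertext (v, w_1, . . . , w_ℓ) costs (k + ℓ) log p bits instead of log N · (k + 1) log p bits for bit-by-bit encryption. The values p = 2^32 - 5, B = 8, k = 64 and the noise bound 64 are assumed placeholders far below any real security level; they only make the size comparison concrete (a 20-bit index costs (64 + 3) · 32 = 2144 bits instead of 20 · 65 · 32 = 41600). The comparison routine for the unpacked cost is also added for illustration.

```python
"""Packed symmetric LWE encryption in the style of [PVW08, ACPS09] (added example).

An nbits-bit index is split into chunks of B bits. One vector v in Z_p^k is
shared by all chunks; chunk j is encrypted under its own secret s_j as
    w_j = <v, s_j> + e_j + m_j * Delta   (mod p),   Delta = p / 2^B,
so the ciphertext (v, w_1, ..., w_l) costs (k + l) log p bits rather than
nbits * (k + 1) log p bits for bit-by-bit LWE encryption. All parameters below
are assumed toy values far below any real security level.
"""
import random

P = (1 << 32) - 5            # modulus p (assumed toy value)
B = 8                        # bits packed per Z_p element, B = O(log p)
DELTA = P // (1 << B)        # message scaling p / 2^B
NOISE = 64                   # bound on |e|; correctness needs |e| < DELTA / 2
K = 64                       # LWE dimension k (toy)
LOG_P = P.bit_length()       # bits per Z_p element


def num_chunks(nbits):
    return -(-nbits // B)                      # ceil(nbits / B)

def sym_keygen(nbits, seed):
    """One independent secret s_j in Z_p^k per chunk. Sharing v is only safe
    because each chunk uses its own secret; under one secret, w_j - w_j' would
    leak (m_j - m_j') * Delta plus a small error."""
    rng = random.Random(seed)
    return [[rng.randrange(P) for _ in range(K)] for _ in range(num_chunks(nbits))]

def dot(u, w):
    return sum(x * y for x, y in zip(u, w)) % P

def sym_enc(keys, index, seed):
    """SYM.Enc: a single shared v and one w_j per B-bit chunk of the index."""
    rng = random.Random(seed)
    v = [rng.randrange(P) for _ in range(K)]
    ws = []
    for j, s in enumerate(keys):
        m = (index >> (B * j)) & ((1 << B) - 1)
        e = rng.randint(-NOISE, NOISE)
        ws.append((dot(v, s) + e + m * DELTA) % P)
    return v, ws

def sym_dec(keys, ct):
    """SYM.Dec: remove <v, s_j>, round to the nearest multiple of DELTA, reassemble."""
    v, ws = ct
    index = 0
    for j, (s, w) in enumerate(zip(keys, ws)):
        x = (w - dot(v, s)) % P                          # m*DELTA + e, maybe wrapped
        m = ((2 * x + DELTA) // (2 * DELTA)) % (1 << B)  # integer round(x / DELTA)
        index |= m << (B * j)
    return index

def ciphertext_bits(ct):
    v, ws = ct
    return (len(v) + len(ws)) * LOG_P

def bit_by_bit_bits(nbits):
    """Cost of nbits separate LWE ciphertexts (a, <a,s> + noise + bit), one bit each."""
    return nbits * (K + 1) * LOG_P

def roundtrip(index, nbits, seed):
    keys = sym_keygen(nbits, seed)
    return sym_dec(keys, sym_enc(keys, index, seed + 1))


if __name__ == "__main__":
    nbits = 20                                   # database of N = 2^20 entries
    keys = sym_keygen(nbits, seed=7)
    ct = sym_enc(keys, 0xABCDE, seed=8)
    print(hex(sym_dec(keys, ct)), ciphertext_bits(ct), bit_by_bit_bits(nbits))
```

The decryption of each chunk is the same "inner product, subtract, round" circuit as for a one-bit LWE ciphertext, only with a finer rounding grid, which is why Corollary 5.3 can keep the depth of BTS.Dec while the noise must shrink by the factor 2^B.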

Recall the analysis of BTS from Section 4. We can prove that the function h can be evaluated homomorphically.

Lemma 5.4. Let SYM be the scheme from Corollary 5.3. Then h(x) = DB[SYM.Dec_x(query)] is such that h ∈ Arith[O(log k) + log log N, N].

Proof. We implement h as follows. First, we decrypt the value of query to obtain an index i. Then, we compute the function Σ_{j∈[N]} 1_{i=j} · DB[j]. The decryption circuit is implemented in depth O(log k) as in Lemma 4.5. The function 1_{i=j} is implemented using a comparison tree of depth log log N. Finally, a collation gate of fan-in N is used to compute the final sum. The result follows. □

This means that we can choose n to be large enough such that h can be evaluated by BTS.

Theorem 5.5. There exists a PIR protocol with communication complexity O(k log k + log N) based on the DLWE_{n,q,χ} and DLWE_{k,p,χ} assumptions, for n = poly(κ) and the remainder of the parameters as in Theorem 4.2.

Proof. We choose n such that L = Ω(ε log n) ≥ O(log k) + log log N and such that √q = 2^{n^ε/2} ≥ N. This results in n = poly(k, log N) (recall that the communication complexity depends only on k). The result follows from Theorem 4.2 and Theorem 4.3. □

For the best currently known attacks on LWE (see [MR09, LP11, RS10]), this protocol is 2^{Ω(k/polylog(k))}-private, i.e. both the time bound and the inverse advantage are 2^{Ω(k/polylog(k))}. Thus, going back to our definitions in Section 5.1, and setting k = κ · polylog(κ), we get a (ii)-private PIR scheme with a total communication complexity of O(log N) + O(κ · polylog(κ)); and a (i)-private scheme with communication complexity log N · polyloglog(N) by setting k = log N · polyloglog(N) = ω(log N).
An Almost Optimal Solution Using Pseudorandom Functions. A second instantiation aims to bring the (ii)-private communication complexity down to log N + κ · polylog(κ). This can be done by instantiating the symmetric encryption scheme above with an optimal symmetric encryption scheme with ciphertexts of length log N + κ · polylog(κ). Such a scheme follows immediately given any pseudo-random function (PRF).

If we want to base security solely on LWE, we can use the LWE-based PRF that is obtained by applying the GGM transformation [GGM86] to an LWE-based pseudorandom generator. Note that with such an instantiation we cannot argue that h ∈ Arith[L, T] for reasonable L, T (since the complexity of evaluating the PRF might be high). However, we can use our leveled fully homomorphic scheme to support the required circuit depth of any function, and in particular of the aforementioned PRF.

The Complexity of Transmitting the Public Parameters. Finally, we note that the parameters produced in the setup phase of our protocol are of length poly(κ). Thus our protocol can be trivially modified to work in a setting without setup, with communication complexity log N + poly(κ) (under the (ii)-private notion) and polylog(N) (under the (i)-private notion).


References

[ABB10] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In EUROCRYPT, pages 553-572, 2010.

[ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Shai Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 595-618. Springer, 2009.

[AGV09] Adi Akavia, Shafi Goldwasser, and Vinod Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In Omer Reingold, editor, TCC, volume 5444 of Lecture Notes in Computer Science, pages 474-495. Springer, 2009.

[Ajt98] Miklos Ajtai. The shortest vector problem in L_2 is NP-hard for randomized reductions (extended abstract). In STOC, pages 10-19, 1998.

[AKS01] Miklos Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In STOC, pages 601-610, 2001.

[BGN05] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-DNF formulas on ciphertexts. In Theory of Cryptography - TCC'05, volume 3378 of Lecture Notes in Computer Science, pages 325-341. Springer, 2005.

[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-LWE and security for key dependent messages. In CRYPTO, 2011. To appear.

[CHKP10] David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. In EUROCRYPT, pages 523-552, 2010.

[CMS99] Christian Cachin, Silvio Micali, and Markus Stadler. Computationally private information retrieval with polylogarithmic communication. In EUROCRYPT, pages 402-414, 1999.

[DGHV10] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In EUROCRYPT, pages 24-43, 2010. Full version in http://eprint.iacr.org/2009/616.pdf.

[Gen09a] Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. crypto.stanford.edu/craig.

[Gen09b] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169-178, 2009.

[Gen10] Craig Gentry. Toward basing fully homomorphic encryption on worst-case hardness. In CRYPTO, pages 116-137, 2010.

[GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4):792-807, 1986.

[GH11a] Craig Gentry and Shai Halevi. Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. Cryptology ePrint Archive, Report 2011/279, 2011. http://eprint.iacr.org/2011/279.

[GH11b] Craig Gentry and Shai Halevi. Implementing Gentry's fully-homomorphic encryption scheme. In Kenneth G. Paterson, editor, EUROCRYPT, volume 6632 of Lecture Notes in Computer Science, pages 129-148. Springer, 2011.

[GHV10a] Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. i-hop homomorphic encryption and rerandomizable Yao circuits. In CRYPTO, pages 155-172, 2010.

[GHV10b] Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. A simple BGN-type cryptosystem from LWE. In EUROCRYPT, pages 506-522, 2010.

[GM82] Shafi Goldwasser and Silvio Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In STOC, pages 365-377. ACM, 1982.

[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Cynthia Dwork, editor, STOC, pages 197-206. ACM, 2008.

[GR05] Craig Gentry and Zulfikar Ramzan. Single-database private information retrieval with constant communication rate. In Luis Caires, Giuseppe F. Italiano, Luis Monteiro, Catuscia Palamidessi, and Moti Yung, editors, ICALP, volume 3580 of Lecture Notes in Computer Science, pages 803-815. Springer, 2005.

[ILL89] Russell Impagliazzo, Leonid A. Levin, and Michael Luby. Pseudo-random generation from one-way functions (extended abstracts). In STOC, pages 12-24. ACM, 1989.

[IP07] Yuval Ishai and Anat Paskin. Evaluating branching programs on encrypted data. In Salil P. Vadhan, editor, TCC, volume 4392 of Lecture Notes in Computer Science, pages 575-594. Springer, 2007.

[Lip05] Helger Lipmaa. An oblivious transfer protocol with log-squared communication. In Jianying Zhou, Javier Lopez, Robert H. Deng, and Feng Bao, editors, ISC, volume 3650 of Lecture Notes in Computer Science, pages 314-328. Springer, 2005.

[LLL82] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:515-534, 1982. 10.1007/BF01457454.

[LP11] Richard Lindner and Chris Peikert. Better key sizes (and attacks) for LWE-based encryption. In Aggelos Kiayias, editor, CT-RSA, volume 6558 of Lecture Notes in Computer Science, pages 319-339. Springer, 2011.

[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. In EUROCRYPT, pages 1-23, 2010. Draft of full version was provided by the authors.

[MGH10] Carlos Aguilar Melchor, Philippe Gaborit, and Javier Herranz. Additively homomorphic encryption with d-operand multiplications. In CRYPTO, pages 138-154, 2010.

[Mic00] Daniele Micciancio. The shortest vector in a lattice is hard to approximate to within some constant. SIAM J. Comput., 30(6):2008-2035, 2000.

[Mic10] Daniele Micciancio. A first glimpse of cryptography's holy grail. Commun. ACM, 53:96-96, March 2010.

[MR09] Daniele Micciancio and Oded Regev. Lattice-based cryptography. In Post-Quantum Cryptography. Springer, 2009.

[MV10] Daniele Micciancio and Panagiotis Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In Leonard J. Schulman, editor, STOC, pages 351-358. ACM, 2010.

[OS07] Rafail Ostrovsky and William E. Skeith III. A survey of single-database private information retrieval: Techniques and applications. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pages 393-411. Springer, 2007.

[Pai99] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT, pages 223-238, 1999.

[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In STOC, pages 333-342, 2009.

[PVW08] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 554-571. Springer, 2008.

[RAD78] R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages 169-177. Academic Press, 1978.

[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84-93. ACM, 2005.

[RS10] Markus Rückert and Michael Schneider. Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137, 2010. http://eprint.iacr.org/.

[SS10] Damien Stehlé and Ron Steinfeld. Faster fully homomorphic encryption. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 377-394. Springer, 2010.

[SV10] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 420-443. Springer, 2010.

[SYY99] Tomas Sander, Adam Young, and Moti Yung. Non-interactive cryptocomputing for NC^1. In FOCS, pages 554-567, 1999.

Approved for Public Release; Distribution Unlimited.


Fully Homomorphic Encryption without Bootstrapping

Zvika Brakerski (Weizmann Institute of Science)
Craig Gentry* (IBM T.J. Watson Research Center)
Vinod Vaikuntanathan† (University of Toronto)

Abstract

We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry's bootstrapping procedure.

Specifically, we offer a choice of FHE schemes based on the learning with errors (LWE) or ring-LWE (RLWE) problems that have 2^λ security against known attacks. For RLWE, we have:

• A leveled FHE scheme that can evaluate L-level arithmetic circuits with Õ(λ · L^3) per-gate computation - i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure.

• A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is Õ(λ^2), independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).

We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width - e.g., where a constant fraction of levels have width at least λ - we can reduce the per-gate computation of the bootstrapped version to Õ(λ), independent of L, by batching the bootstrapping operation. Previous FHE schemes all required Ω̃(λ^3.5) computation per gate.

At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).
1 Introduction

Ancient History. Fully homomorphic encryption (FHE) [19, 8] allows a worker to receive encrypted data and perform arbitrarily-complex dynamically-chosen computations on that data while it remains encrypted, despite not having the secret decryption key. Until recently, all FHE schemes [8, 6, 20, 10, 5, 4] followed the same blueprint, namely the one laid out in Gentry's original construction [8, 7].

The first step in Gentry's blueprint is to construct a somewhat homomorphic encryption (SWHE) scheme, namely an encryption scheme capable of evaluating "low-degree" polynomials homomorphically. Starting with Gentry's original construction based on ideal lattices [8], there are by now a number of such schemes in the literature [6, 20, 10, 5, 4, 13], all of which are based on lattices (either directly or implicitly). The ciphertexts in all these schemes are "noisy", with a noise that grows slightly during homomorphic addition, and explosively during homomorphic multiplication; hence the limitation to low-degree polynomials.

To obtain FHE, Gentry provided a remarkable bootstrapping theorem which states that given a SWHE scheme that can evaluate its own decryption function (plus an additional operation), one can transform it into a "leveled"1 FHE scheme. Bootstrapping "refreshes" a ciphertext by running the decryption function on it homomorphically, using an encrypted secret key (given in the public key), resulting in reduced noise.

As if by a strange law of nature, SWHE schemes tend to be incapable of evaluating their own decryption circuits (plus some) without significant modifications. (We discuss recent exceptions [9, 3] below.) Thus, the final step is to squash the decryption circuit of the SWHE scheme, namely transform the scheme into one with the same homomorphic capacity but a decryption circuit that is simple enough to allow bootstrapping. Gentry [8] showed how to do this by adding a "hint" - namely, a large set with a secret sparse subset that sums to the original secret key - to the public key and relying on a "sparse subset sum" assumption.

1.1 Efficiency of Fully Homomorphic Encryption

The efficiency of fully homomorphic encryption has been a (perhaps, the) big question following its invention. In this paper, we are concerned with the per-gate computation overhead of the FHE scheme, defined as the ratio between the time it takes to compute a circuit homomorphically and the time it takes to compute it in the clear.2 Unfortunately, FHE schemes that follow Gentry's blueprint (some of which have actually been implemented [10, 5]) have fairly poor performance - their per-gate computation overhead is p(λ), a large polynomial in the security parameter. In fact, we would like to argue that this penalty in performance is somewhat inherent for schemes that follow this blueprint.

First, the complexity of (known approaches to) bootstrapping is inherently at least the complexity of decryption times the bit-length of the individual ciphertexts that are used to encrypt the bits of the secret key. The reason is that bootstrapping involves evaluating the decryption circuit homomorphically - that is, in the decryption circuit, each secret-key bit is replaced by a (large) ciphertext that encrypts that bit - and both the complexity of decryption and the ciphertext lengths must each be Ω(λ).

Second, the undesirable properties of known SWHE schemes conspire to ensure that the real cost of bootstrapping for FHE schemes that follow this blueprint is actually much worse than quadratic. Known FHE schemes start with a SWHE scheme that can evaluate polynomials of degree D (multiplicative depth log D) securely only if the underlying lattice problem is hard to 2^D-approximate in 2^λ time. For this to be hard, the lattice must have dimension Ω(D · λ).3 Moreover, the coefficients of the vectors used in the

1 In a "leveled" FHE scheme, the size of the public key is linear in the depth of the circuits that the scheme can evaluate. One can obtain a "pure" FHE scheme (with a constant-size public key) from a leveled FHE scheme by assuming "circular security" - namely, that it is safe to encrypt the leveled FHE secret key under its own public key. We will omit the term "leveled" in this work.

2 Other measures of efficiency, such as ciphertext/key size and encryption/decryption time, are also important. In fact, the schemes we present in this paper are very efficient in these aspects (as are the schemes in [9, 3]).

3 This is because we have lattice algorithms in n dimensions that compute 2^{n/λ}-approximations of short vectors in time 2^{Õ(λ)}.
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scheme  have  bit  length  f 1(D)  to  allow  the  ciphertext  noise  room  to  expand  to  2D .  Therefore,  the  size  of 
“fresh”  ciphertexts  (e.g.,  those  that  encrypt  the  bits  of  the  secret  key)  is  (l(D2  ■  A).  Since  the  SWHE  scheme 
must  be  “bootstrappable”  -  i.e.,  capable  of  evaluating  its  own  decryption  function  -  D  must  exceed  the 
degree  of  the  decryption  function.  Typically,  the  degree  of  the  decryption  function  is  fl(A).  Thus,  overall, 
“fresh”  ciphertexts  have  size  I2(A3).  So,  the  real  cost  of  bootstrapping  -  even  if  we  optimistically  assume 
that  the  “stale”  ciphertext  that  needs  to  be  refreshed  can  be  decrypted  in  only  0(A)-time  -  is  (l ( A4 ) . 

The  analysis  above  ignores  a  nice  optimization  by  Stehle  and  Steinfeld  [22],  which  so  far  has  not  been 
useful  in  practice,  that  uses  Chernoff  bounds  to  asymptotically  reduce  the  decryption  degree  down  to  0(V A). 
With  this  optimization,  the  per-gate  computation  of  FHE  schemes  that  follow  the  blueprint  is  <2 (A3). 4 

Recent  Deviations  from  Gentry’s  Blueprint,  and  the  Hope  for  Better  Efficiency.  Recently,  Gentry  and 
Halevi  [9],  and  Brakerski  and  Vaikuntanathan  [3],  independently  found  very  different  ways  to  construct  FHE 
without  using  the  squashing  step,  and  thus  without  the  sparse  subset  sum  assumption.  These  schemes  are  the 
first  major  deviations  from  Gentry’s  blueprint  for  FHE.  Brakerski  and  Vaikuntanathan  [3]  manage  to  base 
security  entirely  on  LWE  (for  sub-exponential  approximation  factors),  avoiding  reliance  on  ideal  lattices. 

From  an  efficiency  perspective,  however,  these  results  are  not  a  clear  win  over  previous  schemes.  Both  of 
the  schemes  still  rely  on  the  problematic  aspects  of  Gentry’s  blueprint  -  namely,  bootstrapping  and  an  SWHE 
scheme  with  the  undesirable  properties  discussed  above.  Thus,  their  per-gate  computation  is  still  H(A4)  (in 
fact,  that  is  an  optimistic  evaluation  of  their  performance).  Nevertheless,  the  techniques  introduced  in  these 
recent  constructions  arc  very  interesting  and  useful  to  us.  In  particular,  we  use  the  tools  and  techniques 
introduced  by  Brakerski  and  Vaikuntanathan  [3]  in  an  essential  way  to  achieve  remarkable  efficiency  gains. 

An  important,  somewhat  orthogonal  question  is  the  strength  of  assumptions  underlying  FHE  schemes. 
All  the  schemes  so  far  rely  on  the  hardness  of  short  vector  problems  on  lattices  with  a  subexponential 
approximation  factor.  Can  we  base  FHE  on  polynomial  hardness  assumptions? 

1.2  Our  Results  and  Techniques 

We  leverage  Brakerski  and  Vaikuntanathan ’s  techniques  [3]  to  achieve  asymptotically  very  efficient  FHE 
schemes.  Also,  we  base  security  on  lattice  problems  with  quasi-polynomial  approximation  factors.  (Previ¬ 
ous  schemes  all  used  sub-exponential  factors.)  In  particular,  we  have  the  following  theorem  (informal): 

• Assuming Ring LWE for an approximation factor exponential in $L$, we have a leveled FHE scheme that can evaluate $L$-level arithmetic circuits without using bootstrapping. The scheme has $\tilde{O}(\lambda \cdot L^3)$ per-gate computation (namely, quasi-linear in the security parameter).

• Alternatively, assuming Ring LWE is hard for quasi-polynomial factors, we have a leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\lambda^2)$, independent of $L$.

We  can  alternatively  base  security  on  LWE,  albeit  with  worse  performance.  We  now  sketch  our  main  idea 
for  boosting  efficiency. 

In the BV scheme [3], like ours, a ciphertext vector $\mathbf{c} \in R^n$ (where $R$ is a ring, and $n$ is the "dimension" of the vector) that encrypts a message $m$ satisfies the decryption formula $m = [[\langle \mathbf{c}, \mathbf{s}\rangle]_q]_2$, where $\mathbf{s} \in R^n$ is the secret key vector, $q$ is an odd modulus, and $[\cdot]_q$ denotes reduction into the range $(-q/2, q/2)$. This is an abstract scheme that can be instantiated with either LWE or Ring LWE: in the LWE instantiation, $R$ is the ring of integers mod $q$ and $n$ is a large dimension, whereas in the Ring LWE instantiation, $R$ is the ring of polynomials over integers mod $q$ and an irreducible $f(x)$, and the dimension $n = 1$.

4 We note that bootstrapping lazily, i.e., applying the refresh procedure only at a $1/k$ fraction of the circuit levels for $k > 1$, cannot reduce the per-gate computation further by more than a logarithmic factor for schemes that follow this blueprint, since these SWHE schemes can evaluate only $\log$ multiplicative depth before it becomes absolutely necessary to refresh, i.e., $k = O(\log \lambda)$.
We will call $[\langle \mathbf{c}, \mathbf{s}\rangle]_q$ the noise associated to ciphertext $\mathbf{c}$ under key $\mathbf{s}$. Decryption succeeds as long as the magnitude of the noise stays smaller than $q/2$. Homomorphic addition and multiplication increase the noise in the ciphertext. Addition of two ciphertexts with noise at most $B$ results in a ciphertext with noise at most $2B$, whereas multiplication results in a noise as large as $B^2$.5 We will describe a noise-management technique that keeps the noise in check by reducing it after homomorphic operations, without bootstrapping.

The  key  technical  tool  we  use  for  noise  management  is  the  “modulus  switching”  technique  developed  by 
Brakerski  and  Vaikuntanathan  [3].  Jumping  ahead,  we  note  that  while  they  use  modulus  switching  in  “one 
shot”  to  obtain  a  small  ciphertext  (to  which  they  then  apply  Gentry’s  bootstrapping  procedure),  we  will  use 
it  (iteratively,  gradually)  to  keep  the  noise  level  essentially  constant,  while  stingily  sacrificing  modulus  size 
and  gradually  sacrificing  the  remaining  homomorphic  capacity  of  the  scheme. 

Modulus Switching. The essence of the modulus-switching technique is captured in the following lemma. In words, the lemma says that an evaluator, who does not know the secret key $\mathbf{s}$ but instead only knows a bound on its length, can transform a ciphertext $\mathbf{c}$ modulo $q$ into a different ciphertext $\mathbf{c}'$ modulo $p$ while preserving correctness, namely $[\langle \mathbf{c}', \mathbf{s}\rangle]_p = [\langle \mathbf{c}, \mathbf{s}\rangle]_q \bmod 2$. The transformation from $\mathbf{c}$ to $\mathbf{c}'$ involves simply scaling by $(p/q)$ and rounding appropriately! Most interestingly, if $\mathbf{s}$ is short and $p$ is sufficiently smaller than $q$, the "noise" in the ciphertext actually decreases, namely $|[\langle \mathbf{c}', \mathbf{s}\rangle]_p| < |[\langle \mathbf{c}, \mathbf{s}\rangle]_q|$.

Lemma 1. Let $p$ and $q$ be two odd moduli, and let $\mathbf{c}$ be an integer vector. Define $\mathbf{c}'$ to be the integer vector closest to $(p/q) \cdot \mathbf{c}$ such that $\mathbf{c}' = \mathbf{c} \bmod 2$. Then, for any $\mathbf{s}$ with $|[\langle \mathbf{c}, \mathbf{s}\rangle]_q| < q/2 - (q/p) \cdot \ell_1(\mathbf{s})$, we have

$[\langle \mathbf{c}', \mathbf{s}\rangle]_p = [\langle \mathbf{c}, \mathbf{s}\rangle]_q \bmod 2$ and $|[\langle \mathbf{c}', \mathbf{s}\rangle]_p| < (p/q) \cdot |[\langle \mathbf{c}, \mathbf{s}\rangle]_q| + \ell_1(\mathbf{s})$,

where $\ell_1(\mathbf{s})$ is the $\ell_1$-norm of $\mathbf{s}$.

Proof. For some integer $k$, we have $[\langle \mathbf{c}, \mathbf{s}\rangle]_q = \langle \mathbf{c}, \mathbf{s}\rangle - kq$. For the same $k$, let $e_p = \langle \mathbf{c}', \mathbf{s}\rangle - kp \in \mathbb{Z}$. Since $\mathbf{c}' = \mathbf{c}$ and $p = q$ modulo 2, we have $e_p = [\langle \mathbf{c}, \mathbf{s}\rangle]_q \bmod 2$. Therefore, to prove the lemma, it suffices to prove that $e_p = [\langle \mathbf{c}', \mathbf{s}\rangle]_p$ and that it has small enough norm. We have $e_p = (p/q)[\langle \mathbf{c}, \mathbf{s}\rangle]_q + \langle \mathbf{c}' - (p/q)\mathbf{c}, \mathbf{s}\rangle$; since every coefficient of $\mathbf{c}' - (p/q)\mathbf{c}$ has magnitude at most 1, this gives $|e_p| \le (p/q)|[\langle \mathbf{c}, \mathbf{s}\rangle]_q| + \ell_1(\mathbf{s}) < p/2$. The latter inequality implies $e_p = [\langle \mathbf{c}', \mathbf{s}\rangle]_p$. □

Amazingly,  this  trick  permits  the  evaluator  to  reduce  the  magnitude  of  the  noise  without  knowing  the 
secret  key,  and  without  bootstrapping.  In  other  words,  modulus  switching  gives  us  a  very  powerful  and 
lightweight  way  to  manage  the  noise  in  FHE  schemes!  In  [3],  the  modulus  switching  technique  is  bundled 
into  a  “dimension  reduction”  procedure,  and  we  believe  it  deserves  a  separate  name  and  close  scrutiny.  It  is 
also  worth  noting  that  our  use  of  modulus  switching  does  not  require  an  “evaluation  key”,  in  contrast  to  [3]. 

Our  New  Noise  Management  Technique.  At  first,  it  may  look  like  modulus  switching  is  not  a  very 
effective  noise  management  tool.  If  p  is  smaller  than  q,  then  of  course  modulus  switching  may  reduce 
the  magnitude  of  the  noise,  but  it  reduces  the  modulus  size  by  essentially  the  same  amount.  In  short,  the 
ratio  of  the  noise  to  the  “noise  ceiling”  (the  modulus  size)  does  not  decrease  at  all.  Isn’t  this  ratio  what 
dictates  the  remaining  homomorphic  capacity  of  the  scheme,  and  how  can  potentially  worsening  (certainly 
not  improving)  this  ratio  do  anything  useful? 

In fact, it's not just the ratio of the noise to the "noise ceiling" that's important. The absolute magnitude of the noise is also important, especially in multiplications. Suppose that $q \approx x^k$, and that you have two mod-$q$ SWHE ciphertexts with noise of magnitude $x$. If you multiply them, the noise becomes $x^2$. After 4 levels of multiplication, the noise is $x^{16}$. If you do another multiplication at this point, you reduce the ratio of the noise ceiling (i.e. $q$) to the noise level by a huge factor of $x^{16}$, i.e., you reduce this gap very fast. Thus, the actual magnitude of the noise impacts how fast this gap is reduced. After only $\log k$ levels of multiplication, the noise level reaches the ceiling.

5 The noise after multiplication is in fact a bit larger than $B^2$ due to the additional noise from the BV "re-linearization" process. For the purposes of this exposition, it is best to ignore this minor detail.

Now, consider the following alternative approach. Choose a ladder of gradually decreasing moduli $\{q_i \approx q/x^i\}$ for $i < k$. After you multiply the two mod-$q$ ciphertexts, switch the ciphertext to the smaller modulus $q_1 = q/x$. As the lemma above shows, the noise level of the new ciphertext (now with respect to the modulus $q_1$) goes from $x^2$ back down to $x$. (Let's suppose for now that $\ell_1(\mathbf{s})$ is small in comparison to $x$ so that we can ignore it.) Now, when we multiply two ciphertexts (wrt modulus $q_1$) that have noise level $x$, the noise again becomes $x^2$, but then we switch to modulus $q_2$ to reduce the noise back to $x$. In short, each level of multiplication only reduces the ratio (noise ceiling)/(noise level) by a factor of $x$ (not something like $x^{16}$). With this new approach, we can perform about $k$ (not just $\log k$) levels of multiplication before we reach the noise ceiling. We have just increased (without bootstrapping) the number of multiplicative levels that we can evaluate by an exponential factor!

This exponential improvement is enough to achieve leveled FHE without bootstrapping. For any polynomial $k$, we can evaluate circuits of depth $k$. The performance of the scheme degrades with $k$ (e.g., we need to set $q = q_0$ to have bit length proportional to $k$), but it degrades only polynomially with $k$.

Our main observation, the key to obtaining FHE without bootstrapping, is so simple that it is easy to miss and bears repeating: We get noise reduction automatically via modulus switching, and by carefully calibrating our ladder of moduli $\{q_i\}$, one modulus for each circuit level, to be decreasing gradually, we can keep the noise level very small and essentially constant from one level to the next while only gradually sacrificing the size of our modulus until the ladder is used up. With this approach, we can efficiently evaluate arbitrary polynomial-size arithmetic circuits without resorting to bootstrapping.
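The following script is an added illustration, not code from the paper, of two things discussed above: the modulus-switching transformation of Lemma 1 (scale by $p/q$, round to the closest integer of the same parity, and check both the parity claim and the noise bound) and the ladder of moduli $q_i \approx q/x^i$. It uses the LWE instantiation $R = \mathbb{Z}$ with toy parameters that are the example's own assumptions: a secret key $\mathbf{s} = (1, \mathbf{s}')$ with $\mathbf{s}' \in \{-1,0,1\}^4$, noise $x = 2^8$, $q = x^8$ with every modulus on the ladder made odd, and, since homomorphic multiplication is only introduced in Section 3, the noise of a product is emulated by building a fresh ciphertext that carries the squared noise. Function names are hypothetical.

```python
"""Modulus switching (Lemma 1) and the ladder of moduli, LWE instantiation (R = Z).
Added illustration, not the paper's code.  Assumptions (not from the paper): toy
parameters, s' in {-1,0,1}^n, and product noise emulated by constructing a fresh
ciphertext whose noise is the square of the current one."""
import random

rng = random.Random(7)
N_DIM = 4  # n: length of s'; the key s = (1, s') has n + 1 entries


def centred(x, q):
    """[x]_q: reduce x into the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def l1_norm(s):
    return sum(abs(v) for v in s)


def toy_secret_key(n=N_DIM):
    """s = (1, s') with s' uniform in {-1,0,1}^n (toy assumption)."""
    return [1] + [rng.choice((-1, 0, 1)) for _ in range(n)]


def make_ciphertext(s, q, m, e):
    """Directly build c = (b, -a) with b = <a, s'> + 2e + m (mod q), so that
    [<c, s>]_q = 2e + m whenever |2e + m| < q/2.  No public key needed."""
    a = [rng.randrange(q) for _ in s[1:]]
    b = (sum(ai * si for ai, si in zip(a, s[1:])) + 2 * e + m) % q
    return [b] + [(-ai) % q for ai in a]


def noise(c, s, q):
    """[<c, s>]_q, the noise associated to c under s (it carries the message bit)."""
    return centred(sum(ci * si for ci, si in zip(c, s)), q)


def mod_switch(c, q, p):
    """Lemma 1: c' is the integer vector closest to (p/q)*c with c' = c (mod 2).
    Parity is taken on the integer representatives in [0, q) that c is stored with."""
    out = []
    for ci in c:
        lo = (ci * p) // q  # floor((p/q) * ci), exact integer arithmetic
        out.append(lo if (lo - ci) % 2 == 0 else lo + 1)
    return out


def switch_and_check(c, s, q, p):
    """Switch c from modulus q to p and report whether Lemma 1's two claims hold:
    the noise keeps its parity (decryption unchanged) and
    |[<c',s>]_p| <= (p/q) |[<c,s>]_q| + l1(s), compared without floating point."""
    c2 = mod_switch(c, q, p)
    e_q, e_p = noise(c, s, q), noise(c2, s, p)
    parity_ok = (e_p - e_q) % 2 == 0
    bound_ok = abs(e_p) * q <= p * abs(e_q) + q * l1_norm(s)
    return c2, parity_ok, bound_ok


def ladder_demo(s, x_bits=8, k=8, m=1):
    """Noise x = 2^x_bits, q = x^k (made odd), ladder q_i ~ q / x^i.
    Naive: square the noise per level until it passes q/2 (log k levels).
    Ladder: square it (emulated product), switch down to q_{i+1}, and repeat
    while the precondition of Lemma 1, |noise| < q/2 - (q/p) l1(s), holds."""
    x = 1 << x_bits
    moduli = [(1 << (x_bits * (k - i))) + 1 for i in range(k)]  # odd, decreasing
    naive, t = 0, x
    while t * t < moduli[0] // 2:
        t, naive = t * t, naive + 1

    c = make_ciphertext(s, moduli[0], m, x // 2)  # noise 2e + m of magnitude ~x
    trace, i = [], 0
    while i + 1 < k:
        q, p = moduli[i], moduli[i + 1]
        t2 = noise(c, s, q) ** 2  # noise of the emulated product, (2e + m)^2
        if 2 * p * abs(t2) >= p * q - 2 * q * l1_norm(s):  # Lemma 1 precondition fails
            break
        c = make_ciphertext(s, q, t2 % 2, (t2 - t2 % 2) // 2)  # ciphertext with noise t2
        c = [ci % p for ci in mod_switch(c, q, p)]  # switch to q_{i+1}, store mod p
        trace.append((p.bit_length(), abs(noise(c, s, p))))  # (modulus bits, noise)
        i += 1
    return {"naive_levels": naive, "ladder_levels": i, "trace": trace,
            "decrypts": noise(c, s, moduli[i]) % 2 == m}
```

With these parameters the naive approach survives only 2 squarings before the noise passes $q/2$, whereas the ladder runs 6 levels with the noise staying within a small multiple of $x$ (the slow drift comes from the $\ell_1(\mathbf{s})$ term that the text asks the reader to ignore), and the ciphertext still decrypts to $m$ at the bottom of the ladder.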

Performance-wise, this scheme trounces previous (bootstrapping-based) FHE schemes (at least asymptotically; the concrete performance remains to be seen). Instantiated with ring-LWE, it can evaluate $L$-level arithmetic circuits with per-gate computation $\tilde{O}(\lambda \cdot L^3)$, i.e., computation quasi-linear in the security parameter. Since the ratio of the largest modulus (namely, $q \approx x^L$) to the noise (namely, $x$) is exponential in $L$, the scheme relies on the hardness of approximating short vectors to within a factor exponential in $L$.

Bootstrapping for Better Efficiency and Better Assumptions. The per-gate computation of our FHE-without-bootstrapping scheme depends polynomially on the number of levels in the circuit that is being evaluated. While this approach is efficient (in the sense of "polynomial time") for polynomial-size circuits, the per-gate computation may become undesirably high for very deep circuits. So, we re-introduce bootstrapping as an optimization6 that makes the per-gate computation independent of the circuit depth, and that (if one is willing to assume circular security) allows homomorphic operations to be performed indefinitely without needing to specify in advance a bound on the number of circuit levels. The main idea is that to compute arbitrary polynomial-depth circuits, it is enough to compute the decryption circuit of the scheme homomorphically. Since the decryption circuit has depth $\approx \log \lambda$, the largest modulus we need has a bit length only polylogarithmic in $\lambda$, and therefore we can base security on the hardness of lattice problems with quasi-polynomial factors. Since the decryption circuit has size $\tilde{O}(\lambda)$ for the RLWE-based instantiation, the per-gate computation becomes $\tilde{O}(\lambda^2)$ (independent of $L$). See Section 5 for details.

Other  Optimizations.  We  also  consider  batching  as  an  optimization.  The  idea  behind  batching  is  to  pack 
multiple  plaintexts  into  each  ciphertext  so  that  a  function  can  be  homomorphically  evaluated  on  multiple 
inputs  with  approximately  the  same  efficiency  as  homomorphically  evaluating  it  on  one  input. 

An especially interesting case is batching the decryption function so that multiple ciphertexts, e.g., all of the ciphertexts associated to gates at some level in the circuit, can be bootstrapped simultaneously very efficiently. For circuits of large width (say, width $\lambda$), batched bootstrapping reduces the per-gate computation in the RLWE-based instantiation to $\tilde{O}(\lambda)$, independent of $L$. We give the details in Section 5.

6 We are aware of the seeming irony of trumpeting "FHE without bootstrapping" and then proposing bootstrapping "as an optimization". First, FHE without bootstrapping is exciting theoretically, independent of performance. Second, whether bootstrapping actually improves performance depends crucially on the number of levels in the circuit one is evaluating. For example, for circuits of depth sub-polynomial in the security parameter, this "optimization" will not improve performance asymptotically.

1.3  Other  Related  Work 

We note that prior to Gentry's construction, there were already a few interesting homomorphic encryption schemes that could be called "somewhat homomorphic", including Boneh-Goh-Nissim [2] (evaluates quadratic formulas using bilinear maps), (Aguilar Melchor)-Gaborit-Herranz [15] (evaluates constant degree polynomials using lattices) and Ishai-Paskin [12] (evaluates branching programs).

2  Preliminaries 

Basic Notation. In our construction, we will use a ring $R$. In our concrete instantiations, we prefer to use either $R = \mathbb{Z}$ (the integers) or the polynomial ring $R = \mathbb{Z}[x]/(x^d + 1)$, where $d$ is a power of 2.

We write elements of $R$ in lowercase, e.g., $r \in R$. We write vectors in bold, e.g., $\mathbf{v} \in R^n$. The notation $\mathbf{v}[i]$ refers to the $i$-th coefficient of $\mathbf{v}$. We write the dot product of $\mathbf{u}, \mathbf{v} \in R^n$ as $\langle \mathbf{u}, \mathbf{v}\rangle = \sum_i \mathbf{u}[i] \cdot \mathbf{v}[i] \in R$. When $R$ is a polynomial ring, $\|r\|$ for $r \in R$ refers to the Euclidean norm of $r$'s coefficient vector. We say $\gamma_R = \max\{\|a \cdot b\| / (\|a\| \cdot \|b\|) : a, b \in R\}$ is the expansion factor of $R$. For $R = \mathbb{Z}[x]/(x^d + 1)$, the value of $\gamma_R$ is at most $\sqrt{d}$ by Cauchy-Schwarz.

For integer $q$, we use $R_q$ to denote $R/qR$. Sometimes we will abuse notation and use $R_2$ to denote the set of $R$-elements with binary coefficients, e.g., when $R = \mathbb{Z}$, $R_2$ may denote $\{0, 1\}$, and when $R$ is a polynomial ring, $R_2$ may denote those polynomials that have 0/1 coefficients. When it is obvious that $q$ is not a power of two, we will use $\lceil \log q \rceil$ to denote $1 + \lfloor \log q \rfloor$. For $a \in R$, we use the notation $[a]_q$ to refer to $a \bmod q$, with coefficients reduced into the range $(-q/2, q/2]$.

Leveled  Fully  Homomorphic  Encryption.  Most  of  this  paper  will  focus  on  the  construction  of  a  leveled 
fully  homomorphic  scheme,  in  the  sense  that  the  parameters  of  the  scheme  depend  (polynomially)  on  the 
depth  of  the  circuits  that  the  scheme  is  capable  of  evaluating. 

Definition 1 (Leveled Fully Homomorphic Encryption [7]). We say that a family of homomorphic encryption schemes $\{\mathcal{E}^{(L)} : L \in \mathbb{Z}^+\}$ is leveled fully homomorphic if, for all $L \in \mathbb{Z}^+$, they all use the same decryption circuit, $\mathcal{E}^{(L)}$ compactly evaluates all circuits of depth at most $L$ (that use some specified complete set of gates), and the computational complexity of $\mathcal{E}^{(L)}$'s algorithms is polynomial (the same polynomial for all $L$) in the security parameter, $L$, and (in the case of the evaluation algorithm) the size of the circuit.

2.1  The  Learning  with  Errors  (LWE)  Problem 

The  learning  with  errors  (LWE)  problem  was  introduced  by  Regev  [17].  It  is  defined  as  follows. 

Definition 2 (LWE). For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $q = q(\lambda) \ge 2$ be an integer, and let $\chi = \chi(\lambda)$ be a distribution over $\mathbb{Z}$. The $\mathrm{LWE}_{n,q,\chi}$ problem is to distinguish the following two distributions: In the first distribution, one samples $(\mathbf{a}_i, b_i)$ uniformly from $\mathbb{Z}_q^{n+1}$. In the second distribution, one first draws $\mathbf{s} \leftarrow \mathbb{Z}_q^n$ uniformly and then samples $(\mathbf{a}_i, b_i) \in \mathbb{Z}_q^{n+1}$ by sampling $\mathbf{a}_i \leftarrow \mathbb{Z}_q^n$ uniformly, $e_i \leftarrow \chi$, and setting $b_i = \langle \mathbf{a}_i, \mathbf{s}\rangle + e_i$. The $\mathrm{LWE}_{n,q,\chi}$ assumption is that the $\mathrm{LWE}_{n,q,\chi}$ problem is infeasible.

Regev [17] proved that for certain moduli $q$ and Gaussian error distributions $\chi$, the $\mathrm{LWE}_{n,q,\chi}$ assumption is true as long as certain worst-case lattice problems are hard to solve using a quantum algorithm. We state this result using the terminology of $B$-bounded distributions, which is a distribution over the integers where the magnitude of a sample is bounded with high probability. A definition follows.
Definition 3 ($B$-bounded distributions). A distribution ensemble $\{\chi_n\}_{n \in \mathbb{N}}$, supported over the integers, is called $B$-bounded if

$\Pr_{e \leftarrow \chi_n}[|e| > B] = \mathrm{negl}(n)$.

We  can  now  state  Regev’s  worst-case  to  average-case  reduction  for  LWE. 

Theorem 1 (Regev [17]). For any integer dimension $n$, prime integer $q = q(n)$, and $B = B(n) \ge 2n$, there is an efficiently samplable $B$-bounded distribution $\chi$ such that if there exists an efficient (possibly quantum) algorithm that solves $\mathrm{LWE}_{n,q,\chi}$, then there is an efficient quantum algorithm for solving $\tilde{O}(qn^{1.5}/B)$-approximate worst-case SIVP and gapSVP.

Peikert [16] de-quantized Regev's results to some extent; that is, he showed the $\mathrm{LWE}_{n,q,\chi}$ assumption is true as long as certain worst-case lattice problems are hard to solve using a classical algorithm. (See [16] for a precise statement of these results.)

Applebaum et al. [1] showed that if LWE is hard for the above distribution of $\mathbf{s}$, then it is also hard when $\mathbf{s}$'s coefficients are sampled according to the noise distribution $\chi$.

2.2  The  Ring  Learning  with  Errors  (RLWE)  Problem 

The ring learning with errors (RLWE) problem was introduced by Lyubashevsky, Peikert and Regev [14]. We will use a simplified special-case version of the problem that is easier to work with [18, 4].

Definition 4 (RLWE). For security parameter $\lambda$, let $f(x) = x^d + 1$ where $d = d(\lambda)$ is a power of 2. Let $q = q(\lambda) \ge 2$ be an integer. Let $R = \mathbb{Z}[x]/(f(x))$ and let $R_q = R/qR$. Let $\chi = \chi(\lambda)$ be a distribution over $R$. The $\mathrm{RLWE}_{d,q,\chi}$ problem is to distinguish the following two distributions: In the first distribution, one samples $(a_i, b_i)$ uniformly from $R_q^2$. In the second distribution, one first draws $s \leftarrow R_q$ uniformly and then samples $(a_i, b_i) \in R_q^2$ by sampling $a_i \leftarrow R_q$ uniformly, $e_i \leftarrow \chi$, and setting $b_i = a_i \cdot s + e_i$. The $\mathrm{RLWE}_{d,q,\chi}$ assumption is that the $\mathrm{RLWE}_{d,q,\chi}$ problem is infeasible.

The  RLWE  problem  is  useful,  because  the  well-established  shortest  vector  problem  (SVP)  over  ideal 
lattices  can  be  reduced  to  it,  specifically: 

Theorem 2 (Lyubashevsky-Peikert-Regev [14]). For any $d$ that is a power of 2, ring $R = \mathbb{Z}[x]/(x^d + 1)$, prime integer $q = q(d) = 1 \bmod d$, and $B = \omega(\sqrt{d \log d})$, there is an efficiently samplable distribution $\chi$ that outputs elements of $R$ of length at most $B$ with overwhelming probability, such that if there exists an efficient algorithm that solves $\mathrm{RLWE}_{d,q,\chi}$, then there is an efficient quantum algorithm for solving $d^{\omega(1)} \cdot (q/B)$-approximate worst-case SVP for ideal lattices over $R$.

Typically, to use RLWE with a cryptosystem, one chooses the noise distribution $\chi$ according to a Gaussian distribution, where vectors sampled according to this distribution have length only $\mathrm{poly}(d)$ with overwhelming probability. This Gaussian distribution may need to be "ellipsoidal" for certain reductions to go through [14]. It has been shown for RLWE that one can equivalently assume that $s$ is alternatively sampled from the noise distribution $\chi$ [14].

2.3  The  General  Learning  with  Errors  (GLWE)  Problem 

The learning with errors (LWE) probl­em and the ring learning with errors (RLWE) problem are syntactically identical, aside from using different rings ($\mathbb{Z}$ versus a polynomial ring) and different vector dimensions over those rings ($n = \mathrm{poly}(\lambda)$ for LWE, but $n$ is constant, namely 1, in the RLWE case). To simplify our presentation, we define a "General Learning with Errors (GLWE)" problem, and describe a single "GLWE-based" FHE scheme, rather than presenting essentially the same scheme twice, once for each of our two concrete instantiations.
Definition 5 (GLWE). For security parameter $\lambda$, let $n = n(\lambda)$ be an integer dimension, let $f(x) = x^d + 1$ where $d = d(\lambda)$ is a power of 2, let $q = q(\lambda) \ge 2$ be a prime integer, let $R = \mathbb{Z}[x]/(f(x))$ and $R_q = R/qR$, and let $\chi = \chi(\lambda)$ be a distribution over $R$. The $\mathrm{GLWE}_{n,q,\chi}$ problem is to distinguish the following two distributions: In the first distribution, one samples $(\mathbf{a}_i, b_i)$ uniformly from $R_q^{n+1}$. In the second distribution, one first draws $\mathbf{s} \leftarrow R_q^n$ uniformly and then samples $(\mathbf{a}_i, b_i) \in R_q^{n+1}$ by sampling $\mathbf{a}_i \leftarrow R_q^n$ uniformly, $e_i \leftarrow \chi$, and setting $b_i = \langle \mathbf{a}_i, \mathbf{s}\rangle + e_i$. The $\mathrm{GLWE}_{n,q,\chi}$ assumption is that the $\mathrm{GLWE}_{n,q,\chi}$ problem is infeasible.

LWE is simply GLWE instantiated with $d = 1$. RLWE is GLWE instantiated with $n = 1$. Interestingly, as far as we know, instances of GLWE between these extremes have not been explored. One would suspect that GLWE is hard for any $(n, d)$ such that $n \cdot d = \Omega(\lambda \log(q/B))$, where $B$ is a bound (with overwhelming probability) on the length of elements output by $\chi$. For fixed $n \cdot d$, perhaps GLWE gradually becomes harder as $n$ increases (if it is true that general lattice problems are harder than ideal lattice problems), whereas increasing $d$ is probably often preferable for efficiency.

If $q$ is much larger than $B$, the associated GLWE problem is believed to be easier (i.e., there is less security). Previous FHE schemes required $q/B$ to be sub-exponential in $n$ or $d$ to give room for the noise to grow as homomorphic operations (especially multiplication) are performed. In our FHE scheme without bootstrapping, $q/B$ will be exponential in the number of circuit levels to be evaluated. However, since the decryption circuit can be evaluated in logarithmic depth, the bootstrapped version of our scheme will only need $q/B$ to be quasi-polynomial, and we thus base security on lattice problems for quasi-polynomial approximation factors.

The GLWE assumption implies that the distribution $\{(\mathbf{a}_i, \langle \mathbf{a}_i, \mathbf{s}\rangle + t \cdot e_i)\}$ is computationally indistinguishable from uniform for any $t$ relatively prime to $q$ (multiplying the second component by $t$, which is invertible mod $q$, maps the uniform distribution to itself and maps GLWE samples for the uniform key $\mathbf{s}$ to samples of this form for the key $t \cdot \mathbf{s}$, which is again uniform). This fact will be convenient for encryption, where, for example, a message $m$ may be encrypted as $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s}\rangle + 2e + m)$, and this fact can be used to argue that the second component of this ciphertext is indistinguishable from random.

3  (Leveled)  FHE  without  Bootstrapping:  Our  Construction 

The plan of this section is to present our leveled FHE-without-bootstrapping construction in modular steps. First, we describe a plain GLWE-based encryption scheme with no homomorphic operations. Next, we describe variants of the "relinearization" and "dimension reduction" techniques of [3]. Finally, in Section 3.4, we lay out our construction of FHE without bootstrapping.

3.1  Basic  Encryption  Scheme 

We begin by presenting a basic GLWE-based encryption scheme with no homomorphic operations. Let $\lambda$ be the security parameter, representing $2^\lambda$ security against known attacks. ($\lambda = 100$ is a reasonable value.)

Let $R = R(\lambda)$ be a ring. For example, one may use $R = \mathbb{Z}$ if one wants a scheme based on (standard) LWE, or one may use $R = \mathbb{Z}[x]/f(x)$ where (e.g.) $f(x) = x^d + 1$ and $d = d(\lambda)$ is a power of 2 if one wants a scheme based on RLWE. Let the "dimension" $n = n(\lambda)$, an odd modulus $q = q(\lambda)$, a "noise" distribution $\chi = \chi(\lambda)$ over $R$, and an integer $N = N(\lambda)$ be additional parameters of the system. These parameters come from the GLWE assumption, except for $N$, which is set to be larger than $(2n + 1) \log q$. Note that $n = 1$ in the RLWE instantiation. For simplicity, assume for now that the plaintext space is $R_2 = R/2R$, though larger plaintext spaces are certainly possible.

We go ahead and stipulate here, even though it only becomes important when we introduce homomorphic operations, that the noise distribution $\chi$ is set to be as small as possible. Specifically, to base security on LWE or GLWE, one must use (typically Gaussian) noise distributions with deviation at least some sub-linear function of $d$ or $n$, and we will let $\chi$ be a noise distribution that barely satisfies that requirement. To achieve $2^\lambda$ security against known lattice attacks, one must have $n \cdot d = \Omega(\lambda \cdot \log(q/B))$ where $B$ is a bound on the length of the noise. Since $n$ or $d$ depends logarithmically on $q$, and since the distribution $\chi$ (and hence $B$) depends sub-linearly on $n$ or $d$, the distribution $\chi$ (and hence $B$) depends sub-logarithmically on $q$. This dependence is weak, and one should think of the noise distribution as being essentially independent of $q$.

Here  is  a  basic  GLWE-based  encryption  scheme  with  no  homomorphic  operations: 

Basic GLWE-Based Encryption Scheme:

• $\mathrm{E.Setup}(1^\lambda, 1^\mu, b)$: Use the bit $b \in \{0, 1\}$ to determine whether we are setting parameters for a LWE-based scheme (where $d = 1$) or a RLWE-based scheme (where $n = 1$). Choose a $\mu$-bit modulus $q$ and choose the other parameters ($d = d(\lambda, \mu, b)$, $n = n(\lambda, \mu, b)$, $N = \lceil (2n + 1) \log q \rceil$, $\chi = \chi(\lambda, \mu, b)$) appropriately to ensure that the scheme is based on a GLWE instance that achieves $2^\lambda$ security against known attacks. Let $R = \mathbb{Z}[x]/(x^d + 1)$ and let $params = (q, d, n, N, \chi)$.

• $\mathrm{E.SecretKeyGen}(params)$: Draw $\mathbf{s}' \leftarrow \chi^n$. Set $sk = \mathbf{s} \leftarrow (1, \mathbf{s}'[1], \ldots, \mathbf{s}'[n]) \in R_q^{n+1}$.

• $\mathrm{E.PublicKeyGen}(params, sk)$: Takes as input a secret key $sk = \mathbf{s} = (1, \mathbf{s}')$ with $\mathbf{s}[0] = 1$ and $\mathbf{s}' \in R_q^n$ and the $params$. Generate matrix $A' \leftarrow R_q^{N \times n}$ uniformly and a vector $\mathbf{e} \leftarrow \chi^N$ and set $\mathbf{b} \leftarrow A'\mathbf{s}' + 2\mathbf{e}$. Set $A$ to be the $(n + 1)$-column matrix consisting of $\mathbf{b}$ followed by the $n$ columns of $-A'$. (Observe: $A \cdot \mathbf{s} = 2\mathbf{e}$.) Set the public key $pk = A$.

• $\mathrm{E.Enc}(params, pk, m)$: To encrypt a message $m \in R_2$, set $\mathbf{m} \leftarrow (m, 0, \ldots, 0) \in R_q^{n+1}$, sample $\mathbf{r} \leftarrow R_2^N$ and output the ciphertext $\mathbf{c} \leftarrow \mathbf{m} + A^T \mathbf{r} \in R_q^{n+1}$.

• $\mathrm{E.Dec}(params, sk, \mathbf{c})$: Output $m \leftarrow [[\langle \mathbf{c}, \mathbf{s}\rangle]_q]_2$.

Correctness is easy to see, and it is straightforward to base security on special cases (depending on the parameters) of the GLWE assumption (and one can find such proofs of special cases in prior work).

3.2  Key  Switching  (Dimension  Reduction) 

We start by reminding the reader that in the basic GLWE-based encryption scheme above, the decryption equation for a ciphertext $\mathbf{c}$ that encrypts $m$ under key $\mathbf{s}$ can be written as $m = [[L_{\mathbf{c}}(\mathbf{s})]_q]_2$ where $L_{\mathbf{c}}(\mathbf{x})$ is a ciphertext-dependent linear equation over the coefficients of $\mathbf{x}$ given by $L_{\mathbf{c}}(\mathbf{x}) = \langle \mathbf{c}, \mathbf{x}\rangle$.

Suppose now that we have two ciphertexts $\mathbf{c}_1$ and $\mathbf{c}_2$, encrypting $m_1$ and $m_2$ respectively under the same secret key $\mathbf{s}$. The way homomorphic multiplication is accomplished in [3] is to consider the quadratic equation $Q_{\mathbf{c}_1,\mathbf{c}_2}(\mathbf{x}) = L_{\mathbf{c}_1}(\mathbf{x}) \cdot L_{\mathbf{c}_2}(\mathbf{x})$. Assuming the noises of the initial ciphertexts are small enough, we obtain $m_1 \cdot m_2 = [[Q_{\mathbf{c}_1,\mathbf{c}_2}(\mathbf{s})]_q]_2$, as desired. If one wishes, one can view $Q_{\mathbf{c}_1,\mathbf{c}_2}(\mathbf{x})$ as a linear equation $L^{long}_{\mathbf{c}_1 \otimes \mathbf{c}_2}(\mathbf{x} \otimes \mathbf{x})$ over the coefficients of $\mathbf{x} \otimes \mathbf{x}$, that is, the tensoring of $\mathbf{x}$ with itself, where $\mathbf{x} \otimes \mathbf{x}$'s dimension is roughly the square of $\mathbf{x}$'s. Using this interpretation, the ciphertext represented by the coefficients of the linear equation $L^{long}$ is decryptable by the long secret key $\mathbf{s}_1 \otimes \mathbf{s}_1$ via the usual dot product. Of course, we cannot continue increasing the dimension like this indefinitely and preserve efficiency.

Thus, Brakerski and Vaikuntanathan convert the long ciphertext represented by the linear equation $L^{long}$ and decryptable by the long tensored secret key $\mathbf{s}_1 \otimes \mathbf{s}_1$ into a shorter ciphertext $\mathbf{c}_2$ that is decryptable by a different secret key $\mathbf{s}_2$. (The secret keys need to be different to avoid a "circular security" issue.) Encryptions of $\mathbf{s}_1 \otimes \mathbf{s}_1$ under $\mathbf{s}_2$ are provided in the public key as a "hint" to facilitate this conversion.

We observe that Brakerski and Vaikuntanathan's relinearization / dimension reduction procedures are actually quite a bit more general. They can be used to not only reduce the dimension of the ciphertext, but more generally, can be used to transform a ciphertext $\mathbf{c}_1$ that is decryptable under one secret key vector $\mathbf{s}_1$ to a different ciphertext $\mathbf{c}_2$ that encrypts the same message, but is now decryptable under a second secret key vector $\mathbf{s}_2$. The vectors $\mathbf{c}_2, \mathbf{s}_2$ may not necessarily be of lower degree or dimension than $\mathbf{c}_1, \mathbf{s}_1$.

Below, we review the concrete details of Brakerski and Vaikuntanathan's key switching procedures. The procedures will use some subroutines that, given two vectors $\mathbf{c}$ and $\mathbf{s}$, "expand" these vectors to get longer (higher-dimensional) vectors $\mathbf{c}'$ and $\mathbf{s}'$ such that $\langle \mathbf{c}', \mathbf{s}'\rangle = \langle \mathbf{c}, \mathbf{s}\rangle \bmod q$. We describe these subroutines first.

• $\mathrm{BitDecomp}(\mathbf{x} \in R_q^n, q)$ decomposes $\mathbf{x}$ into its bit representation. Namely, write $\mathbf{x} = \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot \mathbf{u}_j$, where all of the vectors $\mathbf{u}_j$ are in $R_2^n$, and output $(\mathbf{u}_0, \mathbf{u}_1, \ldots, \mathbf{u}_{\lfloor \log q \rfloor}) \in R_2^{n \cdot \lceil \log q \rceil}$.

• $\mathrm{Powersof2}(\mathbf{x} \in R_q^n, q)$ outputs the vector $(\mathbf{x}, 2 \cdot \mathbf{x}, \ldots, 2^{\lfloor \log q \rfloor} \cdot \mathbf{x}) \in R_q^{n \cdot \lceil \log q \rceil}$.

If one knows a priori that $\mathbf{x}$ has coefficients in $[0, B]$ for $B \ll q$, then $\mathrm{BitDecomp}$ can be optimized in the obvious way to output a shorter decomposition in $R_2^{n \cdot \lceil \log B \rceil}$. Observe that:

Lemma 2. For vectors c, s of equal length, we have ⟨BitDecomp(c, q), Powersof2(s, q)⟩ = ⟨c, s⟩ mod q. 

Proof. 

$$\langle \mathrm{BitDecomp}(c, q), \mathrm{Powersof2}(s, q) \rangle = \sum_{j=0}^{\lfloor \log q \rfloor} \langle u_j, 2^j \cdot s \rangle = \sum_{j=0}^{\lfloor \log q \rfloor} \langle 2^j \cdot u_j, s \rangle = \Big\langle \sum_{j=0}^{\lfloor \log q \rfloor} 2^j \cdot u_j, s \Big\rangle = \langle c, s \rangle.$$

□ 


We remark that this obviously generalizes to decompositions with respect to bases other than the powers of 2. 

Now, key switching consists of two procedures: first, a procedure SwitchKeyGen(s_1, s_2, n_1, n_2, q), 
which takes as input the two secret key vectors, the respective dimensions of these vectors, and 
the modulus q, and outputs some auxiliary information τ_{s_1→s_2} that enables the switching; and second, a 
procedure SwitchKey(τ_{s_1→s_2}, c_1, n_1, n_2, q), that takes this auxiliary information and a ciphertext encrypted 
under s_1 and outputs a new ciphertext c_2 that encrypts the same message under the secret key s_2. (Below, 
we often suppress the additional arguments n_1, n_2, q.) 

SwitchKeyGen(s_1 ∈ R_q^{n_1}, s_2 ∈ R_q^{n_2}): 

1. Run A ← E.PublicKeyGen(s_2, N) for N = n_1 · ⌈log q⌉. 

2. Set B ← A + Powersof2(s_1) (add Powersof2(s_1) ∈ R_q^N to A’s first column). Output τ_{s_1→s_2} = B. 

SwitchKey(τ_{s_1→s_2}, c_1): Output c_2 = BitDecomp(c_1)^T · B ∈ R_q^{n_2}. 

Note that, in SwitchKeyGen, the matrix A basically consists of encryptions of 0 under the key s_2. Then, 
pieces of the key s_1 are added to these encryptions of 0. Thus, in some sense, the matrix B consists of 
encryptions of pieces of s_1 (in a certain format) under the key s_2. We now establish that the key switching 
procedures are meaningful, in the sense that they preserve the correctness of decryption under the new key. 

Lemma 3. [Correctness] Let s_1, s_2, q, n_1, n_2, A, B = τ_{s_1→s_2} be as in SwitchKeyGen(s_1, s_2), and let 
A · s_2 = 2e_2 ∈ R_q^N. Let c_1 ∈ R_q^{n_1} and c_2 ← SwitchKey(τ_{s_1→s_2}, c_1). Then, 

$$\langle c_2, s_2 \rangle = 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle + \langle c_1, s_1 \rangle \bmod q$$

Proof. 

$$\begin{aligned}
\langle c_2, s_2 \rangle &= \mathrm{BitDecomp}(c_1)^T \cdot B \cdot s_2 \\
&= \mathrm{BitDecomp}(c_1)^T \cdot (2e_2 + \mathrm{Powersof2}(s_1)) \\
&= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle + \langle \mathrm{BitDecomp}(c_1), \mathrm{Powersof2}(s_1) \rangle \\
&= 2 \langle \mathrm{BitDecomp}(c_1), e_2 \rangle + \langle c_1, s_1 \rangle
\end{aligned}$$

□ 

Note that the dot product of BitDecomp(c_1) and e_2 is small, since BitDecomp(c_1) is in R_2^N. Overall, we 
have that c_2 is a valid encryption of m under key s_2, with noise that is larger by a small additive factor. 
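The following added example (not part of this report) works through BitDecomp, Powersof2 and the two key switching procedures in the LWE instantiation (R = Z, so d = 1) with plain Python integers. It checks Lemma 2, including the generalization to bases other than 2 mentioned above, and then verifies the identity of Lemma 3 on an actual switched ciphertext. The toy basic scheme "E" it uses (secret key s = (1, t) with small t; public-key rows a_i with ⟨a_i, s⟩ = 2e_i mod q; encryption m + A^T r) is an assumption made for the demonstration, as are the parameter values.

```python
# Added example (not from the report): BitDecomp / Powersof2 and the
# SwitchKeyGen / SwitchKey procedures in the LWE instantiation (R = Z, d = 1).
# The toy basic scheme "E" below (s = (1, t) with small t; public-key rows
# a_i with <a_i, s> = 2 e_i mod q) is an assumption made for this demo.
import random

rng = random.Random(2011)  # fixed seed so the toy instance is reproducible


def centered(x, q):
    """[x]_q: the representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def dot(u, v, q):
    """Inner product <u, v> reduced mod q."""
    return sum(a * b for a, b in zip(u, v)) % q


def num_digits(q, base):
    """Smallest ell with base^ell >= q: enough digits for any value in [0, q)."""
    ell, t = 0, 1
    while t < q:
        t *= base
        ell += 1
    return max(ell, 1)


def bit_decomp(x, q, base=2):
    """BitDecomp(x, q), generalised to any base (the remark after Lemma 2):
    returns (u_0, u_1, ..., u_{ell-1}) with x = sum_j base^j * u_j, digits in [0, base)."""
    ell = num_digits(q, base)
    return [((xi % q) // base ** j) % base for j in range(ell) for xi in x]


def powers_of_base(x, q, base=2):
    """Powersof2(x, q), likewise generalised: (x, base*x, ..., base^{ell-1}*x) mod q."""
    ell = num_digits(q, base)
    return [(base ** j * xi) % q for j in range(ell) for xi in x]


def lemma2_holds(c, s, q, base=2):
    """Lemma 2: <BitDecomp(c, q), Powersof2(s, q)> == <c, s> mod q."""
    return dot(bit_decomp(c, q, base), powers_of_base(s, q, base), q) == dot(c, s, q)


# --- toy basic scheme E (assumed for the demo, not the report's E) ----------
def secret_key_gen(n):
    """E.SecretKeyGen: s = (1, t) with t having entries in {-1, 0, 1}."""
    return [1] + [rng.randint(-1, 1) for _ in range(n - 1)]


def public_key_gen(s, N, q, noise_bound=4):
    """E.PublicKeyGen(s, N): N rows a_i with <a_i, s> = 2 e_i mod q, |e_i| <= noise_bound.
    The noise e is returned too so Lemma 3 can be checked; a real scheme publishes only A."""
    A, e = [], []
    for _ in range(N):
        tail = [rng.randrange(q) for _ in range(len(s) - 1)]
        ei = rng.randint(-noise_bound, noise_bound)
        head = (2 * ei - sum(a * si for a, si in zip(tail, s[1:]))) % q
        A.append([head] + tail)
        e.append(ei)
    return A, e


def encrypt(A, m, q):
    """E.Enc: c = m * e_1 + A^T r mod q with r a random bit vector."""
    c = [0] * len(A[0])
    for row in A:
        if rng.randint(0, 1):
            c = [ck + ak for ck, ak in zip(c, row)]
    c[0] += m
    return [ck % q for ck in c]


def decrypt(s, c, q):
    """E.Dec: m = [[<c, s>]_q]_2."""
    return centered(dot(c, s, q), q) % 2


# --- key switching -----------------------------------------------------------
def switch_key_gen(s1, s2, q):
    """SwitchKeyGen(s1, s2): A <- E.PublicKeyGen(s2, N) with N = n1 * ceil(log q),
    then B = A with Powersof2(s1) added to its first column."""
    P = powers_of_base(s1, q)
    A, e2 = public_key_gen(s2, len(P), q)
    B = [[(row[0] + P[i]) % q] + row[1:] for i, row in enumerate(A)]
    return B, e2


def switch_key(B, c1, q):
    """SwitchKey(tau, c1): c2 = BitDecomp(c1)^T * B mod q, a vector of length n2."""
    D = bit_decomp(c1, q)
    return [sum(D[i] * B[i][k] for i in range(len(D))) % q for k in range(len(B[0]))]


def key_switch_demo(q=2 ** 20 - 3, n1=4, n2=3, m=1):
    """Encrypt bit m under s1, switch to s2, and check Lemma 3 and decryption."""
    s1, s2 = secret_key_gen(n1), secret_key_gen(n2)
    A1, _ = public_key_gen(s1, 2 * n1 * num_digits(q, 2), q)
    c1 = encrypt(A1, m, q)
    B, e2 = switch_key_gen(s1, s2, q)
    c2 = switch_key(B, c1, q)
    # Lemma 3: <c2, s2> = 2 <BitDecomp(c1), e2> + <c1, s1> mod q
    rhs = (2 * dot(bit_decomp(c1, q), e2, q) + dot(c1, s1, q)) % q
    return {
        "lemma3_holds": dot(c2, s2, q) == rhs,
        "noise_before": abs(centered(dot(c1, s1, q), q)),
        "noise_after": abs(centered(dot(c2, s2, q), q)),
        "dec_before": decrypt(s1, c1, q),
        "dec_after": decrypt(s2, c2, q),
    }


if __name__ == "__main__":
    print(key_switch_demo())
```

The noise after switching is the original noise plus 2⟨BitDecomp(c_1), e_2⟩, and with the small noise bound used here it stays far below q/2, so both keys decrypt to the same bit.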

3.3  Modulus  Switching 

Suppose c is a valid encryption of m under s modulo q (i.e., m = [[⟨c, s⟩]_q]_2), and that s is a short vector. 
Suppose also that c' is basically a simple scaling of c; in particular, c' is the R-vector closest to (p/q) · c 
such that c' = c mod 2. Then, it turns out (subject to some qualifications) that c' is a valid encryption of 
m under s modulo p using the usual decryption equation, that is, m = [[⟨c', s⟩]_p]_2. In other words, we 
can change the inner modulus in the decryption equation (e.g., to a smaller number) while preserving the 
correctness of decryption under the same secret key! The essence of this modulus switching idea, a variant 
of Brakerski and Vaikuntanathan’s modulus reduction technique, is formally captured in Lemma 4 below. 

Definition 6 (Scale). For integer vector x and integers q > p > r, we define x' ← Scale(x, q, p, r) to be 
the R-vector closest to (p/q) · x that satisfies x' = x mod r. 

Definition 7 ($\ell_1^{(R)}$ norm). The (usual) norm $\ell_1(s)$ over the reals equals $\sum_i \|s[i]\|$. We extend this to our 
ring R as follows: $\ell_1^{(R)}(s)$ for s ∈ R^n is defined as $\sum_i \|s[i]\|$. 

Lemma 4. Let d be the degree of the ring (e.g., d = 1 when R = Z). Let q > p > r be positive 
integers satisfying q = p = 1 mod r. Let c ∈ R^n and c' ← Scale(c, q, p, r). Then, for any s ∈ R^n with 

$$\|[\langle c, s \rangle]_q\| < q/2 - (q/p) \cdot (r/2) \cdot \sqrt{d} \cdot \gamma(R) \cdot \ell_1^{(R)}(s),$$

we have 

$$[\langle c', s \rangle]_p = [\langle c, s \rangle]_q \bmod r \quad \text{and} \quad \|[\langle c', s \rangle]_p\| < (p/q) \cdot \|[\langle c, s \rangle]_q\| + (r/2) \cdot \sqrt{d} \cdot \gamma(R) \cdot \ell_1^{(R)}(s)$$

Proof. (Lemma 4) We have 

$$[\langle c, s \rangle]_q = \langle c, s \rangle - kq$$

for some k ∈ R. For the same k, let 

$$e_p = \langle c', s \rangle - kp \in R$$

Note that e_p = [⟨c', s⟩]_p mod p. We claim that ‖e_p‖ is so small that e_p = [⟨c', s⟩]_p. We have: 

$$\begin{aligned}
\|e_p\| &= \| -kp + \langle (p/q) \cdot c, s \rangle + \langle c' - (p/q) \cdot c, s \rangle \| \\
&\le \| -kp + \langle (p/q) \cdot c, s \rangle \| + \| \langle c' - (p/q) \cdot c, s \rangle \| \\
&\le (p/q) \cdot \|[\langle c, s \rangle]_q\| + \gamma(R) \cdot \sum_{j=1}^{n} \|c'[j] - (p/q) \cdot c[j]\| \cdot \|s[j]\| \\
&\le (p/q) \cdot \|[\langle c, s \rangle]_q\| + \gamma(R) \cdot (r/2) \cdot \sqrt{d} \cdot \ell_1^{(R)}(s) \\
&< p/2
\end{aligned}$$

Furthermore, modulo r, we have [⟨c', s⟩]_p = e_p = ⟨c', s⟩ − kp = ⟨c, s⟩ − kq = [⟨c, s⟩]_q. □ 
The lemma implies that an evaluator, who does not know the secret key but instead only knows a bound 
on its length, can potentially transform a ciphertext c that encrypts m under key s for modulus q (i.e., m = 
[[⟨c, s⟩]_q]_r) into a ciphertext c' that encrypts m under the same key s for modulus p (i.e., m = [[⟨c', s⟩]_p]_r). 
Specifically, the following corollary follows immediately from Lemma 4. 

Corollary 1. Let p and q be two odd moduli. Suppose c is an encryption of bit m under key s for modulus q, 
i.e., m = [[⟨c, s⟩]_q]_r. Moreover, suppose that s is a fairly short key and the “noise” e_q ← [⟨c, s⟩]_q has small 
magnitude; precisely, assume that $\|e_q\| < q/2 - (q/p) \cdot (r/2) \cdot \sqrt{d} \cdot \gamma(R) \cdot \ell_1^{(R)}(s)$. Then c' ← Scale(c, q, p, r) 
is an encryption of bit m under key s for modulus p, i.e., m = [[⟨c', s⟩]_p]_r. The noise e_p = [⟨c', s⟩]_p of 
the new ciphertext has magnitude at most $(p/q) \cdot \|[\langle c, s \rangle]_q\| + \gamma(R) \cdot (r/2) \cdot \sqrt{d} \cdot \ell_1^{(R)}(s)$. 

Amazingly,  assuming  p  is  smaller  than  q  and  s  has  coefficients  that  are  small  in  relation  to  q,  this  trick 
permits  the  evaluator  to  reduce  the  magnitude  of  the  noise  without  knowing  the  secret  key!  (Of  course,  this 
is  also  what  Gentry’s  bootstrapping  transformation  accomplishes,  but  in  a  much  more  complicated  way.) 
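The following added example (not part of this report) implements Scale over the integers (R = Z, so d = 1 and γ(R) = 1) and checks, on a concrete ciphertext, the hypothesis and both conclusions of Lemma 4 / Corollary 1: the noise keeps its residue mod r (so the bit survives) and shrinks by roughly the factor p/q. The ciphertext is built directly from a known key and noise rather than with E.Enc, and the moduli, key size and noise value are constructed for the demonstration.

```python
# Added example (not from the report): modulus switching over Z (d = 1,
# gamma(R) = 1) with a check of Lemma 4 / Corollary 1.  The ciphertext is
# constructed from a known key and noise (an assumption for the demo).
from fractions import Fraction
import random

rng = random.Random(4)


def centered(x, q):
    """[x]_q: representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def scale_entry(x, q, p, r):
    """Closest integer to (p/q) * x that is congruent to x mod r (exact arithmetic)."""
    target = Fraction(p * x, q)
    lo = int(target)  # the window below covers both sides of the target
    cands = [v for v in range(lo - r, lo + r + 1) if (v - x) % r == 0]
    return min(cands, key=lambda v: abs(v - target))


def scale(c, q, p, r):
    """Scale(c, q, p, r) of Definition 6, applied coordinate-wise."""
    return [scale_entry(ci, q, p, r) for ci in c]


def make_ciphertext(s, q, m, e):
    """Random c in Z_q^n with <c, s> = m + 2e mod q (requires s[0] = 1)."""
    c = [rng.randrange(q) for _ in s]
    c[0] = (m + 2 * e - dot(c[1:], s[1:])) % q
    return c


def modulus_switch_demo(q=2 ** 30 + 3, p=2 ** 15 + 1, r=2, n=5, m=1, e=123456):
    """Switch a ciphertext from modulus q to p and report what Lemma 4 promises."""
    assert q % r == 1 and p % r == 1, "Lemma 4 needs q = p = 1 mod r"
    s = [1] + [rng.randint(-3, 3) for _ in range(n - 1)]   # short key
    l1 = sum(abs(si) for si in s)                          # ell_1^{(R)}(s) for R = Z
    c = make_ciphertext(s, q, m, e)
    noise_q = centered(dot(c, s), q)
    # hypothesis of Lemma 4 (with d = 1 and gamma(R) = 1)
    hypothesis = abs(noise_q) < Fraction(q, 2) - Fraction(q, p) * Fraction(r, 2) * l1
    c2 = scale(c, q, p, r)
    noise_p = centered(dot(c2, s), p)
    bound = Fraction(p, q) * abs(noise_q) + Fraction(r, 2) * l1
    return {
        "hypothesis": hypothesis,
        "same_mod_r": noise_p % r == noise_q % r,   # [<c',s>]_p = [<c,s>]_q mod r
        "decrypts_to_m": noise_p % 2 == m,
        "noise_q": noise_q,
        "noise_p": noise_p,
        "within_bound": abs(noise_p) <= bound,
    }


if __name__ == "__main__":
    print(modulus_switch_demo())
```

Because rounding is done in exact rational arithmetic, each coordinate of c' is within r/2 of (p/q) · c, which is exactly the slack the proof of Lemma 4 charges to the term γ(R) · (r/2) · √d · ℓ_1^{(R)}(s).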

3.4  (Leveled)  FHE  Based  on  GLWE  without  Bootstrapping 

We  now  present  our  FHE  scheme.  Given  the  machinery  that  we  have  described  in  the  previous  subsections, 
the  scheme  itself  is  remarkably  simple. 

In our scheme, we will use a parameter L indicating the number of levels of arithmetic circuit that we 
want our FHE scheme to be capable of evaluating. Note that this is an exponential improvement over prior 
schemes, which would typically use a parameter d indicating the degree of the polynomials to be evaluated. 
(Note: the linear polynomial L^{long}, used below, is defined in Section 3.2.) 

Our  FHE  Scheme  without  Bootstrapping: 


• FHE.Setup(1^λ, 1^L, b): Takes as input the security parameter, a number of levels L, and a bit b. Use 
the bit b ∈ {0, 1} to determine whether we are setting parameters for a LWE-based scheme (where 
d = 1) or a RLWE-based scheme (where n = 1). Let μ = μ(λ, L, b) = θ(log λ + log L) be a 
parameter that we will specify in detail later. For j = L (input level of circuit) to 0 (output level), run 
params_j ← E.Setup(1^λ, 1^{(j+1)·μ}, b) to obtain a ladder of decreasing moduli from q_L ((L + 1) · μ 
bits) down to q_0 (μ bits). For j = L − 1 to 0, replace the value of d_j in params_j with d = d_L and the 
distribution χ_j with χ = χ_L. (That is, the ring dimension and noise distribution do not depend on the 
circuit level, but the vector dimension n_j still might.) 


• FHE.KeyGen({params_j}): For j = L down to 0, do the following: 

1. Run s_j ← E.SecretKeyGen(params_j) and A_j ← E.PublicKeyGen(params_j, s_j). 

2. Set $s'_j \leftarrow s_j \otimes s_j \in R_{q_j}^{\binom{n_j+1}{2}}$. That is, s'_j is a tensoring of s_j with itself whose coefficients are 
each the product of two coefficients of s_j in R_{q_j}. 

3. Set s''_j ← BitDecomp(s'_j, q_j). 

4. Run τ_{s''_{j+1}→s_j} ← SwitchKeyGen(s''_{j+1}, s_j). (Omit this step when j = L.) 

The secret key sk consists of the s_j’s and the public key pk consists of the A_j’s and τ_{s''_{j+1}→s_j}’s. 


• FHE.Enc(params, pk, m): Take a message in R_2. Run E.Enc(A_L, m). 

• FHE.Dec(params, sk, c): Suppose the ciphertext is under key s_j. Run E.Dec(s_j, c). (The ciphertext 
could be augmented with an index indicating which level it belongs to.) 
• FHE.Add(pk, c_1, c_2): Takes two ciphertexts encrypted under the same s_j. (If they are not initially, 
use FHE.Refresh (below) to make it so.) Set c_3 ← c_1 + c_2 mod q_j. Interpret c_3 as a ciphertext under 
s'_j (s'_j’s coefficients include all of s_j’s since s'_j = s_j ⊗ s_j and s_j’s first coefficient is 1) and output: 

c_4 ← FHE.Refresh(c_3, τ_{s''_j→s_{j−1}}, q_j, q_{j−1}) 

• FHE.Mult(pk, c_1, c_2): Takes two ciphertexts encrypted under the same s_j. (If they are not initially, 
use FHE.Refresh (below) to make it so.) First, multiply: the new ciphertext, under the secret key 
s'_j = s_j ⊗ s_j, is the coefficient vector c_3 of the linear equation L^{long}_{c_1,c_2}(x ⊗ x). Then, output: 

c_4 ← FHE.Refresh(c_3, τ_{s''_j→s_{j−1}}, q_j, q_{j−1}) 

• FHE.Refresh(c, τ_{s''_j→s_{j−1}}, q_j, q_{j−1}): Takes a ciphertext encrypted under s'_j, the auxiliary information 
τ_{s''_j→s_{j−1}} to facilitate key switching, and the current and next moduli q_j and q_{j−1}. Do the following: 

1. Expand: Set c_1 ← Powersof2(c, q_j). (Observe: ⟨c_1, s''_j⟩ = ⟨c, s'_j⟩ mod q_j by Lemma 2.) 

2. Switch Moduli: Set c_2 ← Scale(c_1, q_j, q_{j−1}, 2), a ciphertext under the key s''_j for modulus q_{j−1}. 

3. Switch Keys: Output c_3 ← SwitchKey(τ_{s''_j→s_{j−1}}, c_2, q_{j−1}), a ciphertext under the key s_{j−1} for 
modulus q_{j−1}. 


Remark  1.  We  mention  the  obvious  fact  that,  since  addition  increases  the  noise  much  more  slowly  than 
multiplication,  one  does  not  necessarily  need  to  refresh  after  additions,  even  high  fan-in  ones. 

The  key  step  of  our  new  FHE  scheme  is  the  Refresh  procedure.  If  the  modulus  qj-i  is  chosen  to  be 
smaller  than  qj  by  a  sufficient  multiplicative  factor,  then  Corollary  1  implies  that  the  noise  of  the  ciphertext 
output  by  Refresh  is  smaller  than  that  of  the  input  ciphertext  -  that  is,  the  ciphertext  will  indeed  be  a 
“refreshed”  encryption  of  the  same  value.  We  elaborate  on  this  analysis  in  the  next  section. 

One can reasonably argue that this scheme is not “FHE without bootstrapping” since τ_{s''_j→s_{j−1}} can be 
viewed as an encrypted secret key, and the SwitchKey step can be viewed as a homomorphic evaluation of the 
decryption function. We prefer not to view the SwitchKey step this way. While there is some high-level 
resemblance, the low-level details are very different, a difference that becomes tangible in the much better 
asymptotic performance. To the extent that it performs decryption, SwitchKey does so very efficiently using 
an efficient (not bit-wise) representation of the secret key that allows this step to be computed in quasi-linear 
time for the RLWE instantiation, below the quadratic lower bound for bootstrapping. Certainly SwitchKey 
does not use the usual ponderous approach of representing the decryption function as a boolean circuit to 
be traversed homomorphically. Another difference is that the SwitchKey step does not actually reduce the 
noise level (as bootstrapping does); rather, the noise is reduced by the Scale step. 

4  Correctness,  Setting  the  Parameters,  Performance,  and  Security 

Here, we will show how to set the parameters of the scheme so that the scheme is correct. Mostly, this 
involves analyzing each of the steps within FHE.Add and FHE.Mult (namely, the addition or multiplication 
itself, and then the Powersof2, Scale and SwitchKey steps that make up FHE.Refresh) to establish that the 
output of each step is a decryptable ciphertext with bounded noise. This analysis will lead to concrete 
suggestions for how to set the ladder of moduli and to asymptotic bounds on the performance of the scheme. 

Let  us  begin  by  considering  how  much  noise  FHE.Enc  introduces  initially. 
4.1 The Initial Noise from FHE.Enc 

Recall that FHE.Enc simply invokes E.Enc for suitable parameters (params_L) that depend on λ and L. In 
turn, the noise of ciphertexts output by E.Enc depends on the noise of the initial “ciphertexts” (the encryptions 
of 0) implicit in the matrix A output by E.PublicKeyGen, whose noise distribution is dictated by the 
distribution χ. 

Lemma 5. Let n_L and q_L be the parameters associated to FHE.Enc. Let d be the dimension of the ring 
R, and let γ_R be the expansion factor associated to R. (Both of these quantities are 1 when R = Z.) 
Let B_χ be a bound such that R-elements sampled from the noise distribution χ have length at most 
B_χ with overwhelming probability. The length of the noise in ciphertexts output by FHE.Enc is at most 
$1 + 2 \cdot \gamma_R \cdot \sqrt{d} \cdot ((2 n_L + 1) \log q_L) \cdot B_\chi$. 

Proof. Recall that s ← E.SecretKeyGen and A ← E.PublicKeyGen(s, N) for N = (2n_L + 1) log q_L, 
where A · s = 2e for e ← χ. Recall that encryption works as follows: c ← m + A^T r mod q where 
r ∈ R_2^N. We have that the noise of this ciphertext is [⟨c, s⟩]_q = [m + 2⟨r, e⟩]_q, whose magnitude is at most 

$$1 + 2 \cdot \gamma_R \cdot \sum_{j=1}^{N} \|r[j]\| \cdot \|e[j]\| \le 1 + 2 \cdot \gamma_R \cdot \sqrt{d} \cdot N \cdot B_\chi. \qquad \square$$

Notice that we are using very loose (i.e., conservative) upper bounds for the noise. These bounds 
could be tightened up with a more careful analysis. The correctness of decryption for ciphertexts output 
by FHE.Enc, assuming the noise bound above is less than q/2, follows directly from the correctness of the 
basic encryption and decryption algorithms E.Enc and E.Dec. 

4.2 Correctness and Performance of FHE.Add and FHE.Mult (before FHE.Refresh) 

Consider FHE.Mult. One begins FHE.Mult(pk, c_1, c_2) with two ciphertexts under key s_j for modulus q_j 
that have noises e_i = [L_{c_i}(s_j)]_{q_j}, where L_{c_i}(x) is simply the dot product ⟨c_i, x⟩. To multiply together two 
ciphertexts, one multiplies together these two linear equations to obtain a quadratic equation Q_{c_1,c_2}(x) = 
L_{c_1}(x) · L_{c_2}(x), and then interprets this quadratic equation as a linear equation L^{long}_{c_1,c_2}(x ⊗ x) = Q_{c_1,c_2}(x) 
over the tensored vector x ⊗ x. The coefficients of this long linear equation compose the new ciphertext 
vector c_3. Clearly, $[\langle c_3, s_j \otimes s_j \rangle]_{q_j} = [L^{long}_{c_1,c_2}(s_j \otimes s_j)]_{q_j} = [e_1 \cdot e_2]_{q_j}$. Thus, if the noises of c_1 and c_2 have 
length at most B, then the noise of c_3 has length at most γ_R · B², where γ_R is the expansion factor of R. If 
this length is less than q_j/2, then decryption works correctly. In particular, if $m_i = [[\langle c_i, s_j \rangle]_{q_j}]_2 = [e_i]_2$ for 
i ∈ {1, 2}, then over R_2 we have $[[\langle c_3, s_j \otimes s_j \rangle]_{q_j}]_2 = [[e_1 \cdot e_2]_{q_j}]_2 = [e_1 \cdot e_2]_2 = [e_1]_2 \cdot [e_2]_2 = m_1 \cdot m_2$. 
That is, correctness is preserved as long as this noise does not wrap modulo q_j. 

The correctness of FHE.Add and FHE.Mult (before FHE.Refresh) is formally captured in the following 
lemmas. 

Lemma 6. Let c_1 and c_2 be two ciphertexts under key s_j for modulus q_j, where ‖[⟨c_i, s_j⟩]_{q_j}‖ < B and 
m_i = [[⟨c_i, s_j⟩]_{q_j}]_2. Let s'_j = s_j ⊗ s_j, where the “non-quadratic coefficients” of s'_j (namely, the ‘1’ and 
the coefficients of s_j) are placed first. Let c' = c_1 + c_2, and pad c' with zeros to get a vector c_3 such that 
⟨c_3, s'_j⟩ = ⟨c', s_j⟩. The noise [⟨c_3, s'_j⟩]_{q_j} has length at most 2B. If 2B < q_j/2, c_3 is an encryption of 
m_1 + m_2 under key s'_j for modulus q_j, i.e., m_1 + m_2 = [[⟨c_3, s'_j⟩]_{q_j}]_2. 

Lemma 7. Let c_1 and c_2 be two ciphertexts under key s_j for modulus q_j, where ‖[⟨c_i, s_j⟩]_{q_j}‖ < B and 
m_i = [[⟨c_i, s_j⟩]_{q_j}]_2. Let the linear equation L^{long}_{c_1,c_2}(x ⊗ x) be as defined above, let c_3 be the coefficient 
vector of this linear equation, and let s'_j = s_j ⊗ s_j. The noise [⟨c_3, s'_j⟩]_{q_j} has length at most γ_R · B². If 
γ_R · B² < q_j/2, c_3 is an encryption of m_1 · m_2 under key s'_j for modulus q_j, i.e., m_1 · m_2 = [[⟨c_3, s'_j⟩]_{q_j}]_2. 




The computation needed to compute the tensored ciphertext c_3 is Õ(d · n_j² · log q_j). For the RLWE instantiation, 
since n_j = 1 and since (as we will see) log q_j depends logarithmically on the security parameter and 
linearly on L, the computation here is only quasi-linear in the security parameter. For the LWE instantiation, 
the computation is quasi-quadratic. 
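The following added example (not part of this report) carries out the multiplication step of FHE.Mult and the zero-padded addition of Lemmas 6 and 7 over Z (γ_R = 1). It builds c_3 as the coefficient vector of L_{c_1}(x) · L_{c_2}(x) read as a linear form in x ⊗ x, stores s_j ⊗ s_j in the reduced form of Lemma 6 with the non-quadratic entries first, and checks that the resulting noise is exactly e_1 · e_2 (resp. e_1 + e_2) and decrypts to m_1 · m_2 (resp. m_1 + m_2). The ciphertexts are constructed from a known key and noise rather than with E.Enc, and the parameter values are chosen for the demonstration.

```python
# Added example (not from the report): the tensoring step of FHE.Mult and
# the zero-padding of FHE.Add (Lemmas 6 and 7) over Z (gamma_R = 1).  The
# ciphertexts are constructed from a known key and noise (an assumption).
import random

rng = random.Random(7)


def centered(x, q):
    x %= q
    return x - q if x > q // 2 else x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def tensor_pairs(n):
    """Index pairs (i, k) with i <= k; the pairs (0, k) come first, so because
    s[0] = 1 the first n entries of s (x) s are 1, s[1], ..., s[n-1]."""
    return [(i, k) for i in range(n) for k in range(i, n)]


def tensor_key(s):
    """s (x) s in reduced form: entry (i, k) is s[i] * s[k]."""
    return [s[i] * s[k] for i, k in tensor_pairs(len(s))]


def mult_ciphertexts(c1, c2, q):
    """Coefficient vector c3 of L^{long}_{c1,c2}(x (x) x) = L_{c1}(x) * L_{c2}(x).
    The x_i x_k term (i < k) collects c1[i] c2[k] + c1[k] c2[i]."""
    c3 = []
    for i, k in tensor_pairs(len(c1)):
        coef = c1[i] * c2[k] if i == k else c1[i] * c2[k] + c1[k] * c2[i]
        c3.append(coef % q)
    return c3


def add_ciphertexts(c1, c2, q):
    """Lemma 6: c' = c1 + c2 padded with zeros so that <c3, s'> = <c', s>."""
    n = len(c1)
    return [(a + b) % q for a, b in zip(c1, c2)] + [0] * (len(tensor_pairs(n)) - n)


def make_ciphertext(s, q, m, e):
    """Random c with <c, s> = m + 2e mod q, i.e. noise m + 2e (requires s[0] = 1)."""
    c = [rng.randrange(q) for _ in s]
    c[0] = (m + 2 * e - dot(c[1:], s[1:])) % q
    return c


def mult_add_demo(q=2 ** 40 - 87, n=4, m1=1, m2=1, e1=1000, e2=-777):
    """Multiply and add two level-j ciphertexts (no Refresh) and check Lemmas 6/7."""
    s = [1] + [rng.randint(-2, 2) for _ in range(n - 1)]
    s_t = tensor_key(s)
    c1, c2 = make_ciphertext(s, q, m1, e1), make_ciphertext(s, q, m2, e2)
    n1, n2 = centered(dot(c1, s), q), centered(dot(c2, s), q)   # the noises e_1, e_2
    B = max(abs(n1), abs(n2))
    c3 = mult_ciphertexts(c1, c2, q)
    c_add = add_ciphertexts(c1, c2, q)
    n3 = centered(dot(c3, s_t), q)
    n_add = centered(dot(c_add, s_t), q)
    return {
        "mult_noise_is_product": n3 == n1 * n2,        # [<c3, s'>]_q = [e1 e2]_q
        "mult_noise_within_B2": abs(n3) <= B * B,      # Lemma 7 with gamma_R = 1
        "mult_decrypts": n3 % 2 == (m1 * m2) % 2,
        "add_noise_within_2B": abs(n_add) <= 2 * B,    # Lemma 6
        "add_decrypts": n_add % 2 == (m1 + m2) % 2,
        "tensored_length": len(c3),                    # binom(n + 1, 2)
    }


if __name__ == "__main__":
    print(mult_add_demo())
```

The tensored ciphertext has binom(n+1, 2) entries for an n-dimensional key, which is the dimension growth that the Refresh procedure of Section 3.4 then undoes.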

4.3 Correctness and Performance of FHE.Refresh 

FHE.Refresh consists of three steps: Expand, Switch Moduli, and Switch Keys. We address each of these 
steps in turn. 

Correctness and Performance of the Expand Step. The Expand step of FHE.Refresh takes as input a long 
ciphertext c under the long tensored key s'_j = s_j ⊗ s_j for modulus q_j. It simply applies the Powersof2 
transformation to c to obtain c_1. By Lemma 2, we know that 

$$\langle \mathrm{Powersof2}(c, q_j), \mathrm{BitDecomp}(s'_j, q_j) \rangle = \langle c, s'_j \rangle \bmod q_j$$

i.e., we know that if s'_j decrypts c correctly, then s''_j decrypts c_1 correctly. The noise has not been affected 
at all. 

If implemented naively, the computation in the Expand step is Õ(d · n_j² · log² q_j). The somewhat high 
computation is due to the fact that the expanded ciphertext is a $\big(\binom{n_j+1}{2} \cdot \lceil \log q_j \rceil\big)$-dimensional vector over 
R_q. 

However, recall that s_j is drawn using the distribution χ, i.e., it has small coefficients of size basically 
independent of q_j. Consequently, s'_j also has small coefficients, and we can use this a priori knowledge 
in combination with an optimized version of BitDecomp to output a shorter bit decomposition of s'_j; in 
particular, a $\big(\binom{n_j+1}{2} \cdot \lceil \log q' \rceil\big)$-dimensional vector over R_q where q' ≪ q_j is a bound (with overwhelming 
probability) on the coefficients of elements output by χ. Similarly, we can use an abbreviated version of 
Powersof2(c, q_j). In this case, the computation is Õ(d · n_j² · log q_j). 

Correctness and Performance of the Switch-Moduli Step. The Switch Moduli step takes as input a ciphertext 
c_1 under the secret bit-vector s''_j for the modulus q_j, and outputs the ciphertext c_2 ← Scale(c_1, q_j, q_{j−1}, 2), 
which we claim to be a ciphertext under key s''_j for modulus q_{j−1}. Note that s''_j is a short secret key, since it 
is a bit vector in $R_2^{t_j}$ for $t_j \le \binom{n_j+1}{2} \cdot \lceil \log q_j \rceil$. By Corollary 1, and using the fact that $\ell_1^{(R)}(s''_j) \le \sqrt{d} \cdot t_j$, the 
following is true: if the noise of c_1 has length at most B < q_j/2 − (q_j/q_{j−1}) · d · γ_R · t_j, then correctness 
is preserved and the noise of c_2 is bounded by (q_{j−1}/q_j) · B + d · γ_R · t_j. Of course, the key feature of this 
step for our purposes is that switching moduli may reduce the length of the noise when q_{j−1} < q_j. 

We  capture  the  correctness  of  the  Switch-Moduli  step  in  the  following  lemma. 

Lemma 8. Let c_1 be a ciphertext under the key s''_j = BitDecomp(s_j ⊗ s_j, q_j) such that e_j ← [⟨c_1, s''_j⟩]_{q_j} 
has length at most B and m = [e_j]_2. Let c_2 ← Scale(c_1, q_j, q_{j−1}, 2), and let e_{j−1} = [⟨c_2, s''_j⟩]_{q_{j−1}}. Then, 
e_{j−1} (the new noise) has length at most $(q_{j-1}/q_j) \cdot B + d \cdot \gamma_R \cdot \binom{n_j+1}{2} \cdot \lceil \log q_j \rceil$, and (assuming this noise 
length is less than q_{j−1}/2) we have m = [e_{j−1}]_2. 

The computation in the Switch-Moduli step is Õ(d · n_j² · log q_j), using the optimized versions of BitDecomp 
and Powersof2 mentioned above. 

Correctness and Performance of the Switch-Key Step. Finally, in the Switch Keys step, we take as input a 
ciphertext c_2 under key s''_j for modulus q_{j−1} and set c_3 ← SwitchKey(τ_{s''_j→s_{j−1}}, c_2, q_{j−1}), a ciphertext under 
the key s_{j−1} for modulus q_{j−1}. In Lemma 3, we proved the correctness of key switching and established 
that the noise grows only by the additive factor 2⟨BitDecomp(c_2, q_{j−1}), e⟩, where BitDecomp(c_2, q_{j−1}) is 
a (short) bit-vector and e is a (short and fresh) noise vector. In particular, if the noise originally had length 
B, then after the Switch Keys step it has length at most $B + 2 \cdot \gamma_R \cdot \sum_{i=1}^{u_j} \|\mathrm{BitDecomp}(c_2, q_{j-1})[i]\| \cdot B_\chi \le B + 2 \cdot \gamma_R \cdot u_j \cdot \sqrt{d} \cdot B_\chi$, 
where $u_j \le \binom{n_j+1}{2} \cdot \lceil \log q_j \rceil \cdot \lceil \log q_{j-1} \rceil$ is the dimension of BitDecomp(c_2). 

We capture the correctness of the Switch-Key step in the following lemma. 

Lemma 9. Let c_2 be a ciphertext under the key s''_j = BitDecomp(s_j ⊗ s_j, q_j) for modulus q_{j−1} such that 
e_1 ← [⟨c_2, s''_j⟩]_{q_{j−1}} has length at most B and m = [e_1]_2. Let c_3 ← SwitchKey(τ_{s''_j→s_{j−1}}, c_2, q_{j−1}), and let 
e_2 = [⟨c_3, s_{j−1}⟩]_{q_{j−1}}. Then, e_2 (the new noise) has length at most $B + 2 \cdot \gamma_R \cdot \binom{n_j+1}{2} \cdot \lceil \log q_j \rceil^2 \cdot \sqrt{d} \cdot B_\chi$ 
and (assuming this noise length is less than q_{j−1}/2) we have m = [e_2]_2. 

In terms of computation, the Switch-Key step involves multiplying the transpose of the u_j-dimensional 
vector BitDecomp(c_2) with a u_j × (n_{j−1} + 1) matrix B. Assuming n_j ≥ n_{j−1} and q_j ≥ q_{j−1}, and using 
the optimized versions of BitDecomp and Powersof2 mentioned above to reduce u_j, this computation is 
Õ(d · n_j³ · log² q_j). Still this is quasi-linear in the RLWE instantiation. 

4.4  Putting  the  Pieces  Together:  Parameters,  Correctness,  Performance 

So far we have established that the scheme is correct, assuming that the noise does not wrap modulo q_j or 
q_{j−1}. Now we need to show that we can set the parameters of the scheme to ensure that such wrapping never 
occurs. 

Our strategy for setting the parameters is to pick a “universal” bound B on the noise length, and then 
prove, for all j, that a valid ciphertext under key s_j for modulus q_j has noise length at most B. This bound B 
is quite small: polynomial in λ and log q_L, where q_L is the largest modulus in our ladder. It is clear that such 
a bound B holds for fresh ciphertexts output by FHE.Enc. (Recall the discussion from Section 3.1 where we 
explained that we use a noise distribution χ that is essentially independent of the modulus.) The remainder 
of the proof is by induction, i.e., we will show that if the bound holds for two ciphertexts c_1, c_2 at level 
j, our lemmas above imply that the bound also holds for the ciphertext c' ← FHE.Mult(pk, c_1, c_2) at level 
j − 1. (FHE.Mult increases the noise strictly more in the worst case than FHE.Add for any reasonable 
choice of parameters.) 

Specifically, after the first step of FHE.Mult (without the Refresh step), the noise has length at most 
γ_R · B². Then, we apply the Scale function, after which the noise length is at most (q_{j−1}/q_j) · γ_R · B² + 
η_{Scale,j}, where η_{Scale,j} is some additive term. Finally, we apply the SwitchKey function, which introduces 
another additive term η_{SwitchKey,j}. Overall, after the entire FHE.Mult step, the noise length is at most 
(q_{j−1}/q_j) · γ_R · B² + η_{Scale,j} + η_{SwitchKey,j}. We want to choose our parameters so that this bound is at most 
B. Suppose we set our ladder of moduli and the bound B such that the following two properties hold: 

• Property 1: B ≥ 2 · (η_{Scale,j} + η_{SwitchKey,j}) for all j. 

• Property 2: q_j/q_{j−1} ≥ 2 · B · γ_R for all j. 

Then we have 

$$(q_{j-1}/q_j) \cdot \gamma_R \cdot B^2 + \eta_{\mathrm{Scale},j} + \eta_{\mathrm{SwitchKey},j} \le \frac{1}{2 \cdot B \cdot \gamma_R} \cdot \gamma_R \cdot B^2 + \frac{B}{2} = B$$

It only remains to set our ladder of moduli and B so that Properties 1 and 2 hold. 

Unfortunately, there is some circularity in Properties 1 and 2: q_L depends on B, which depends on q_L, 
albeit only polylogarithmically. However, it is easy to see that this circularity is not fatal. As a non-optimized 
example to illustrate this, set B = λ^a · L^b for very large constants a and b, and set $q_j \approx 2^{(j+1) \cdot \omega(\log \lambda + \log L)}$. 
If a and b are large enough, B dominates η_{Scale,j} + η_{SwitchKey,j}, which is polynomial in λ and log q_L, and 
hence polynomial in λ and L (Property 1 is satisfied). Since q_j/q_{j−1} is super-polynomial in both λ and L, it 
dominates 2 · B · γ_R (Property 2 is satisfied). In fact, it works fine to set q_j as a modulus having (j + 1) · μ 
bits for some μ = θ(log λ + log L) with small hidden constant. 

Overall, we have that q_L, the largest modulus used in the system, is θ(L · (log λ + log L)) bits, and d · n_L 
must be approximately that number times λ for 2^λ security. 
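The following added example (not part of this report) runs the inductive argument of this subsection numerically: it builds a ladder of moduli with (j + 1) · μ bits, checks Properties 1 and 2, and carries the worst-case noise bound (q_{j−1}/q_j) · γ_R · B² + η_j from level L down to level 0, once for a ladder that satisfies the properties and once for one that does not. The per-level additive term η_j = η_{Scale,j} + η_{SwitchKey,j}, the universal bound B and the fresh-ciphertext noise are constructed placeholder values rather than the report's bounds, and γ_R = 1 corresponds to R = Z.

```python
# Added example (not from the report): the inductive noise bound of Section
# 4.4 evaluated over a ladder of moduli.  eta_j, B, the fresh noise and the
# ladder parameters are constructed placeholders, not the report's bounds.
from fractions import Fraction


def modulus_ladder(L, mu):
    """q_j with (j + 1) * mu bits for j = 0..L; 2^k - 1 is odd, so q_j = 1 mod 2."""
    return [2 ** ((j + 1) * mu) - 1 for j in range(L + 1)]


def properties_hold(q, B, gamma_R, eta):
    """Property 1: B >= 2 * eta_j; Property 2: q_j / q_{j-1} >= 2 * B * gamma_R (all j >= 1)."""
    p1 = all(B >= 2 * eta[j] for j in range(1, len(q)))
    p2 = all(Fraction(q[j], q[j - 1]) >= 2 * B * gamma_R for j in range(1, len(q)))
    return p1 and p2


def noise_after_mult(noise_j, q_j, q_prev, gamma_R, eta_j):
    """Worst case after FHE.Mult at level j followed by Refresh to level j - 1:
    (q_{j-1} / q_j) * gamma_R * noise^2 + eta_j."""
    return Fraction(q_prev, q_j) * gamma_R * noise_j ** 2 + eta_j


def noise_down_the_ladder(q, gamma_R, eta, fresh_noise):
    """Carry the worst-case noise from level L (fresh ciphertext) down to level 0,
    one multiplication per level; returns the bounds for levels L, L-1, ..., 0."""
    L = len(q) - 1
    bounds = [Fraction(fresh_noise)]
    for j in range(L, 0, -1):
        bounds.append(noise_after_mult(bounds[-1], q[j], q[j - 1], gamma_R, eta[j]))
    return bounds


def ladder_is_safe(q, B, gamma_R, eta, fresh_noise):
    """True when every level's noise stays <= B and B itself is below q_0 / 2."""
    bounds = noise_down_the_ladder(q, gamma_R, eta, fresh_noise)
    return all(b <= B for b in bounds) and B < Fraction(q[0], 2)


if __name__ == "__main__":
    L, B = 5, 4096
    eta = [1000] * (L + 1)            # eta[0] is unused (no Refresh below level 0)
    good, bad = modulus_ladder(L, 30), modulus_ladder(L, 10)
    print(properties_hold(good, B, 1, eta), ladder_is_safe(good, B, 1, eta, 3000))
    print(properties_hold(bad, B, 1, eta), ladder_is_safe(bad, B, 1, eta, 3000))
```

With μ = 30 the ratio q_j/q_{j−1} is about 2^30, far above 2 · B · γ_R, and the noise settles just above η_j at every level; with μ = 10 Property 2 fails and the squared term is no longer damped, so the bound overshoots B after a single multiplication and keeps growing.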

Theorem 3. For some μ = θ(log λ + log L), FHE is a correct L-leveled FHE scheme; specifically, it 
correctly evaluates circuits of depth L with Add and Mult gates over R_2. The per-gate computation is 
Õ(d · n_L³ · log² q_L) = Õ(d · n_L³ · L²). For the LWE case (where d = 1), the per-gate computation is 
Õ(λ³ · L⁵). For the RLWE case (where n = 1), the per-gate computation is Õ(λ · L³). 

The bottom line is that we have an RLWE-based leveled FHE scheme with per-gate computation that is 
only quasi-linear in the security parameter, albeit with somewhat high dependence on the number of levels 
in the circuit. 

Let us pause at this point to reconsider the performance of previous FHE schemes in comparison to our 
new scheme. Specifically, as we discussed in the Introduction, in previous SWHE schemes, the ciphertext 
size is at least Õ(λ · d²), where d is the degree of the circuit being evaluated. One may view our new scheme 
as a very powerful SWHE scheme in which this dependence on degree has been replaced with a similar 
dependence on depth. (Recall the degree of a circuit may be exponential in its depth.) Since polynomial-size 
circuits have polynomial depth, which is certainly not true of degree, our scheme can efficiently evaluate 
arbitrary circuits without resorting to bootstrapping. 

4.5  Security 

The security of FHE follows by a standard hybrid argument from the security of E, the basic scheme described 
in Section 3.1. We omit the details. 

5  Optimizations 

Despite the fact that our new FHE scheme has per-gate computation only quasi-linear in the security parameter, 
we present several significant ways of optimizing it. We focus primarily on the RLWE-based scheme, 
since it is much more efficient. 

Our first optimization is batching. Batching allows us to reduce the per-gate computation from quasi-linear 
in the security parameter to polylogarithmic. In more detail, we show that evaluating a function f 
homomorphically on ℓ = Ω(λ) blocks of encrypted data requires only polylogarithmically (in terms of the 
security parameter λ) more computation than evaluating f on the unencrypted data. (The overhead is still 
polynomial in the depth L of the circuit computing f.) Batching works essentially by packing multiple 
plaintexts into each ciphertext. 

Next, we reintroduce bootstrapping as an optimization rather than a necessity (Section 5.2). Bootstrapping 
allows us to achieve per-gate computation quasi-quadratic in the security parameter, independent of 
the number of levels in the circuit being evaluated. 

In Section 5.3, we show that batching the bootstrapping function is a powerful combination. With this 
optimization, circuits whose levels mostly have width at least λ can be evaluated homomorphically with 
only Õ(λ) per-gate computation, independent of the number of levels. 

Finally, Section 5.5 presents a few other miscellaneous optimizations. 

5.1  Batching 

Suppose we want to evaluate the same function f on ℓ blocks of encrypted data. (Or, similarly, suppose we 
want to evaluate the same encrypted function f on ℓ blocks of plaintext data.) Can we do this using less than 
ℓ times the computation needed to evaluate f on one block of data? Can we batch? 

For example, consider a keyword search function that returns ‘1’ if the keyword is present in the data 
and ‘0’ if it is not. The keyword search function is mostly composed of a large number of equality tests that 
compare the target word w to all of the different subsequences of data; this is followed up by an OR of the 
equality test results. All of these equality tests involve running the same w-dependent function on different 
blocks of data. If we could batch these equality tests, it could significantly reduce the computation needed 
to perform keyword search homomorphically. 

If  we  use  bootstrapping  as  an  optimization  (see  Section  5.2),  then  obviously  we  will  be  running  the 
decryption  function  homomorphically  on  multiple  blocks  of  data  -  namely,  the  multiple  ciphertexts  that 
need  to  be  refreshed.  Can  we  batch  the  bootstrapping  function?  If  we  could,  then  we  might  be  able  to 
drastically  reduce  the  average  per-gate  cost  of  bootstrapping. 

Smart  and  Vercauteren  [21]  were  the  first  to  rigorously  analyze  batching  in  the  context  of  FHE.  In 
particular,  they  observed  that  ideal-lattice-based  (and  RLWE-based)  ciphertexts  can  have  many  plaintext 
slots,  associated  to  the  factorization  of  the  plaintext  space  into  algebraic  ideals. 

When we apply batching to our new RLWE-based FHE scheme, the results are pretty amazing. Evaluating $f$ homomorphically on $\ell = \Omega(\lambda)$ blocks of encrypted data requires only polylogarithmically (in terms of the security parameter $\lambda$) more computation than evaluating $f$ on the unencrypted data. (The overhead is still polynomial in the depth $L$ of the circuit computing $f$.) As we will see later, for circuits whose levels mostly have width at least $\lambda$, batching the bootstrapping function (i.e., batching homomorphic evaluation of the decryption function) allows us to reduce the per-gate computation of our bootstrapped scheme from $\tilde{O}(\lambda^2)$ to $\tilde{O}(\lambda)$ (independent of $L$).

To make the exposition a bit simpler, in our RLWE-based instantiation where $R = \mathbb{Z}[x]/(x^d + 1)$, we will not use $R_2$ as our plaintext space, but instead use a plaintext space $R_p$ that is isomorphic to the direct product $R_{\mathfrak{p}_1} \times \cdots \times R_{\mathfrak{p}_d}$ of many plaintext spaces (think Chinese remaindering), so that evaluating a function once over $R_p$ implicitly evaluates the function many times in parallel over the respective smaller plaintext spaces. The $\mathfrak{p}_i$'s will be ideals in our ring $R = \mathbb{Z}[x]/(x^d + 1)$. (One could still use $R_2$ as in [21], but the number theory there is a bit more involved.)

5.1.1  Some  Number  Theory 

Let us take a very brief tour of algebraic number theory. Suppose $p$ is a prime number satisfying $p \equiv 1 \bmod 2d$, and let $a$ be a primitive $2d$-th root of unity modulo $p$. Then $x^d + 1$ factors completely into linear polynomials modulo $p$; in particular, $x^d + 1 = \prod_{i=1}^{d} (x - a_i) \bmod p$ where $a_i = a^{2i-1} \bmod p$. In some sense, the converse of the above statement is also true, and this is the essence of reciprocity; namely, in the ring $R = \mathbb{Z}[x]/(x^d + 1)$ the prime integer $p$ is not actually prime, but rather it splits completely into prime ideals in $R$, i.e., $p = \prod_{i=1}^{d} \mathfrak{p}_i$. The ideal $\mathfrak{p}_i$ equals $(p, x - a_i)$, namely the set of all $R$-elements that can be expressed as $r_1 \cdot p + r_2 \cdot (x - a_i)$ for some $r_1, r_2 \in R$. Each ideal $\mathfrak{p}_i$ has norm $p$; that is, roughly speaking, a $1/p$ fraction of $R$-elements are in $\mathfrak{p}_i$, or, more formally, the $p$ cosets $0 + \mathfrak{p}_i, \ldots, (p-1) + \mathfrak{p}_i$ partition $R$. These ideals are relatively prime, and so they behave like relatively prime integers. In particular, the Chinese Remainder Theorem applies: $R_p \cong R_{\mathfrak{p}_1} \times \cdots \times R_{\mathfrak{p}_d}$.

Although the prime ideals $\{\mathfrak{p}_i\}$ are relatively prime, they are close siblings, and it is easy, in some sense, to switch from one to another. One fact that we will use (when we finally apply batching to bootstrapping) is that, for any $i, j$ there is an automorphism $\sigma_{i \to j}$ over $R$ that maps elements of $\mathfrak{p}_i$ to elements of $\mathfrak{p}_j$. Specifically, $\sigma_{i \to j}$ works by mapping an $R$-element $r = r(x) = r_{d-1} x^{d-1} + \cdots + r_1 x + r_0$ to $r(x^{e_{ij}}) = r_{d-1} x^{e_{ij}(d-1) \bmod 2d} + \cdots + r_1 x^{e_{ij}} + r_0$ where $e_{ij}$ is some odd number in $[1, 2d]$. Notice that this automorphism just permutes the coefficients of $r$ and fixes the free coefficient. Notationally, we will use $\sigma_{i \to j}(\mathbf{v})$ to refer to the vector that results from applying $\sigma_{i \to j}$ coefficient-wise to $\mathbf{v}$.
5.1.2 How Batching Works

Deploying batching inside our scheme FHE is quite straightforward. First, we pick a prime $p \equiv 1 \bmod 2d$ of size polynomial in the security parameter. (One should exist under the GRH.)

The next step is simply to recognize that our scheme FHE works just fine when we replace the original plaintext space $R_2$ with $R_p$. There is nothing especially magical about the number 2. In the basic scheme E described in Section 3.1, E.PublicKeyGen($params$, $sk$) is modified in the obvious way so that $A \cdot s = p \cdot e$ rather than $2 \cdot e$. (This modification induces a similar modification in SwitchKeyGen.) Decryption becomes $m = [[\langle c, s \rangle]_q]_p$. Homomorphic operations use mod-$p$ gates rather than boolean gates, and it is easy (if desired) to emulate boolean gates with mod-$p$ gates; e.g., we can compute $\mathrm{XOR}(a, b)$ for $(a, b) \in \{0, 1\}^2$ using mod-$p$ gates for any $p$ as $a + b - 2ab$. For modulus switching, we use $\mathrm{Scale}(c_1, q_j, q_{j-1}, p)$ rather than $\mathrm{Scale}(c_1, q_j, q_{j-1}, 2)$. The larger rounding error from this new scaling procedure increases the noise slightly, but this additive noise is still polynomial in the security parameter and the number of levels, and thus is still consistent with our setting of parameters. In short, FHE can easily be adapted to work with a plaintext space $R_p$ for $p$ of polynomial size.

The final step is simply to recognize that, by the Chinese Remainder Theorem, evaluating an arithmetic circuit over $R_p$ on input $\mathbf{x} \in R_p^n$ implicitly evaluates, for each $i$, the same arithmetic circuit over $R_{\mathfrak{p}_i}$ on input $\mathbf{x}$ projected down to $R_{\mathfrak{p}_i}^n$. The evaluations modulo the various prime ideals do not "mix" or interact with each other.

Theorem 4. Let $p \equiv 1 \bmod 2d$ be a prime of size polynomial in $\lambda$. The RLWE-based instantiation of FHE using the ring $R = \mathbb{Z}[x]/(x^d + 1)$ can be adapted to use the plaintext space $R_p = \bigotimes_{i=1}^{d} R_{\mathfrak{p}_i}$ while preserving correctness and the same asymptotic performance. For any boolean circuit $f$ of depth $L$, the scheme can homomorphically evaluate $f$ on $\ell$ sets of inputs with per-gate computation $\tilde{O}(\lambda \cdot L^3 / \min\{d, \ell\})$.

When $\ell > \lambda$, the per-gate computation is only polylogarithmic in the security parameter (still cubic in $L$).

5.2  Bootstrapping  as  an  Optimization 

Bootstrapping  is  no  longer  strictly  necessary  to  achieve  leveled  FHE.  However,  in  some  settings,  it  may  have 
some  advantages: 

•  Performance:  The  per-gate  computation  is  independent  of  the  depth  of  the  circuit  being  evaluated. 

•  Flexibility:  Assuming  circular  security,  a  bootstrapped  scheme  can  perform  homomorphic  evaluations 
indefinitely  without  needing  to  specify  in  advance,  during  Setup,  a  bound  on  the  number  of  circuit 
levels. 

•  Memory:  Bootstrapping  permits  short  ciphertexts  -  e.g.,  encrypted  using  AES  -  to  be  de-compressed 
to  longer  ciphertexts  that  permit  homomorphic  operations.  Bootstrapping  allows  us  to  save  memory 
by  storing  data  encrypted  in  the  compressed  form  -  e.g.,  under  AES. 

Here, we revisit bootstrapping, viewing it as an optimization rather than a necessity. We also reconsider the scheme FHE that we described in Section 3, viewing the scheme not as an end in itself, but rather as a very powerful SWHE whose performance degrades polynomially in the depth of the circuit being evaluated, as opposed to previous SWHE schemes whose performance degrades polynomially in the degree. In particular, we analyze how efficiently it can evaluate its decryption function, as needed to bootstrap. Not surprisingly, our faster SWHE scheme can also bootstrap faster. The decryption function has only logarithmic depth and can be evaluated homomorphically in time quasi-quadratic in the security parameter (for the RLWE instantiation), giving a bootstrapped scheme with quasi-quadratic per-gate computation overall.
5.2.1 Decryption as a Circuit of Quasi-Linear Size and Logarithmic Depth

Recall that the decryption function is $m = [[\langle c, s \rangle]_q]_2$. Suppose that we are given the "bits" (elements in $R_2$) of $s$ as input, and we want to compute $[[\langle c, s \rangle]_q]_2$ using an arithmetic circuit that has Add and Mult gates over $R_2$. (When we bootstrap, of course we are given the bits of $s$ in encrypted form.) Note that we will run the decryption function homomorphically on level-0 ciphertexts, i.e., when $q$ is small, only polynomial in the security parameter. What is the complexity of this circuit? Most importantly for our purposes, what is its depth and size? The answer is that we can perform decryption with $\tilde{O}(\lambda)$ computation and $O(\log \lambda)$ depth. Thus, in the RLWE instantiation, we can evaluate the decryption function homomorphically using our new scheme with quasi-quadratic computation. (For the LWE instantiation, the bootstrapping computation is quasi-quartic.)

First, let us consider the LWE case, where $c$ and $s$ are $n$-dimensional integer vectors. Obviously, each product $c[i] \cdot s[i]$ can be written as the sum of at most $\log q$ "shifts" of $s[i]$. These horizontal shifts of $s[i]$ use at most $2 \log q$ columns. Thus, $\langle c, s \rangle$ can be written as the sum of $n \cdot \log q$ numbers, where each number has $2 \log q$ digits. As discussed in [8], we can use the three-for-two trick, which takes as input three numbers in binary (of arbitrary length) and outputs (using constant depth) two binary numbers with the same sum. Thus, with $O(\log(n \cdot \log q)) = O(\log n + \log \log q)$ depth and $O(n \log^2 q)$ computation, we obtain two numbers with the desired sum, each having $O(\log n + \log q)$ bits. We can sum the final two numbers with $O(\log \log n + \log \log q)$ depth and $O(\log n + \log q)$ computation. So far, we have used depth $O(\log n + \log \log q)$ and $O(n \log^2 q)$ computation to compute $\langle c, s \rangle$. Reducing this value modulo $q$ is an operation akin to division, for which there are circuits of size $\mathrm{polylog}(q)$ and depth $\log \log q$. Finally, reducing modulo 2 just involves dropping the most significant bits. Overall, since we are interested only in the case where $\log q = O(\log \lambda)$, we have that decryption requires $\tilde{O}(\lambda)$ computation and depth $O(\log \lambda)$.

For the RLWE case, we can use the $R_2$ plaintext space to emulate the simpler plaintext space $\mathbb{Z}_2$. Using $\mathbb{Z}_2$, the analysis is basically the same as above, except that we mention that the DFT is used to multiply elements in $R$.
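The LWE decryption circuit just described, as an added illustration in Python that is not code from the report: each product $c[i] \cdot s[i]$ is expanded into shifted copies of $s[i]$, the three-for-two trick reduces the pile of addends to two numbers while counting the constant-depth rounds it uses, and a final carry-propagate addition, a centered reduction modulo $q$, and a reduction modulo 2 recover the message bit. The vectors, the modulus $q = 97$ and the function names are constructed for the example (with non-negative entries in $s$, so the bitwise operators act on plain binary strings); the circuit's answer is checked against ordinary integer arithmetic.

```python
# Added example (not the report's code): the decryption circuit [[<c,s>]_q]_2
# assembled from the three-for-two (carry-save) trick. Constructed toy parameters.


def three_for_two(a: int, b: int, c: int):
    """Bitwise full adder: (a, b, c) -> (s, carry) with a + b + c == s + carry.
    Each output bit depends on three input bits only, so this step has constant depth."""
    s = a ^ b ^ c                                  # sum bit at each position
    carry = ((a & b) | (a & c) | (b & c)) << 1     # majority bit, shifted one position left
    return s, carry


def reduce_to_two(nums):
    """Apply three_for_two to disjoint triples until two numbers remain.
    Returns (remaining numbers, number of constant-depth rounds used)."""
    nums = list(nums)
    rounds = 0
    while len(nums) > 2:
        nxt = []
        full = len(nums) - len(nums) % 3           # count of numbers that form complete triples
        for i in range(0, full, 3):
            s, c = three_for_two(nums[i], nums[i + 1], nums[i + 2])
            nxt.extend([s, c])
        nxt.extend(nums[full:])                    # leftover one or two numbers pass through
        nums = nxt
        rounds += 1
    return nums, rounds


def shifted_addends(c, s):
    """Write <c, s> as a sum of shifts of s[i]: one copy of s[i] << bit per set bit of c[i]."""
    out = []
    for ci, si in zip(c, s):
        for bit in range(ci.bit_length()):
            if (ci >> bit) & 1:
                out.append(si << bit)
    return out


def centered_mod(x: int, q: int) -> int:
    """[x]_q: the representative of x mod q in (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r


def decrypt_via_circuit(c, s, q):
    """Evaluate m = [[<c,s>]_q]_2 the way the circuit does.
    Returns (message bit, three-for-two rounds used)."""
    addends = shifted_addends(c, s)
    two, rounds = reduce_to_two(addends)
    total = sum(two)                               # one final carry-propagate addition
    noise = centered_mod(total, q)                 # the division-like reduction mod q
    return noise % 2, rounds                       # the message sits in the low bit


def decrypt_direct(c, s, q):
    """Reference value computed with ordinary integer arithmetic."""
    return centered_mod(sum(ci * si for ci, si in zip(c, s)), q) % 2


# Constructed toy instance: n = 4, odd modulus q = 97, non-negative secret entries.
C_TOY = [13, 57, 2, 90]
S_TOY = [1, 5, 3, 7]
Q_TOY = 97

if __name__ == "__main__":
    bit, rounds = decrypt_via_circuit(C_TOY, S_TOY, Q_TOY)
    print(f"circuit bit {bit} after {rounds} three-for-two rounds; "
          f"reference bit {decrypt_direct(C_TOY, S_TOY, Q_TOY)}")
```

The round count grows like $\log_{3/2}$ of the number of addends, which is the $O(\log(n \cdot \log q))$ depth term in the analysis; the final addition and the reduction modulo $q$ are left to Python's integer arithmetic since the text only needs their depth bounds.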

In  practice,  it  would  be  useful  to  tighten  up  this  analysis  by  reducing  the  polylogarithmic  factors  in 
the  computation  and  the  constants  in  the  depth.  Most  likely  this  could  be  done  by  evaluating  decryption 
using  symmetric  polynomials  [8,  9]  or  with  a  variant  of  the  “grade-school  addition”  approach  used  in  the 
Gentry-Halevi  implementation  [10]. 

5.2.2  Bootstrapping  Lazily 

Bootstrapping is rather expensive computationally. In particular, the cost of bootstrapping a ciphertext is greater than the cost of a homomorphic operation by approximately a factor of $\lambda$. This suggests the question: can we lower per-gate computation of a bootstrapped scheme by bootstrapping lazily, i.e., applying the refresh procedure only at a $1/L$ fraction of the circuit levels for some well-chosen $L$ [11]? Here we show that the answer is yes. By bootstrapping lazily for $L = \Theta(\log \lambda)$, we can lower the per-gate computation by a logarithmic factor.

Let us present this result somewhat abstractly. Suppose that the per-gate computation for an $L$-level no-bootstrapping FHE scheme is $f(\lambda, L) = \lambda^{a_1} \cdot L^{a_2}$. (We ignore logarithmic factors in $f$, since they will not affect the analysis, but one can imagine that they add a very small $\epsilon$ to the exponent.) Suppose that bootstrapping a ciphertext requires a $c$-depth circuit. Since we want to be capable of evaluating depth $L$ after evaluating the $c$ levels needed to bootstrap a ciphertext, the bootstrapping procedure needs to begin with ciphertexts that can be used in a $(c + L)$-depth circuit. Consequently, let us say that the computation needed to bootstrap a ciphertext is $g(\lambda, c + L)$ where $g(\lambda, x) = \lambda^{b_1} \cdot x^{b_2}$. The overall per-gate computation is approximately $f(\lambda, L) + g(\lambda, c + L)/L$, a quantity that we seek to minimize.
We have the following lemma.

Lemma 10. Let $f(\lambda, L) = \lambda^{a_1} \cdot L^{a_2}$ and $g(\lambda, L) = \lambda^{b_1} \cdot L^{b_2}$ for constants $b_1 > a_1$ and $b_2 > a_2 > 1$. Let $h(\lambda, L) = f(\lambda, L) + g(\lambda, c + L)/L$ for $c = \Theta(\log \lambda)$. Then, for fixed $\lambda$, $h(\lambda, L)$ has a minimum for $L \in [(c - 1)/(b_2 - 1),\ c/(b_2 - 1)]$, i.e., at some $L = \Theta(\log \lambda)$.

Proof. Clearly $h(\lambda, L) = +\infty$ at $L = 0$, then it decreases toward a minimum, and finally it eventually increases again as $L$ goes toward infinity. Thus, $h(\lambda, L)$ has a minimum at some positive value of $L$. Since $f(\lambda, L)$ is monotonically increasing (i.e., the derivative is positive), the minimum must occur where the derivative of $g(\lambda, c + L)/L$ is negative. We have

$$\frac{d}{dL}\,\frac{g(\lambda, c + L)}{L} = \frac{g'(\lambda, c + L)}{L} - \frac{g(\lambda, c + L)}{L^2} = \frac{b_2 \cdot \lambda^{b_1} \cdot (c + L)^{b_2 - 1}}{L} - \frac{\lambda^{b_1} \cdot (c + L)^{b_2}}{L^2} = \frac{\lambda^{b_1} \cdot (c + L)^{b_2 - 1}}{L^2} \cdot (b_2 \cdot L - c - L),$$

which becomes positive when $L > c/(b_2 - 1)$, i.e., the derivative is negative only when $L = O(\log \lambda)$. For $L < (c - 1)/(b_2 - 1)$, we have that the above derivative is less than $-\lambda^{b_1} \cdot (c + L)^{b_2 - 1}/L^2$, which dominates the positive derivative of $f$. Therefore, for a large enough value of $\lambda$, the value $h(\lambda, L)$ has its minimum at some $L \in [(c - 1)/(b_2 - 1),\ c/(b_2 - 1)]$. $\square$

This lemma basically says that, since homomorphic decryption takes $O(\log \lambda)$ levels and its cost is super-linear and dominates that of normal homomorphic operations (FHE.Add and FHE.Mult), it makes sense to bootstrap lazily, in particular, once every $\Theta(\log \lambda)$ levels. (If one bootstrapped even more lazily than this, the super-linear cost of bootstrapping begins to ensure that the (amortized) per-gate cost of bootstrapping alone is increasing.) It is easy to see that, since the per-gate computation is dominated by bootstrapping, bootstrapping lazily every $\Theta(\log \lambda)$ levels reduces the per-gate computation by a factor of $\Theta(\log \lambda)$.
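An added numerical check of Lemma 10 in Python (not part of the report): with constructed exponents $a_1 = 1$, $a_2 = 2$, $b_1 = 2$, $b_2 = 3$, bootstrapping depth $c = \log_2 \lambda$ and $\lambda = 2^{20}$, the code evaluates $h(\lambda, L)$ exactly in rational arithmetic, finds the integer $L$ that minimizes it, confirms that this $L$ falls in the lemma's interval $[(c - 1)/(b_2 - 1),\ c/(b_2 - 1)]$, evaluates the closed-form derivative from the proof on either side of $c/(b_2 - 1)$, and reports the factor saved over refreshing at every level. The constants and function names are the example's own.

```python
# Added example (not the report's code): Lemma 10 checked on constructed constants.
from fractions import Fraction
from math import log2


def h(lam, L, a1, a2, b1, b2, c):
    """Per-gate cost h(λ, L) = f(λ, L) + g(λ, c + L)/L with
    f(λ, L) = λ^a1 · L^a2 and g(λ, x) = λ^b1 · x^b2, in exact rational arithmetic."""
    f = Fraction(lam) ** a1 * Fraction(L) ** a2
    g = Fraction(lam) ** b1 * Fraction(c + L) ** b2
    return f + g / L


def d_amortized_bootstrap(lam, L, b1, b2, c):
    """Closed form from the proof of Lemma 10:
    d/dL [g(λ, c + L)/L] = (λ^b1 · (c + L)^(b2 - 1) / L^2) · (b2·L - c - L)."""
    return (Fraction(lam) ** b1 * Fraction(c + L) ** (b2 - 1) / Fraction(L) ** 2
            * (b2 * L - c - L))


def best_refresh_interval(lam, a1, a2, b1, b2, c, max_L=None):
    """Integer L (levels between refreshes) minimizing h over 1..max_L."""
    max_L = max_L or 4 * c
    return min(range(1, max_L + 1), key=lambda L: h(lam, L, a1, a2, b1, b2, c))


def lemma_interval(b2, c):
    """[(c - 1)/(b2 - 1), c/(b2 - 1)]: where Lemma 10 places the minimum."""
    return Fraction(c - 1, b2 - 1), Fraction(c, b2 - 1)


def lazy_speedup(lam, a1, a2, b1, b2, c):
    """Factor saved by refreshing every L* levels instead of every level."""
    L_star = best_refresh_interval(lam, a1, a2, b1, b2, c)
    return h(lam, 1, a1, a2, b1, b2, c) / h(lam, L_star, a1, a2, b1, b2, c)


# Constructed constants: f(λ, L) = λ·L^2 and g(λ, x) = λ^2·x^3 (so b1 > a1 and b2 > a2 > 1),
# a bootstrapping circuit of depth c = log2 λ, and λ = 2^20.
LAM = 2 ** 20
A1, A2, B1, B2 = 1, 2, 2, 3
C_DEPTH = int(log2(LAM))

if __name__ == "__main__":
    L_star = best_refresh_interval(LAM, A1, A2, B1, B2, C_DEPTH)
    lo, hi = lemma_interval(B2, C_DEPTH)
    print(f"argmin L = {L_star}; lemma interval [{lo}, {hi}]")
    print(f"speedup over refreshing every level: "
          f"{float(lazy_speedup(LAM, A1, A2, B1, B2, C_DEPTH)):.2f}x")
```

Exact rationals are used because $\lambda^{b_1} \cdot (c + L)^{b_2}$ is already around $10^{16}$ for these constants, where floating point would blur the differences between neighbouring values of $L$.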

5.3  Batching  the  Bootstrapping  Operation 

Suppose  that  we  are  evaluating  a  circuit  homomorphically,  that  we  are  currently  at  a  level  in  the  circuit  that 
has  at  least  d  gates  (where  d  is  the  dimension  of  our  ring),  and  that  we  want  to  bootstrap  (refresh)  all  of 
the  ciphertexts  corresponding  to  the  respective  wires  at  that  level.  That  is,  we  want  to  homomorphically 
evaluate  the  decryption  function  at  least  d  times  in  parallel.  This  seems  like  an  ideal  place  to  apply  batching. 

However, there are some nontrivial problems. In Section 5.1, our focus was rather limited. For example, we did not consider whether homomorphic operations could continue after the batched computation. Indeed, at first glance, it would appear that homomorphic operations cannot continue, since, after batching, the encrypted data is partitioned into non-interacting relatively-prime plaintext slots, whereas the whole point of homomorphic encryption is that the encrypted data can interact (within a common plaintext slot). Similarly, we did not consider homomorphic operations before the batched computation. Somehow, we need the input to the batched computation to come pre-partitioned into the different plaintext slots.

What we need are Pack and Unpack functions that allow the batching procedure to interface with "normal" homomorphic operations. One may think of the Pack and Unpack functions as an on-ramp to and an exit-ramp from the "fast lane" of batching. Let us say that normal homomorphic operations will always use the plaintext slot $R_{\mathfrak{p}_1}$. Roughly, the Pack function should take a bunch of ciphertexts $c_1, \ldots, c_d$ that encrypt messages $m_1, \ldots, m_d \in \mathbb{Z}_p$ under key $s_1$ for modulus $q$ and plaintext slot $R_{\mathfrak{p}_1}$, and then aggregate them into a single ciphertext $c$ under some possibly different key $s_2$ for modulus $q$ and plaintext slot $R_p = \bigotimes_{i=1}^{d} R_{\mathfrak{p}_i}$, so that correctness holds with respect to all of the different plaintext slots, i.e. $m_i = [[\langle c, s_2 \rangle]_q]_{\mathfrak{p}_i}$ for all $i$. The Pack function thus allows normal homomorphic operations to feed into the batch operation.
The Unpack function should accept the output of a batched computation, namely a ciphertext $c'$ such that $m_i = [[\langle c', s'_1 \rangle]_q]_{\mathfrak{p}_i}$ for all $i$, and then de-aggregate this ciphertext by outputting ciphertexts $c'_1, \ldots, c'_d$ under some possibly different common secret key $s'_2$ such that $m_i = [[\langle c'_i, s'_2 \rangle]_q]_{\mathfrak{p}_1}$ for all $i$. Now that all of the ciphertexts are under a common key and plaintext slot, normal homomorphic operations can resume. With such Pack and Unpack functions, we could indeed batch the bootstrapping operation. For circuits of large width (say, at least $d$) we could reduce the per-gate bootstrapping computation by a factor of $d$, making it only quasi-linear in $\lambda$. Assuming the Pack and Unpack functions have complexity at most quasi-quadratic in $d$ (per-gate this is only quasi-linear, since Pack and Unpack operate on $d$ gates), the overall per-gate computation of a batched-bootstrapped scheme becomes only quasi-linear.

Here, we describe suitable Pack and Unpack functions. These functions will make heavy use of the automorphisms $\sigma_{i \to j}$ over $R$ that map elements of $\mathfrak{p}_i$ to elements of $\mathfrak{p}_j$. (See Section 5.1.1.) We note that Smart and Vercauteren [21] used these automorphisms to construct something similar to our Pack function (though for unpacking they resorted to bootstrapping). We also note that Lyubashevsky, Peikert and Regev [14] used these automorphisms to permute the ideal factors $\mathfrak{q}_i$ of the modulus $q$, which was an essential tool toward their proof of the pseudorandomness of RLWE.

Toward Pack and Unpack procedures, our main idea is the following. If $m$ is encoded in the free term as a number in $\{0, \ldots, p - 1\}$ and if $m = [[\langle c, s \rangle]_q]_{\mathfrak{p}_i}$, then $m = [[\langle \sigma_{i \to j}(c), \sigma_{i \to j}(s) \rangle]_q]_{\mathfrak{p}_j}$. That is, we can switch the plaintext slot but leave the decrypted message unchanged by applying the same automorphism to the ciphertext and the secret key. (These facts follow from the fact that $\sigma_{i \to j}$ is a homomorphism, that it maps elements of $\mathfrak{p}_i$ to elements of $\mathfrak{p}_j$, and that it fixes free terms.) Of course, then we have a problem: the ciphertext is now under a different key, whereas we may want the ciphertext to be under the same key as other ciphertexts. To get the ciphertexts to be back under the same key, we simply use the SwitchKey algorithm to switch all of the ciphertexts to a new common key.

Some technical remarks before we describe Pack and Unpack more formally: We mention again that E.PublicKeyGen is modified in the obvious way so that $A \cdot s = p \cdot e$ rather than $2 \cdot e$, and that this modification induces a similar modification in SwitchKeyGen. Also, let $u \in R$ be a short element such that $u \in 1 + \mathfrak{p}_1$ and $u \in \mathfrak{p}_j$ for all $j \neq 1$. It is obvious that such a $u$ with coefficients in $(-p/2, p/2]$ can be computed efficiently by first picking any element $u'$ such that $u' \in 1 + \mathfrak{p}_1$ and $u' \in \mathfrak{p}_j$ for all $j \neq 1$, and then reducing the coefficients of $u'$ modulo $p$.

PackSetup($s_1, s_2$): Takes as input two secret keys $s_1, s_2$. For all $i \in [1, d]$, it runs $\tau_{\sigma_{1 \to i}(s_1) \to s_2} \leftarrow \mathrm{SwitchKeyGen}(\sigma_{1 \to i}(s_1), s_2)$.

Pack($\{c_i\}_{i=1}^{d}, \{\tau_{\sigma_{1 \to i}(s_1) \to s_2}\}_{i=1}^{d}$): Takes as input ciphertexts $c_1, \ldots, c_d$ such that $m_i = [[\langle c_i, s_1 \rangle]_q]_{\mathfrak{p}_1}$ and $0 = [[\langle c_i, s_1 \rangle]_q]_{\mathfrak{p}_j}$ for all $j \neq 1$, and also some auxiliary information output by PackSetup. For all $i$, it does the following:

•  Computes $c_i^* \leftarrow \sigma_{1 \to i}(c_i)$. (Observe: $m_i = [[\langle c_i^*, \sigma_{1 \to i}(s_1) \rangle]_q]_{\mathfrak{p}_i}$ while $0 = [[\langle c_i^*, \sigma_{1 \to i}(s_1) \rangle]_q]_{\mathfrak{p}_j}$ for all $j \neq i$.)

•  Runs $c_i^\dagger \leftarrow \mathrm{SwitchKey}(\tau_{\sigma_{1 \to i}(s_1) \to s_2}, c_i^*)$. (Observe: Assuming the noise does not wrap, we have that $m_i = [[\langle c_i^\dagger, s_2 \rangle]_q]_{\mathfrak{p}_i}$ and $0 = [[\langle c_i^\dagger, s_2 \rangle]_q]_{\mathfrak{p}_j}$ for all $j \neq i$.)

Finally, it outputs $c \leftarrow \sum_{i=1}^{d} c_i^\dagger$. (Observe: Assuming the noise does not wrap, we have that $m_i = [[\langle c, s_2 \rangle]_q]_{\mathfrak{p}_i}$ for all $i$.)

UnpackSetup($s_1, s_2$): Takes as input two secret keys $s_1, s_2$. For all $i \in [1, d]$, it runs $\tau_{\sigma_{i \to 1}(s_1) \to s_2} \leftarrow \mathrm{SwitchKeyGen}(\sigma_{i \to 1}(s_1), s_2)$.

Unpack($c, \{\tau_{\sigma_{i \to 1}(s_1) \to s_2}\}_{i=1}^{d}$): Takes as input a ciphertext $c$ such that $m_i = [[\langle c, s_1 \rangle]_q]_{\mathfrak{p}_i}$ for all $i$, and also some auxiliary information output by UnpackSetup. For all $i$, it does the following:

•  Computes $c_i \leftarrow u \cdot \sigma_{i \to 1}(c)$. (Observe: Assuming the noise does not wrap, $m_i = [[\langle c_i, \sigma_{i \to 1}(s_1) \rangle]_q]_{\mathfrak{p}_1}$ and $0 = [[\langle c_i, \sigma_{i \to 1}(s_1) \rangle]_q]_{\mathfrak{p}_j}$ for all $j \neq 1$.)

•  Outputs $c_i^* \leftarrow \mathrm{SwitchKey}(\tau_{\sigma_{i \to 1}(s_1) \to s_2}, c_i)$. (Observe: Assuming the noise does not wrap, $m_i = [[\langle c_i^*, s_2 \rangle]_q]_{\mathfrak{p}_1}$ and $0 = [[\langle c_i^*, s_2 \rangle]_q]_{\mathfrak{p}_j}$ for all $j \neq 1$.)

Splicing  the  Pack  and  Unpack  procedures  into  our  scheme  FHE  is  tedious  but  pretty  straightforward. 
Although  these  procedures  introduce  many  more  encrypted  secret  keys,  this  does  not  cause  a  circular  security 
problem  as  long  as  the  chain  of  encrypted  secret  keys  is  acyclic;  then  the  standard  hybrid  argument  applies. 
After  applying  Pack  or  Unpack,  one  may  apply  modulus  reduction  to  reduce  the  noise  back  down  to  normal. 
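The number theory of Section 5.1.1, the slotwise evaluation of Section 5.1.2, and the Pack/Unpack idea above, worked at the plaintext level in Python as an added example that is not code from the report. It uses constructed toy parameters $d = 4$ and $p = 17$ (so $p \equiv 1 \bmod 2d$), computes the roots $a_i$ of $x^d + 1$ modulo $p$, projects ring elements onto their $d$ CRT slots and back, shows that a single ring multiplication multiplies all slots at once, builds the automorphism $x \mapsto x^e$ together with the odd exponent that sends slot $i$ to slot $j$, and uses these with the element $u$ ($u \equiv 1 \bmod \mathfrak{p}_1$ and $u \equiv 0 \bmod \mathfrak{p}_j$ for $j \neq 1$) to pack $d$ slot-1 messages into one element and unpack them again. Ciphertexts, secret keys, noise and key switching are not modelled, and the function names are the example's own.

```python
# Added example (not the report's code): plaintext-level batching and Pack/Unpack
# in R_p = Z_p[x]/(x^d + 1) with p ≡ 1 (mod 2d). Constructed toy parameters d = 4, p = 17.
# Ciphertexts, keys, noise and key switching are not modelled.

D, P = 4, 17


def primitive_2d_root(p=P, d=D):
    """A primitive 2d-th root of unity mod p: the smallest a with a^d ≡ -1 (mod p)."""
    for a in range(2, p):
        if pow(a, d, p) == p - 1:
            return a
    raise ValueError("need p ≡ 1 (mod 2d)")


def roots(p=P, d=D):
    """a_i = a^(2i-1) mod p for i = 1..d: the roots of x^d + 1 modulo p."""
    a = primitive_2d_root(p, d)
    return [pow(a, 2 * i - 1, p) for i in range(1, d + 1)]


def ring_mul(r, t, p=P, d=D):
    """Product in Z_p[x]/(x^d + 1): negacyclic convolution, since x^d = -1."""
    out = [0] * d
    for i, ri in enumerate(r):
        for j, tj in enumerate(t):
            if i + j < d:
                out[i + j] += ri * tj
            else:
                out[i + j - d] -= ri * tj
    return [v % p for v in out]


def ring_add(r, t, p=P):
    return [(a + b) % p for a, b in zip(r, t)]


def to_slots(r, p=P, d=D):
    """CRT projection R_p -> R_{p_1} x ... x R_{p_d}: slot i is r mod (p, x - a_i), i.e. r(a_i)."""
    return [sum(c * pow(al, k, p) for k, c in enumerate(r)) % p for al in roots(p, d)]


def from_slots(vals, p=P, d=D):
    """Inverse CRT: Lagrange interpolation through the d roots (unique polynomial of degree < d)."""
    rs = roots(p, d)
    out = [0] * d
    for i, (ri, vi) in enumerate(zip(rs, vals)):
        num, den = [1], 1            # prod_{j != i} (x - a_j) and its value at a_i
        for j, rj in enumerate(rs):
            if j != i:
                num = [((num[k - 1] if k else 0) - rj * (num[k] if k < len(num) else 0)) % p
                       for k in range(len(num) + 1)]
                den = den * (ri - rj) % p
        coef = vi * pow(den, -1, p) % p
        out = [(o + coef * n) % p for o, n in zip(out, num)]
    return out


def automorphism(r, e, p=P, d=D):
    """sigma_e: r(x) -> r(x^e) for odd e. Coefficient k moves to position k*e mod 2d,
    with a sign flip when that position is >= d (because x^d = -1)."""
    out = [0] * d
    for k, c in enumerate(r):
        t = (k * e) % (2 * d)
        if t < d:
            out[t] = (out[t] + c) % p
        else:
            out[t - d] = (out[t - d] - c) % p
    return out


def exponent_for(i, j, d=D):
    """Odd e with a_j^e = a_i, so sigma_e maps p_i into p_j: slot i of r becomes slot j (1-based)."""
    return (2 * i - 1) * pow(2 * j - 1, -1, 2 * d) % (2 * d)


def pack(slot1_elems, p=P, d=D):
    """Pack without keys: element i carries m_i in slot 1 and 0 elsewhere;
    the sum of sigma_{1->i}(element i) carries m_i in slot i."""
    acc = [0] * d
    for i, r in enumerate(slot1_elems, start=1):
        acc = ring_add(acc, automorphism(r, exponent_for(1, i, d), p, d), p)
    return acc


def unpack(r, p=P, d=D):
    """Unpack without keys: u * sigma_{i->1}(r) moves slot i of r into slot 1 and
    zeroes the rest, where u ≡ 1 mod p_1 and u ≡ 0 mod p_j for j != 1."""
    u = from_slots([1] + [0] * (d - 1), p, d)
    return [ring_mul(u, automorphism(r, exponent_for(i, 1, d), p, d), p, d)
            for i in range(1, d + 1)]


if __name__ == "__main__":
    a, b = from_slots([3, 5, 7, 11]), from_slots([2, 4, 6, 8])
    print("one ring product, all slots:", to_slots(ring_mul(a, b)))   # [6, 3, 8, 3]
    packed = pack([from_slots([m, 0, 0, 0]) for m in [1, 9, 4, 16]])
    print("packed slots:", to_slots(packed))                          # [1, 9, 4, 16]
    print("unpacked:", [to_slots(c) for c in unpack(packed)])
```

In the scheme the same two maps are applied to ciphertext and key, and SwitchKey returns the result to a common key; here the automorphism acts directly on the plaintext element, which is enough to see why slot $i$ of $\sigma_{1 \to i}(c_i)$ holds $m_i$ and why multiplying by $u$ clears every slot but the first.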

5.4  More  Fun  with  Funky  Plaintext  Spaces 

In some cases, it might be nice to have a plaintext space isomorphic to $\mathbb{Z}_p$ for some large prime $p$, e.g., one exponential in the security parameter. So far, we have been using $R_p$ as our plaintext space, and (due to the rounding step in modulus switching) the size of the noise after modulus switching is proportional to $p$. When $p$ is exponential, our previous approach for handling the noise (which keeps the magnitude of the noise polynomial in $\lambda$) obviously breaks down.

To get a plaintext space isomorphic to $\mathbb{Z}_p$ that works for exponential $p$, we need a new approach. Instead of using an integer modulus, we will use an ideal modulus $I$ (an ideal of $R$) whose norm is some large prime $p$, but such that we have a basis $B_I$ of $I$ that is very short, e.g. $\|B_I\| = O(\mathrm{poly}(d) \cdot p^{1/d})$. Using an ideal plaintext space forces us to modify the modulus switching technique nontrivially.

Originally, when our plaintext space was $R_2$, each of the moduli in our "ladder" was odd; that is, they were all congruent to each other modulo 2 and relatively prime to 2. Similarly, we will have to choose each of the moduli in our new ladder so that they are all congruent to each other modulo $I$. (This just seems necessary to get the scaling to work, as the reader will see shortly.) This presents a difficulty, since we wanted the norm of $I$ to be large, e.g., exponential in the security parameter. If we choose our moduli $q_j$ to be integers, then we have that the integer $q_{j+1} - q_j \in I$; in particular, $q_{j+1} - q_j$ is a multiple of $I$'s norm, implying that the $q_j$'s are exponential in the security parameter. Having such large $q_j$'s does not work well in our scheme, since the underlying lattice problems become easy when $q_j/B$ is exponential in $d$, where $B$ is a bound on the noise distribution of fresh ciphertexts, and since we need $B$ to remain quite small for our new noise management approach to work effectively. So, instead, our ladder of moduli will also consist of ideals, in particular, principal ideals $(q_j)$ generated by an element $q_j \in R$. Specifically, it is easy to generate a ladder of $q_j$'s that are all congruent to 1 modulo $I$ by sampling appropriately-sized elements $q_j$ of the coset $1 + I$ (using our short basis of $I$), and testing whether the principal ideal $(q_j)$ generated by the element has appropriate norm.

Now, let us reconsider modulus switching in light of the fact that our moduli are now principal ideals. We need an analogue of Lemma 4 that works for ideal moduli.

Let us build up some notation and concepts that we will need in our new lemma. Let $\mathcal{P}_q$ be the half-open parallelepiped associated to the rotation basis of $q \in R$. The rotation basis $B_q$ of $q$ is the $d$-dimensional basis formed by the coefficient vectors of the polynomials $x^i q(x) \bmod f(x)$ for $i \in [0, d - 1]$. The associated parallelepiped is $\mathcal{P}_q = \{\sum_i z_i \cdot b_i : b_i \in B_q,\ z_i \in [-1/2, 1/2)\}$. We need two concepts associated to this parallelepiped. First, we will still use the notation $[a]_q$, but where $q$ is now an $R$-element rather than an integer. This notation refers to $a$ reduced modulo the rotation basis of $q$, i.e., the element $[a]_q$ such that $[a]_q - a \in qR$ and $[a]_q \in \mathcal{P}_q$. Next, we need notions of the inner radius $r_{q,\mathrm{in}}$ and outer radius $r_{q,\mathrm{out}}$ of $\mathcal{P}_q$, that is, the largest radius of a ball that is circumscribed by $\mathcal{P}_q$, and the smallest radius of a ball that circumscribes $\mathcal{P}_q$. It is possible to choose $q$ so that the ratio $r_{q,\mathrm{out}}/r_{q,\mathrm{in}}$ is $\mathrm{poly}(d)$. For example, this is true when $q$ is an integer.

For a suitable value of $f(x)$ that determines our ring, such as $f(x) = x^d + 1$, the expected value of the ratio will be $\mathrm{poly}(d)$ even if $q$ is sampled uniformly (e.g., according to a discrete Gaussian distribution centered at 0). More generally, we will refer to $r_{B,\mathrm{out}}$ as the outer radius associated to the parallelepiped determined by basis $B$. Also, in the field $\mathbb{Q}[x]/(f(x))$ overlying this ring, it will be true with overwhelming probability, if $q$ is sampled uniformly, that $\|q^{-1}\| = 1/\|q\|$ up to a $\mathrm{poly}(d)$ factor. For convenience, let $a(d)$ be a polynomial such that $\|q^{-1}\| = 1/\|q\|$ up to an $a(d)$ factor and moreover $r_{q,\mathrm{out}}/r_{q,\mathrm{in}}$ is at most $a(d)$ with overwhelming probability. For such an $a$, we say $q$ is $a$-good. Finally, in the lemma, $\gamma_R$ denotes the expansion factor of $R$, i.e., $\max\{\|a \cdot b\| / (\|a\| \cdot \|b\|) : a, b \in R\}$.

Lemma 11. Let $q_1$ and $q_2$, $\|q_1\| < \|q_2\|$, be two $a$-good elements of $R$. Let $B_I$ be a short basis (with outer radius $r_{B_I,\mathrm{out}}$) of an ideal $I$ of $R$ such that $q_1 - q_2 \in I$. Let $c$ be an integer vector and $c' \leftarrow \mathrm{Scale}(c, q_2, q_1, I)$, that is, $c'$ is an $R$-element at most $2 r_{B_I,\mathrm{out}}$ distant from $(q_1/q_2) \cdot c$ such that $c' - c \in I$. Then, for any $s$ with

$$\|[\langle c, s \rangle]_{q_2}\| < \Big( r_{q_2,\mathrm{in}} / a(d)^2 - (\|q_2\| / \|q_1\|) \cdot \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \Big) \Big/ \big( a(d) \cdot \gamma_R \big)$$

we have

$$[\langle c', s \rangle]_{q_1} = [\langle c, s \rangle]_{q_2} \bmod I \quad \text{and} \quad \|[\langle c', s \rangle]_{q_1}\| < a(d) \cdot \gamma_R \cdot (\|q_1\| / \|q_2\|) \cdot \|[\langle c, s \rangle]_{q_2}\| + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s)$$

where $\ell_1^{(R)}(s)$ is defined as $\sum_i \|s[i]\|$.

Proof. We have

$$[\langle c, s \rangle]_{q_2} = \langle c, s \rangle - k q_2$$

for some $k \in R$. For the same $k$, let

$$e_{q_1} = \langle c', s \rangle - k q_1 \in R.$$

Note that $e_{q_1} = [\langle c', s \rangle]_{q_1} \bmod q_1$. We claim that $\|e_{q_1}\|$ is so small that $e_{q_1} = [\langle c', s \rangle]_{q_1}$. We have:

$$\begin{aligned}
\|e_{q_1}\| &= \|{-k q_1} + \langle (q_1/q_2) \cdot c, s \rangle + \langle c' - (q_1/q_2) \cdot c, s \rangle\| \\
&\leq \|{-k q_1} + \langle (q_1/q_2) \cdot c, s \rangle\| + \|\langle c' - (q_1/q_2) \cdot c, s \rangle\| \\
&\leq \gamma_R \cdot \|q_1/q_2\| \cdot \|[\langle c, s \rangle]_{q_2}\| + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \\
&\leq \gamma_R \cdot \|q_1\| \cdot \|q_2^{-1}\| \cdot \|[\langle c, s \rangle]_{q_2}\| + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \\
&\leq a(d) \cdot \gamma_R \cdot (\|q_1\| / \|q_2\|) \cdot \|[\langle c, s \rangle]_{q_2}\| + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s)
\end{aligned}$$

By the final expression above, we see that the magnitude of $e_{q_1}$ may actually be less than the magnitude of $e_{q_2}$ if $\|q_1\| / \|q_2\|$ is small enough. Let us continue with the inequalities, substituting in the bound for $\|[\langle c, s \rangle]_{q_2}\|$:

$$\begin{aligned}
\|e_{q_1}\| &< a(d) \cdot \gamma_R \cdot (\|q_1\| / \|q_2\|) \cdot \Big( r_{q_2,\mathrm{in}} / a(d)^2 - (\|q_2\| / \|q_1\|) \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \Big) \Big/ \big( a(d) \cdot \gamma_R \big) + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \\
&\leq (\|q_1\| / \|q_2\|) \cdot \Big( r_{q_2,\mathrm{in}} / a(d)^2 - (\|q_2\| / \|q_1\|) \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \Big) + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \\
&\leq \big( r_{q_1,\mathrm{in}} - \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \big) + \gamma_R \cdot 2 r_{B_I,\mathrm{out}} \cdot \ell_1^{(R)}(s) \\
&= r_{q_1,\mathrm{in}}
\end{aligned}$$

Since $\|e_{q_1}\| < r_{q_1,\mathrm{in}}$, $e_{q_1}$ is inside the parallelepiped $\mathcal{P}_{q_1}$ and it is indeed true that $e_{q_1} = [\langle c', s \rangle]_{q_1}$. Furthermore, we have $[\langle c', s \rangle]_{q_1} = e_{q_1} = \langle c', s \rangle - k q_1 = \langle c, s \rangle - k q_2 = [\langle c, s \rangle]_{q_2} \bmod I$. $\square$

The bottom line is that we can apply the modulus switching technique to moduli that are ideals, and this allows us to use, if desired, plaintext spaces that are very large (exponential in the security parameter) and that have properties that are often desirable (such as being isomorphic to a large prime field).

5.5  Other  Optimizations 

If one is willing to assume circular security, the keys $\{s_j\}$ may all be the same, thereby permitting a public key of size independent of $L$.

While  it  is  not  necessary,  squashing  may  still  be  a  useful  optimization  in  practice,  as  it  can  be  used  to 
lower  the  depth  of  the  decryption  function,  thereby  reducing  the  size  of  the  largest  modulus  needed  in  the 
scheme,  which  may  improve  efficiency. 

For the LWE-based scheme, one can use key switching to gradually reduce the dimension $n_j$ of the ciphertext (and secret key) vectors as $q_j$ decreases - that is, as one traverses to higher levels in the circuit. As $q_j$ decreases, the associated LWE problem becomes (we believe) progressively harder (for a fixed noise distribution $\chi$). This allows one to gradually reduce the dimension $n_j$ without sacrificing security, and reduce ciphertext length faster (as one goes higher in the circuit) than one could simply by decreasing $q_j$ alone.

6  Summary  and  Future  Directions 

Our RLWE-based FHE scheme without bootstrapping requires only $\tilde{O}(\lambda \cdot L^3)$ per-gate computation, where $L$ is the depth of the circuit being evaluated, while the bootstrapped version has only $\tilde{O}(\lambda^2)$ per-gate computation. For circuits of width $\Omega(\lambda)$, we can use batching to reduce the per-gate computation of the bootstrapped version by another factor of $\lambda$.

While  these  schemes  should  perform  significantly  better  than  previous  FHE  schemes,  we  caution  that  the 
polylogarithmic  factors  in  the  per-gate  computation  are  large.  One  future  direction  toward  a  truly  practical 
scheme  is  to  tighten  up  these  polylogarithmic  factors  considerably. 

Acknowledgments.  We  thank  Carlos  Aguilar  Melchor,  Boaz  Barak,  Shai  Halevi,  Chris  Peikert,  Nigel 
Smart,  and  Jiang  Zhang  for  helpful  discussions  and  insights. 


Approved  for  Public  Release;  Distribution  Unlimited. 

On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption

Adriana López-Alt (New York University), Eran Tromer (Tel Aviv University), Vinod Vaikuntanathan (MIT)


Abstract 

We propose a new notion of secure multiparty computation aided by a computationally-powerful but untrusted “cloud” server. In this notion that we call on-the-fly multiparty computation (MPC), the cloud can non-interactively perform arbitrary, dynamically chosen computations on data belonging to arbitrary sets of users chosen on-the-fly. All users’ input data and intermediate results are protected from snooping by the cloud as well as other users. This extends the standard notion of fully homomorphic encryption (FHE), where users can only enlist the cloud’s help in evaluating functions on their own encrypted data.

In  on-the-fly  MPC,  each  user  is  involved  only  when  initially  uploading  his  (encrypted)  data 
to  the  cloud,  and  in  a  final  output  decryption  phase  when  outputs  are  revealed;  the  complexity 
of  both  is  independent  of  the  function  being  computed  and  the  total  number  of  users  in  the 
system.  When  users  upload  their  data,  they  need  not  decide  in  advance  which  function  will  be 
computed,  nor  who  they  will  compute  with;  they  need  only  retroactively  approve  the  eventually- 
chosen  functions  and  on  whose  data  the  functions  were  evaluated. 

This  notion  is  qualitatively  the  best  possible  in  minimizing  interaction,  since  the  users’ 
interaction  in  the  decryption  stage  is  inevitable:  we  show  that  removing  it  would  imply  generic 
program  obfuscation  and  is  thus  impossible. 

Our contributions are two-fold:

1.  We  show  how  on-the-fly  MPC  can  be  achieved  using  a  new  type  of  encryption  scheme  that 
we  call  multikey  FHE,  which  is  capable  of  operating  on  inputs  encrypted  under  multiple, 
unrelated  keys.  A  ciphertext  resulting  from  a  multikey  evaluation  can  be  jointly  decrypted 
using  the  secret  keys  of  all  the  users  involved  in  the  computation. 

2. We construct a multikey FHE scheme based on NTRU, a very efficient public-key encryption scheme proposed in the 1990s. It was previously not known how to make NTRU fully homomorphic even for a single party. We view the construction of (multikey) FHE from NTRU encryption as a main contribution of independent interest. Although the transformation to a fully homomorphic system deteriorates the efficiency of NTRU somewhat, we believe that this system is a leading candidate for a practical FHE scheme.
1 Introduction


We are fast approaching a new digital era in which we store our data and perform our expensive computations remotely, on powerful servers — the “cloud”, in popular parlance. While the cloud offers numerous advantages in costs and functionality, it raises grave questions of confidentiality, since data stored in the cloud could be vulnerable to snooping by the cloud provider or even by other cloud clients [RTSS09]. Since this data often contains sensitive information (e.g., personal conversations, medical information and organizational secrets), it is prudent for the users to encrypt their data before storing it in the cloud. Recent advances in fully homomorphic encryption (FHE) [Gen09b, vDGHV10, BV11b, BV11a, GH11a, BGV12] make it possible to perform arbitrary computations on encrypted data, thus enabling the prospect of personal computers and mobile devices as trusted but weak interfaces to a powerful but untrusted cloud on which the bulk of computing is performed.

FHE  is  only  suitable  in  settings  where  the  computations  involve  a  single  user,  since  it  requires 
inputs  to  be  encrypted  under  the  same  key.  However,  there  are  many  scenarios  where  users,  who 
have  uploaded  their  large  data  stores  to  the  cloud  in  encrypted  form,  then  decide  to  compute  some 
joint  function  of  their  data.  For  example,  they  may  wish  the  cloud  to  compute  joint  statistical 
information  on  their  databases,  locate  common  files  in  their  collections,  run  a  computational  agent 
to  reach  a  decision  based  on  their  pooled  data  (without  leaking  anything  but  the  final  decision),  or 
generally,  in  contexts  where  multiple  (mutually  distrusting)  users  need  to  pool  together  their  data 
to  achieve  a  common  goal. 

The  multiparty  scenario  is  significantly  more  complex,  and  comes  with  a  set  of  natural  but 
stringent  requirements.  First,  the  participants  involved  in  the  computation  and  the  function  to 
be  computed  may  be  dynamically  chosen  on-the-fly,  well  after  the  data  has  been  encrypted  and 
uploaded  to  the  cloud.  Secondly,  once  the  function  is  chosen,  we  should  not  expect  the  users  to  be 
online  all  the  time,  and  consequently  it  is  imperative  that  the  cloud  be  able  to  perform  the  bulk  of 
this  computation  (on  the  encrypted  data  belonging  to  the  participants)  non-interactively,  without 
consulting  the  participants  at  all.  Finally,  all  the  burden  of  computation  should  indeed  be  carried 
by  the  cloud:  the  computational  and  communication  complexity  of  the  users  should  depend  only  on 
the  size  of  the  individual  inputs  and  the  output,  and  should  be  independent  of  both  the  complexity 
of  the  function  computed  and  the  total  number  of  users  in  the  system,  both  of  which  could  be  very 
large. 

On-the-Fly Multiparty Computation. Consider a setting with a large universe of computationally weak users and a powerful cloud. An on-the-fly multiparty computation protocol proceeds thus:

1. The numerous users each encrypt their data and upload them to the cloud, unaware of the identity or even the number of other users in the system. Additional data may arrive directly to the cloud, encrypted under users’ public keys (e.g., as encrypted emails arriving to a cloud-based mailbox).

2. The cloud decides to evaluate an arbitrary dynamically chosen function on the data of an arbitrary subset of users chosen on-the-fly. (The choice may be by some users’ request, or as a service to compute the function on the data of parties fulfilling some criterion, or by a need autonomously anticipated by the cloud provider, etc.) The cloud can perform this computation non-interactively, without any further help from the users. The result is still encrypted.

3.  The  cloud  and  the  subset  of  users  whose  data  was  used  in  the  computation  interact  in  a 
decryption  phase.  At  this  point  the  users  retroactively  approve  the  choice  of  function  and  the 
choice  of  peer  users  on  whose  data  the  function  was  evaluated,  and  cooperate  to  retrieve  the 
output. 

Crucially,  the  computation  and  communication  of  all  the  users  (including  the  cloud)  in  the 
decryption  phase  should  be  independent  of  both  the  complexity  of  the  function  computed,  and  the 
size  of  the  universe  of  parties  (both  of  which  can  be  enormous).  Instead,  the  effort  expended  by 
the  cloud  and  the  users  in  this  phase  should  depend  only  on  the  size  of  the  output  and  the  number 
of  users  who  participated  in  the  computation.  Also  crucially,  the  users  need  not  be  online  at  all 
during  the  bulk  of  the  computation;  they  need  to  “wake  up”  only  when  it  is  time  to  decrypt  the 
output. 

We  call  this  an  on-the-fly  multiparty  computation  (or  on-the-fly  MPC in  short)  to  signify  the  fact 
that  the  functions  to  be  computed  on  the  encrypted  data  and  the  participants  in  the  computation 
are  both  chosen  on-the-fly  and  dynamically,  without  possibly  even  the  knowledge  of  the  participants. 
Protocols  following  this  framework  have  additional  desirable  features  such  as  the  ability  for  users 
to  “join”  a  computation  asynchronously. 

Possible Approaches (and Why They Do Not Work). The long line of work on secure multiparty computation (MPC) [GMW87, BGW88, CCD88, Yao82] does not seem to help us construct on-the-fly MPC protocols since the computational and communication complexities of all the parties in these protocols depend polynomially on the complexity of the function being computed.¹ In contrast, we are dealing with an asymmetric setting where the cloud computes a lot, but the users compute very little. (Nevertheless, we will use the traditional MPC protocols to interactively compute the decryption function at the end.)

Fully  homomorphic  encryption  (FHE)  is  appropriate  in  such  an  asymmetric  setting  of  computing 
with  the  cloud.  Yet,  traditional  FHE  schemes  are  single-key  in  the  sense  that  they  can  perform 
(arbitrarily  complex)  computations  on  inputs  encrypted  under  the  same  key.  In  our  setting,  since 
the  parties  do  not  trust  each  other,  they  will  most  certainly  not  want  to  encrypt  their  inputs  using 
each  other’s  keys.  Nevertheless,  Gentry  [Gen09a]  proposed  the  following  way  of  using  single-key 
FHE  schemes  in  order  to  do  multiparty  computation:  first,  the  parties  run  a  (short)  MPC  protocol 
to  compute  a  joint  public  key,  where  the  matching  secret  key  is  secret-shared  among  all  the  parties. 
The  parties  then  encrypt  their  inputs  under  the  joint  public  key  and  send  the  ciphertexts  to  the 
cloud  who  then  uses  the  FHE  scheme  to  compute  an  encryption  of  the  result.  Finally,  the  parties  run 
yet  another  (short)  MPC  protocol  to  recover  the  result.  A  recent  work  by  Asharov  et  al.  [AJL+12] 
extends  this  schema  and  makes  it  efficient  in  terms  of  the  concrete  round,  communication  and 
computational  complexity. 

This  line  of  work  does  not  address  the  dynamic  and  non-interactive  nature  of  on-the-fly  MPC. 
In  particular,  once  a  subset  of  parties  and  a  function  are  chosen,  the  protocols  of  [Gen09a,  AJL+12] 
require  the  parties  to  be  online  and  run  an  interactive  MPC  protocol  to  generate  a  joint  public  key. 
In contrast, we require that once the function and a subset of parties is chosen, the cloud performs the (expensive) computations non-interactively, without help from any of the users. It would also be unsatisfactory to postpone the (lengthy) computation of the function until the interactive decryption phase; indeed, we require that once the users “wake up” for the decryption phase, the running time of all parties is independent of the complexity of the function being computed. Thus, even the feasibility of on-the-fly MPC is not addressed by existing techniques.

¹The works of Damgård et al. [DIK+08, DIK10] are an exception to this claim. However, it is not clear how to build upon these results to address the dynamic and non-interactive nature of on-the-fly MPC.

1.1  Our  Results  and  Techniques 

We  present  a  new  notion  of  fully  homomorphic  encryption  (FHE)  that  we  call  a  multikey  FHE 
that  permits  computation  on  data  encrypted  under  multiple  unrelated  keys;  a  new  construction  of 
multikey  FHE  based  on  the  NTRU  encryption  scheme  (originally  proposed  by  Hoffstein,  Pipher 
and  Silverman  [HPS98]);  and  a  new  method  of  achieving  on-the-fly  multiparty  computation  (for 
any  a-priori  bounded  number  of  users)  using  a  multikey  FHE  scheme.  Although  the  number  of 
users  involved  in  any  computation  has  to  be  bounded  in  our  solution,  the  total  number  of  users  in 
the  system  is  arbitrary. 


Multikey  FHE.  An  N -key  fully  homomorphic  encryption  scheme  is  the  same  as  a  regular  FHE 
scheme  with  two  changes.  First,  the  homomorphic  evaluation  algorithm  takes  in  polynomially  many 
ciphertexts  encrypted  under  at  most  N  keys,  together  with  the  corresponding  evaluation  keys,  and 
produces  a  ciphertext.  Second,  in  order  to  decrypt  the  resulting  ciphertext,  one  uses  all  the  involved 
secret keys. As mentioned above, one of our main contributions is a construction of $N$-key FHE for any $N \in \mathbb{N}$ from the NTRU encryption scheme. We give an overview of our construction below (in Section 1.2) and refer the reader to Section 3.3 for more details.

Our NTRU-based construction raises a natural question: can any other FHE schemes be made multikey? We show that any FHE scheme is inherently a multikey FHE for a constant number of keys (in the security parameter), i.e. it can homomorphically evaluate functions on ciphertexts encrypted under at most a constant number of keys.² Furthermore, we show that the Ring-LWE based FHE scheme of Brakerski and Vaikuntanathan [BV11b] is multikey homomorphic for a logarithmic number of keys, but only for circuits of logarithmic depth. This arises from the fact that when multiple keys are introduced, it is no longer clear how to use relinearization or squashing to go beyond somewhat homomorphism. We refer the reader to Section 3.2 for more details.


On-the-Fly  MPC  from  Multikey  FHE.  A  multikey  FHE  scheme  is  indeed  the  right  tool  to 
perform  on-the-fly  MPC  as  shown  by  the  following  simple  protocol:  the  users  encrypt  their  inputs 
using  their  own  public  keys  and  send  the  ciphertexts  to  the  cloud,  the  cloud  then  computes  a 
dynamically  chosen  function  on  an  arbitrary  subset  of  parties  using  the  multikey  property  of  the 
FHE  scheme,  and  finally,  the  users  together  run  an  interactive  MPC  protocol  in  order  to  decrypt. 
Note  that  the  users  can  be  offline  during  the  bulk  of  the  computation,  and  they  need  to  participate 
only  in  the  final  cheap  interactive  decryption  process.  Note  also  that  participants  in  the  protocol 
need  not  be  aware  of  the  entire  universe  of  users,  but  only  those  users  that  participate  in  a  joint 
computation. This simple protocol provides us security against a semi-malicious collusion [AJW11, AJL+12] of the cloud with an arbitrary subset of parties. We then show how to achieve security against a malicious adversary using zero-knowledge proofs and succinct argument systems [Kil92, Kil95, Mic94, GKR08, GLR11, BCCT12, BCCT13].

²This construction was originally suggested to us by an anonymous STOC 2012 reviewer; we include it here for completeness.

We further remark that the computation of the decryption function can itself be outsourced to the cloud. In particular, using the cloud-assisted MPC protocol of Asharov et al. [AJL+12] yields an on-the-fly MPC protocol with one offline round and 5 online rounds (for decryption).

We  give  an  overview  of  our  construction  below  (in  Section  1.3)  and  refer  the  reader  to  Section  4 
for  more  details. 


Completely Non-Interactive On-the-Fly MPC? We know from the work of Halevi, Lindell, and Pinkas [HLP11] that in the non-interactive setting, the server can always evaluate the circuit multiple times, keeping some parties’ inputs but plugging in fake inputs of its choosing for the other parties. However, even if we accept this as the ideal functionality, we show that a non-interactive online phase cannot be achieved by drawing on the impossibility of general program obfuscation as a virtual black-box with single-bit output [BGI+01]. Thus, our notion is qualitatively “the best possible” in terms of interaction. Our techniques in showing this negative result are inspired by those of van Dijk and Juels [vDJ10]. We refer the reader to Section 4.3 for more details.

1.2  (Multikey)  Fully  Homomorphic  Encryption  from  NTRU 

The starting point for our main construction of multikey FHE is the NTRU encryption scheme of Hoffstein, Pipher, and Silverman [HPS98], with the modifications of Stehlé and Steinfeld [SS11b]. NTRU encryption is one of the earliest lattice-based cryptosystems, together with the Ajtai-Dwork cryptosystem [AD97] and the Goldreich-Goldwasser-Halevi cryptosystem [GGH97]. One of our most important contributions is to show that NTRU can be made fully homomorphic (for a single key)³ and moreover, that the resulting scheme can handle homomorphic evaluations on ciphertexts encrypted under any number of different and independent keys.

We  find  this  contribution  particularly  interesting  because  NTRU  was  originally  designed  to  be  an 
efficient  public-key  encryption  scheme,  meant  to  replace  RSA  in  applications  where  computational 
efficiency  is  at  a  premium  (e.g.  in  applications  that  run  on  smart  cards  and  embedded  systems). 
Although  the  transformation  to  fully  homomorphic  encryption  degrades  the  efficiency  of  the  scheme, 
we  believe  it  to  be  a  leading  candidate  for  a  practical  FHE  scheme.  Therefore,  we  view  this  as  an 
important  contribution  of  independent  interest. 

In  this  section  we  give  an  overview  of  our  construction,  and  refer  the  reader  to  Section  3.3  for 
more  details. 


NTRU Encryption. We describe the modified NTRU scheme of Stehlé and Steinfeld [SS11b], which is based on the original NTRU cryptosystem [HPS98]. The scheme is parametrized by the ring $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(x^n + 1)$, where $n$ is a power of two, an odd prime number $q$, and a $B$-bounded distribution $\chi$ over $R$, for $B \ll q$. By “$B$-bounded”, we mean that the magnitude of the coefficients of a polynomial sampled from $\chi$ is guaranteed to be less than $B$. We define $R_q \stackrel{\mathrm{def}}{=} R/qR$, and use $[\cdot]_q$ to denote coefficient-wise reduction modulo $q$ into the set $\{-\lfloor q/2 \rfloor, \ldots, \lfloor q/2 \rfloor\}$.

³The observation that NTRU can be made single-key fully homomorphic was made concurrently by Gentry et al. [GHL+11].
• Keygen($1^\kappa$): Key generation samples “small” polynomials $f', g \leftarrow \chi$ and sets $f = 2f' + 1$ so that $f \equiv 1 \pmod 2$. If $f$ is not invertible in $R_q$, it resamples $f'$. Otherwise, it computes the inverse $f^{-1}$ of $f$ in $R_q$ and sets

$$\mathrm{sk} = f \quad\text{and}\quad \mathrm{pk} = h = [2 g f^{-1}]_q$$

• Enc(pk, $m$): To encrypt a bit $m \in \{0, 1\}$, the encryption algorithm samples “small” polynomials $s, e \leftarrow \chi$ and outputs the ciphertext

$$c = [h s + 2e + m]_q$$

• Dec(sk, $c$): To decrypt a ciphertext $c$, the decryption algorithm computes $\mu = [f c]_q$ and returns $\mu \pmod 2$.

Correctness follows from a few simple observations. First note that $[f c]_q = [2 g s + 2 f e + f m]_q$. Furthermore, since the elements $g, s, f, e$ were all sampled from a $B$-bounded distribution and $B \ll q$, the magnitude of the coefficients in $2 g s + 2 f e + f m$ is smaller than $q/2$, so there is no reduction modulo $q$: in other words, $[2 g s + 2 f e + f m]_q = 2 g s + 2 f e + f m$. Therefore, $\mu = 2 g s + 2 f e + f m$. Taking modulo 2 yields the message $m$ since by construction, $f \equiv 1 \pmod 2$.

Multikey  Homomorphism.  We  now  briefly  describe  the  (multikey)  homomorphic  properties  of 
the  scheme  and  the  challenges  encountered  when  converting  it  into  a  fully  homomorphic  encryption 
scheme. 

Let $c_1 = [h_1 s_1 + 2 e_1 + m_1]_q$ and $c_2 = [h_2 s_2 + 2 e_2 + m_2]_q$ be ciphertexts under two different keys $h_1 = [2 g_1 f_1^{-1}]_q$ and $h_2 = [2 g_2 f_2^{-1}]_q$, respectively. We claim that $c_{\mathrm{add}} \stackrel{\mathrm{def}}{=} [c_1 + c_2]_q$ and $c_{\mathrm{mult}} \stackrel{\mathrm{def}}{=} [c_1 c_2]_q$ decrypt to $m_1 + m_2$ and $m_1 m_2$ respectively, under the joint secret key $f_1 f_2$. Indeed, notice that:

$$
f_1 f_2 (c_1 + c_2) = 2\,(f_1 f_2 e_1 + f_1 f_2 e_2 + f_2 g_1 s_1 + f_1 g_2 s_2) + f_1 f_2 (m_1 + m_2) = 2 e_{\mathrm{add}} + f_1 f_2 (m_1 + m_2)
$$

for a slightly larger noise element $e_{\mathrm{add}}$. Similarly,

$$
\begin{aligned}
f_1 f_2 (c_1 c_2) &= 2\,\big(2 g_1 g_2 s_1 s_2 + g_1 s_1 f_2 (2 e_2 + m_2) + g_2 s_2 f_1 (2 e_1 + m_1) + f_1 f_2 (e_1 m_2 + e_2 m_1 + 2 e_1 e_2)\big) + f_1 f_2 (m_1 m_2) \\
&= 2 e_{\mathrm{mult}} + f_1 f_2 (m_1 m_2)
\end{aligned}
$$

for a slightly larger noise element $e_{\mathrm{mult}}$. This shows that the ciphertexts $c_{\mathrm{add}} \stackrel{\mathrm{def}}{=} [c_1 + c_2]_q$ and $c_{\mathrm{mult}} \stackrel{\mathrm{def}}{=} [c_1 c_2]_q$ can be correctly decrypted to the sum and the product of the underlying messages, respectively, as long as the error does not grow too large.
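The NTRU scheme described above (Keygen/Enc/Dec) and the two-key add/mul just shown, as an added example that is not code from the paper: it implements $R_q = \mathbb{Z}_q[x]/(x^n+1)$ arithmetic with toy parameters $n = 16$, $q = 2^{31}-1$ and a constructed ternary stand-in for $\chi$, computes $f^{-1}$ by an extended Euclidean algorithm (an assumption, the text does not say how the inverse is found), and checks that $[c_1 + c_2]_q$ and $[c_1 c_2]_q$ decrypt under the joint key $f_1 f_2$ while the noise stays below $q/2$. The parameters are illustrative only and provide no security.

```python
"""Toy NTRU (Stehle-Steinfeld variant) with two-key homomorphic add/mul; constructed, not secure."""
import random

N = 16          # ring degree n (a power of two); toy size
Q = 2**31 - 1   # odd prime q, large enough that one product's noise (< 5e5 here) stays under q/2

def reduce_q(p):
    """Coefficient-wise [.]_q into {-floor(q/2), ..., floor(q/2)}."""
    return [c % Q - Q if c % Q > Q // 2 else c % Q for c in p]

def add(a, b): return reduce_q(x + y for x, y in zip(a, b))
def scale(k, a): return reduce_q(k * c for c in a)
def const(m): return [m] + [0] * (N - 1)

def mul(a, b):
    """Product in R_q = Z_q[x]/(x^N + 1): wrapping past x^N flips the sign."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign, k = (1, i + j) if i + j < N else (-1, i + j - N)
            res[k] += sign * ai * bj
    return reduce_q(res)

def _strip(p):
    """Drop leading zeros (in place) of a Z_q[x] polynomial stored low degree first."""
    while p and p[-1] % Q == 0:
        p.pop()
    return p

def _divmod(a, b):
    """Long division in Z_q[x]; returns (quotient, remainder). b must be nonzero."""
    a, b = _strip([c % Q for c in a]), _strip([c % Q for c in b])
    inv_lead, quot = pow(b[-1], -1, Q), [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        shift, coef = len(a) - len(b), a[-1] * inv_lead % Q
        quot[shift] = coef
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % Q
        _strip(a)
    return quot, a

def _mul_plain(a, b):
    """Schoolbook product in Z_q[x] without reduction modulo x^N + 1."""
    res = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[i + j] = (res[i + j] + x * y) % Q
    return res

def inverse(f):
    """Inverse of f in R_q via the extended Euclidean algorithm, or None if f is not a unit."""
    r0, r1 = [1] + [0] * (N - 1) + [1], _strip([c % Q for c in f])   # x^N + 1 and f
    t0, t1 = [0], [1]                                   # Bezout coefficients attached to f
    while r1:
        quot, rem = _divmod(r0, r1)
        prod = _mul_plain(quot, t1)                     # t_next = t0 - quot * t1
        t0, t1 = t1, [((t0[i] if i < len(t0) else 0) - (prod[i] if i < len(prod) else 0)) % Q
                      for i in range(max(len(t0), len(prod)))]
        r0, r1 = r1, rem
    if len(_strip(r0)) != 1:                            # gcd is not a nonzero constant
        return None
    unit = pow(r0[0], -1, Q)
    return reduce_q(([c * unit for c in t0] + [0] * N)[:N])

def sample_small(rng):
    """Constructed stand-in for the B-bounded distribution chi: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng):
    """sk f = 2f' + 1 (so f = 1 mod 2), resampled until invertible; pk h = [2 g f^{-1}]_q."""
    while True:
        f = add(scale(2, sample_small(rng)), const(1))
        f_inv = inverse(f)
        if f_inv is not None:
            return f, mul(scale(2, sample_small(rng)), f_inv)

def encrypt(h, m, rng):
    """c = [h s + 2 e + m]_q for a bit m, with s, e small."""
    return add(add(mul(h, sample_small(rng)), scale(2, sample_small(rng))), const(m))

def decrypt(f_joint, c):
    """mu = [f c]_q, then mu mod 2; for two keys the joint key is f1 * f2."""
    return mul(f_joint, c)[0] % 2

def multikey_demo(seed=1):
    """Add/multiply ciphertexts under two unrelated keys and decrypt under f1 f2."""
    rng = random.Random(seed)
    (f1, h1), (f2, h2) = keygen(rng), keygen(rng)
    joint, out = mul(f1, f2), {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(h1, m1, rng), encrypt(h2, m2, rng)
            assert decrypt(f1, c1) == m1 and decrypt(f2, c2) == m2      # single-key check
            c_add, c_mul = add(c1, c2), mul(c1, c2)
            assert max(abs(x) for x in mul(joint, c_mul)) < Q // 2       # noise budget holds
            out[(m1, m2)] = (decrypt(joint, c_add), decrypt(joint, c_mul))
    return out   # {(m1, m2): ((m1 + m2) mod 2, m1 * m2)}
```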

Extending this to circuits, we notice that the secret key required to decrypt a ciphertext $c$ that is the output of a homomorphic evaluation on ciphertexts encrypted under $N$ different keys is $\prod_{i=1}^{N} f_i^{d_i}$, where $d_i$ is the degree of the $i$th variable in the polynomial function computed by the circuit. Thus, decrypting a ciphertext that was the product of a homomorphic evaluation requires knowing the circuit! This is unacceptable even for somewhat homomorphic encryption.

We employ the relinearization technique of Brakerski and Vaikuntanathan [BV11a] to essentially reduce the degree from $d_i$ to 1, so that the key needed to decrypt the evaluated ciphertext is now $\prod_{i=1}^{N} f_i$. This guarantees that decryption is dependent on the number of keys $N$ but independent of the circuit computed. After using relinearization, we can show that the resulting scheme is multikey somewhat homomorphic for $\approx n^{\delta}$ keys and circuits of depth $\approx \log \log q - \delta \log n$ for any $\delta \in (0, 1)$.


From (Multikey) Somewhat to Fully Homomorphic Encryption. Once we obtain a (multikey) somewhat homomorphic encryption scheme, we can apply known techniques to convert it into a (multikey) fully homomorphic scheme. In particular, we follow the original template of our work [LTV12] and use modulus reduction [BV11a, BGV12] to increase the circuit depth that the scheme can handle in homomorphic evaluation. This yields a leveled homomorphic scheme for $N$ keys that can evaluate circuits of depth $D$ as long as $ND \approx \log q$. For any number of keys $N$ and any depth $D$, we can set $q$ to be large enough to guarantee the successful homomorphic evaluation of depth-$D$ circuits on ciphertexts encrypted under $N$ different keys.

Theorem 1.1 (Informal). For all $N \in \mathbb{N}$ and $D \in \mathbb{N}$, there exists a leveled homomorphic encryption scheme that can homomorphically evaluate depth-$D$ circuits on ciphertexts encrypted under at most $N$ different keys. The size of the keys and ciphertexts in the scheme grow polynomially with $N$ and $D$.


Finally,  using  an  analog  of  Gentry’s  bootstrapping  theorem  [Gen09b,  Gen09a]  for  the  multikey 
setting,  we  can  convert  the  leveled  homomorphic  scheme  into  a  fully  homomorphic  scheme,  in  which 
the  algorithms  are  independent  of  the  circuit  depth  D  (albeit  with  an  additional  circular  security 
assumption).  On  the  other  hand,  we  are  unable  to  remove  the  dependence  on  the  number  of  keys 
N,  and  therefore  obtain  a  scheme  that  is  fully  homomorphic  with  respect  to  the  depth  of  circuits 
it  can  evaluate,  but  “leveled”  with  respect  to  the  number  of  different  keys  it  can  handle. 

We remark that using the recent noise-management technique of Brakerski [Bra12], it is possible to obtain a simpler leveled homomorphic scheme, based on a weaker security assumption. This was already noted in the follow-up work of Bos et al. [BLLN13]. In another recent work, Gentry, Sahai, and Waters [GSW13] show how to remove the required evaluation key, yielding an even simpler scheme.


Security. Stehlé and Steinfeld [SS11b] showed that the security of the modified NTRU encryption scheme can be based on the Ring-LWE assumption of Lyubashevsky et al., which can be reduced to worst-case hard problems in ideal lattices [LPR10]. To prove the security of NTRU, Stehlé and Steinfeld first show that the public key $h = [2 g f^{-1}]_q$ is statistically close to uniform over the ring $R_q$ if $f$ and $g$ are sampled from a discrete Gaussian with standard deviation $\mathrm{poly}(n)\sqrt{q}$ (which can be shown to be a $\mathrm{poly}(n)\sqrt{q}$-bounded distribution). Unfortunately, if we sample $f$ and $g$ from this distribution the error in a single homomorphic operation would grow large enough to cause decryption failures. We must therefore make the assumption that the public key $h = [2 g f^{-1}]_q$ is computationally indistinguishable⁴ from uniform over $R_q$ when $f$ and $g$ are sampled from a discrete Gaussian that is $B$-bounded for
Ultimately,  we  arrive  at  the  following  theorem. 

Theorem 1.2 (Informal). For all $N \in \mathbb{N}$, there exists a fully homomorphic encryption scheme that can perform homomorphic evaluation on ciphertexts encrypted under at most $N$ different keys. The size of the keys and ciphertexts in the scheme grows polynomially with $N$. The security of the scheme is based on the Ring-LWE assumption, the assumption that the public key is pseudorandom, and the assumption that the scheme is weakly circular secure.

In a follow-up work, Bos et al. [BLLN13] show how to apply Brakerski's techniques [Bra12] to maintain the fully homomorphic properties of the scheme while sampling the elements $f$ and $g$ from a discrete Gaussian with standard deviation $\mathrm{poly}(n)\sqrt{q}$, as in the work of Stehlé and Steinfeld [SS11b]. This yields an NTRU-based FHE scheme that is secure under the RLWE assumption alone. However, as far as we know, this scheme is multikey for only a constant number of parties, which is an inherent property of any FHE scheme (see Section 3.2.1).

1.3  On-The-Fly  MPC  from  Multikey  FHE 

Once  we  have  constructed  multikey  FHE  for  any  number  of  keys,  we  can  construct  on-the-fly  MPC. 
The  following  gives  an  informal  outline  of  our  protocol. 

Offline Phase: The clients sample independent key tuples $(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i)$, encrypt their input under their corresponding public key, $c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, x_i)$, and send this ciphertext to the server along with the public and evaluation keys $(\mathrm{pk}_i, \mathrm{ek}_i)$.

Online Phase: Once a function has been chosen, together with a corresponding subset of computing parties $V$:

Step 1: The server performs the multikey homomorphic evaluation of the desired circuit on the corresponding ciphertexts, and broadcasts the evaluated ciphertext to all computing parties (i.e. all parties in $V$).

Step 2: The computing parties (i.e. parties in $V$) run a generic MPC protocol to decrypt the evaluated ciphertext using their individual secret keys $\mathrm{sk}_i$.

Observe  that  the  computation  of  the  decryption  function  in  Step  2  of  the  online  phase  can  itself 
be  delegated  to  the  server.  In  particular,  if  we  instantiate  the  decryption  protocol  using  the  cloud- 
assisted  MPC  protocol  of  Asharov  et  al.  [AJW11,  AJL+12]  we  obtain  a  round-efficient  solution: 
the  overall  protocol  has  an  online  phase  of  only  5  rounds. 

1.3.1  Protocol  Security 

We show that the above protocol is secure against semi-malicious adversaries [AJW11, AJL+12], who follow the protocol specification (like semi-honest adversaries) but choose their random coins from an arbitrary distribution (like malicious adversaries). We then show how to modify the protocol to achieve security against malicious adversaries. We make three modifications, described below.

[4] It is not difficult to see that with our setting of parameters, the distribution of the public key is not statistically close to uniform. We must therefore rely on computational indistinguishability.
Modifying the Decryption Protocol. The first modification we make is to change the decryption protocol in Step 2 of the online phase to first check that the secret key being used is a valid secret key for the corresponding public and evaluation keys. This ensures that if decryption is successful, then in particular, a corrupted party knows a valid secret key $\mathrm{sk}_i$. This secret key binds the corrupted party to the input $x_i = \mathrm{Dec}(\mathrm{sk}_i, c_i)$, which by semantic security of the FHE must be independent of the honest inputs.

Once again, we note that the computation of this function can be delegated to the server using the cloud-assisted protocol of Asharov et al. [AJW11, AJL+12], yielding a 5-round online phase.

Adding Zero-Knowledge Proofs. We further require that in the offline phase, each party create a non-interactive zero-knowledge proof $\pi_i^{\mathrm{ENC}}$ showing that the ciphertext $c_i$ is well-formed (i.e. that there exist a plaintext $x_i$ and randomness $s_i$ such that $c_i = \mathrm{Enc}(\mathrm{pk}_i, x_i; s_i)$). This guarantees that for a corrupted party, $\mathrm{Dec}(\mathrm{sk}_i, c_i) \neq \bot$ and thus the party really "knows" an input $x_i$. Furthermore, it guarantees that the ciphertexts $c_i$ are fresh encryptions, which is important in our setting of fully homomorphic encryption, where we must ensure that the error stays low in a homomorphic evaluation.

While  constructions  of  NIZK  arguments  are  known  for  all  of  NP  [GOS06,  GOS12],  using  these 
constructions  requires  expensive  NP  reductions.  To  avoid  this,  in  Section  4.2.3  we  show  how  to 
construct  an  efficient  NIZK  argument  system,  secure  in  the  random  oracle  model,  for  proving  the 
well-formedness  of  a  ciphertext  in  the  NTRU-based  multikey  FHE  scheme  (the  scheme  we  use  to 
instantiate  the  generic  multikey  FHE  scheme  in  our  on-the-fly  MPC  construction). 

Adding Verification of Computation. Finally, we must also rely on a succinct argument system [Kil92, Kil95, Mic94, GKR08, GLR11, BCCT12, BCCT13] to ensure that the server performs the homomorphic computation correctly. Due to the dynamic nature of our on-the-fly model, we are unable to use verifiable computation protocols in the pre-processing model [GGP10, CKV10, AIK10] or succinct arguments with a reference string that depends on the circuit being computed [Gro10, Lip12, GGPR13, PHGR13, Lip13]. These would require the clients to perform some pre-computation dependent on the circuit to be computed before knowing the circuit, or to interact with the server after a function has been selected and compute in time proportional to the circuit-size of the function. Indeed, the beauty of our on-the-fly MPC model is that the server can choose any function dynamically, "on-the-fly", and homomorphically compute this function without interacting with the clients, who additionally compute in time only polylogarithmic in the size of any function being computed.

We  show  how  to  guarantee  verification  of  computation  in  two  different  cases. 

Verification for Small Inputs: When the total size of the inputs (and therefore the ciphertexts) is small enough to be broadcast to all parties, it suffices for the server to use any of the succinct arguments of [Kil92, Kil95, Mic94, GKR08, GLR11, BCCT12, BCCT13] to prove that it carried out the computation correctly as specified. Along with this argument, the server broadcasts the ciphertexts $c_i$ and the public and evaluation keys $(\mathrm{pk}_i, \mathrm{ek}_i)$ for all parties in $V$. With this information, the computing parties can verify the argument before engaging in the decryption protocol.

Verification for Large Inputs: In the case when the total size of the inputs (and therefore the ciphertexts) is too large to be broadcast to all parties, we additionally require the parties to sample a hash key $\mathrm{hk}_i$ for a collision-resistant hash function, and compute a digest $d_i$ of the ciphertext $c_i$. Each party then sends the tuple $(\mathrm{pk}_i, \mathrm{ek}_i, c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i)$ to the server in the offline phase. It is then sufficient for the server to broadcast the tuples $(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)$ and a succinct argument for the NP language:

"there exist $c_1, \pi_1^{\mathrm{ENC}}, \ldots, c_N, \pi_N^{\mathrm{ENC}}$ such that $d_i = H_{\mathrm{hk}_i}(c_i)$ and $c = \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N))$ and $\pi_i^{\mathrm{ENC}}$ is a valid proof".

If the succinct argument is additionally a proof of knowledge, as in the case of CS proofs [Mic94] under Valiant's analysis [Val08], and the SNARKs of Bitansky et al. [BCCT12, BCCT13], then we are guaranteed that the server actually "knows" such $c_1, \pi_1^{\mathrm{ENC}}, \ldots, c_N, \pi_N^{\mathrm{ENC}}$ whenever it successfully convinces the clients.

Putting  everything  together,  we  arrive  at  the  following  theorem. 

Theorem 1.3 (Informal). There exists an on-the-fly MPC protocol in the CRS model with the following properties:

• Achieves security against malicious corruptions of an arbitrary subset of clients and possibly the server, under the Ring-LWE assumption, the assumption that the public key in the (modified) NTRU cryptosystem [HPS98, SS11b] is pseudorandom for a special setting of parameters, and the existence of zero-knowledge proofs and a secure succinct argument system.

• The offline phase runs in one (asynchronous) round of unidirectional communication from the parties to the server. The online phase runs in 5 rounds.

• The communication complexity of the online phase and the computation time of the computing parties therein is polylogarithmic in the size of the computation and the total size of the inputs, and linear in the size of their own input and the size of the output.

• The computation time of the server is polynomial in the size of the circuit.

1.4  Related  Work 

We briefly survey related works in the areas of fully homomorphic encryption, MPC from homomorphic encryption, and MPC with the aid of a "cloud" server.

Fully Homomorphic Encryption. The notion of fully homomorphic encryption was first proposed by Rivest, Adleman, and Dertouzos [RAD78], but was only recently constructed in the groundbreaking result of Gentry [Gen09b, Gen09a]. In subsequent years, many improvements and new constructions have appeared in the literature [vDGHV10, BV11b, BV11a, BGV12, Bra12, BLLN13, GSW13, BV14].

Gentry's first construction [Gen09b, Gen09a] followed the following blueprint: first, he constructed a somewhat homomorphic encryption scheme working over ideal lattices, that was able to perform a limited number of evaluations. He then proved a bootstrapping theorem, showing that if a somewhat homomorphic scheme can homomorphically evaluate its own decryption circuit, then it can be converted into a fully homomorphic scheme. Unfortunately, Gentry's somewhat homomorphic scheme cannot evaluate its own decryption circuit and is therefore not bootstrappable. Nevertheless, he was able to construct a bootstrappable scheme by squashing the decryption circuit sufficiently for the scheme to be able to homomorphically evaluate it. Using this squashing technique required making an additional security assumption, namely, the sparse subset sum (SSS) assumption.

van Dijk et al. [vDGHV10] subsequently showed how to construct FHE over the integers, and Brakerski and Vaikuntanathan [BV11b] showed how to construct FHE from the Ring-LWE assumption of Lyubashevsky, Peikert, and Regev [LPR10]. Both of these works use squashing and bootstrapping, as in Gentry's original blueprint.

Gentry and Halevi [GH11a] showed how to use depth-3 arithmetic circuits and a hybrid of somewhat homomorphic encryption and multiplicatively homomorphic encryption (e.g. ElGamal encryption [Gam84]) to construct FHE without the use of squashing, and therefore without assuming the hardness of the SSS problem. In a separate work, Brakerski and Vaikuntanathan [BV11a] showed how to construct FHE from Regev's (standard) LWE assumption [Reg05, Reg09]. In this work, they introduced the techniques of relinearization and modulus reduction, which allowed them to forgo squashing as well. Brakerski, Gentry, and Vaikuntanathan [BGV12] later showed a refinement of these techniques into so-called key switching and modulus switching, and showed how to build "leveled" homomorphic schemes that can evaluate circuits of any a-priori known depth without the use of squashing or bootstrapping. Formally, they show that for every $D \in \mathbb{N}$, there exists a homomorphic scheme $\mathcal{E}_D$ that is able to homomorphically evaluate circuits of depth $D$. Their technique involves switching to a smaller modulus after every level in a homomorphic computation, therefore requiring a fairly large modulus at the start of the computation. This required basing the security of their scheme on the hardness of solving approximate-SVP to within sub-exponential factors. Coron et al. [CNT12] show how to apply the modulus reduction technique over the integers.

In work subsequent to ours, Brakerski [Bra12] showed a new noise-management technique that forgoes the modulus switching step, allowing the use of a single modulus that is much smaller than the one needed in the BGV scheme. Security of Brakerski's scheme can be based on the hardness of solving approximate-SVP to within quasi-polynomial factors, a much weaker assumption. Bos et al. [BLLN13] show how to apply Brakerski's noise-management technique to the (multikey) FHE described in this work [LTV12], based on the NTRU encryption scheme of Hoffstein, Pipher, and Silverman [HPS98], with the modifications of Stehlé and Steinfeld [SS11b]. They further show that using these techniques, one can base security of the resulting FHE scheme on the Ring-LWE assumption alone, by using Stehlé and Steinfeld's original analysis. Their construction, however, is multikey for only a constant number of keys, which we show is an inherent property of any FHE scheme. Coron et al. [CLT14] show how to apply Brakerski's techniques over the integers.

Finally, Gentry et al. [GSW13] show how to construct a leveled homomorphic scheme that does not require the use of an evaluation key to perform homomorphic computation, as all previous schemes do. Brakerski and Vaikuntanathan [BV14] show how to leverage the techniques of Gentry et al. [GSW13] to build a leveled homomorphic scheme that is as secure as standard (non-FHE) LWE-based public-key encryption.

Many other works study the efficiency of the schemes described above and present several optimizations [SV10, SS11a, GH11b, CMNT11, GHPS12, GHS12a, GHS12b, GHS12c, CCK+13, SV14].


MPC from Homomorphic Encryption. The basic idea of using threshold homomorphic encryption (e.g. Paillier encryption [Pai99]) to boost the efficiency of MPC protocols was first presented by Cramer, Damgård, and Nielsen [CDN01], predating the existence of fully homomorphic encryption (first shown by Gentry in 2009 [Gen09b, Gen09a]). They show that if the parties have access to a public key for an additively homomorphic encryption scheme, and if they also have a corresponding secret key secret-shared among them, then they can evaluate any Boolean circuit "under the covers" of the encryption. Using the homomorphic properties of the scheme, the parties can locally evaluate all addition gates. Cramer et al. additionally show a short, interactive subprotocol for evaluating multiplication gates. After showing the first construction of fully homomorphic encryption, Gentry used the same template to show a generic MPC construction from any FHE [Gen09a].

In a work concurrent to ours, Myers, Sergi, and Shelat [MSS13] show a black-box construction of MPC from any threshold FHE scheme. Their main hurdle is devising a way for parties to prove plaintext knowledge of a ciphertext. To this end, they present a 2-round protocol for proving plaintext knowledge, which they construct from any circuit-private FHE scheme. Their protocol is not zero-knowledge [GO94], but it conserves the semantic security of the ciphertext in question. They also show how to construct threshold FHE using the scheme of van Dijk et al. [vDGHV10] over the integers. While the communication of their protocol is independent of the circuit-size of the function being computed, their protocol is not computation-efficient: parties compute proportionally to the complexity of the function.

Other works by Damgård et al. [BDOZ11, DPSZ12, DKL+13] build MPC from "semi-homomorphic" and somewhat homomorphic encryption. Their protocols require all parties to compute proportionally to the complexity of the function at hand, and require interaction between parties at every gate. However, they display very good concrete efficiency. A work of Choudhury et al. [CLO+13] shows how to trade computation efficiency for communication efficiency. Their protocol is parametrized by an integer $L$. Setting $L = 2$ yields a classic MPC protocol, in which interaction is required for computing every gate. As $L$ increases, interaction is required less frequently, and only to "refresh" the computation after an increasing number of steps. Thus, at the heart of their construction lies an interactive "bootstrapping" protocol that refreshes ciphertexts during the evaluation.

Finally, a recent work by Garg et al. [GGHR14] shows how to achieve 2-round MPC in the CRS model from indistinguishability obfuscation (iO) [BGI+12]. As an optimization, they use multikey FHE (as defined in this work) to construct 2-round MPC with communication complexity that is independent of the circuit being computed. Though an efficient construction of iO is known for all circuits [GGH+13b], its security is based on assumptions on multilinear maps [GGH13a] that are not very well understood yet.


MPC on the Cloud. The idea of using a powerful cloud server to alleviate the computational efforts of parties in an MPC protocol was recently explored in the work on "server-aided MPC" by Kamara, Mohassel, and Raykova [KMR11]. Their protocols, however, require some of the parties to do a large amount of work, essentially proportional to the size of the computation.

Halevi,  Lindell,  and  Pinkas  [HLP11]  recently  considered  the  model  of  “secure  computation  on 
the  web”  wherein  the  goal  is  to  minimize  interaction  between  the  parties.  While  their  definition 
requires  absolutely  no  interaction  among  the  participants  of  the  protocol  (they  only  interact  with 
the  server),  they  show  that  this  notion  can  only  be  achieved  for  a  small  class  of  functions.  Our 
goal,  on  the  other  hand,  is  to  construct  MPC  protocols  for  arbitrary  functions. 
1.5 Roadmap


We  have  given  a  high-level  overview  of  our  results.  Detailed  descriptions  of  all  the  results  highlighted 
in  this  introduction  can  be  found  in  the  corresponding  sections. 

In Section 2 we present preliminaries, definitions and technical tools used throughout the remaining sections.

In  Section  3,  we  define  multikey  FHE  and  describe  several  constructions.  In  particular,  we  show 
that  any  FHE  is  inherently  multikey  for  a  constant  number  of  keys,  and  that  the  ring-based  FHE 
scheme  of  Brakerski  and  Vaikuntanathan  is  somewhat  homomorphic  for  a  logarithmic  number  of 
keys.  More  importantly,  we  show  that  the  NTRU  encryption  scheme  can  be  made  multikey  fully 
homomorphic  for  any  number  of  keys. 

In  Section  4  we  show  how  to  construct  on-the-fly  MPC  from  multikey  FHE.  We  show  a  basic 
protocol  that  is  secure  against  semi-malicious  corruptions,  and  then  describe  how  to  modify  it 
to  achieve  security  against  malicious  adversaries.  We  also  show  how  to  construct  efficient  NIZKs 
(in  the  random  oracle  model)  for  proving  plaintext  knowledge  for  the  NTRU-based  FHE  scheme 
described in Section 3. Finally, we show that a completely non-interactive solution is impossible.


2  Definitions  and  Preliminaries 

2.1  Notation 

In this work, we use the following notation. We use $\kappa$ to denote the security parameter. For an integer $n$, we use the notation $[n]$ to denote the set $[n] \stackrel{\mathrm{def}}{=} \{1, \ldots, n\}$. For a randomized function $f$, we write $f(x; r)$ to denote the unique output of $f$ on input $x$ with random coins $r$. We write $f(x)$ to denote a random variable for the output of $f(x; r)$ over uniformly random coins $r$. For a distribution or random variable $X$, we write $x \leftarrow X$ to denote the operation of sampling a random $x$ according to $X$. For a set $S$, we overload notation and use $s \leftarrow S$ to denote sampling $s$ from the uniform distribution over $S$. We use $y := f(x)$ to denote the deterministic evaluation of $f$ on input $x$ with output $y$. For two distributions $X$ and $Y$, we use $X \stackrel{c}{\approx} Y$ to mean that $X$ and $Y$ are computationally indistinguishable, and $X \stackrel{s}{\approx} Y$ to mean that they are statistically close.

2.2 Σ-Protocols and Zero-Knowledge Proofs

Σ-Protocols. We recall the notion of gap Σ-protocols [AJW11], a weaker version of Σ-protocols [CDS94], where honest-verifier zero-knowledge holds for all statements in some NP relation $R_{\mathrm{zk}}$ but soundness only holds w.r.t. $R_{\mathrm{sound}} \supseteq R_{\mathrm{zk}}$. In other words, zero-knowledge is guaranteed for an honest prover holding a statement in $R_{\mathrm{zk}}$, but an honest verifier is only convinced that the statement is in a larger set $R_{\mathrm{sound}} \supseteq R_{\mathrm{zk}}$.

Definition 2.1 (Gap Σ-Protocol). Let $R_{\mathrm{zk}}$ and $R_{\mathrm{sound}}$ be two NP relations such that $R_{\mathrm{zk}} \subseteq R_{\mathrm{sound}} \subseteq \{0,1\}^* \times \{0,1\}^*$, and let $L_{\mathrm{zk}}$ and $L_{\mathrm{sound}}$ be their corresponding NP languages. A gap Σ-protocol for $(R_{\mathrm{zk}}, R_{\mathrm{sound}})$ is a 3-step interactive protocol $(P, V)$ between a prover $P = (P_1, P_2)$ and a verifier $V = (V_1, V_2)$, with the following syntax:

• $(a, \mathrm{st}) \leftarrow P_1(x, w)$: Given a statement and witness pair $(x, w)$, outputs a message $a$ and a state string $\mathrm{st}$.

• $c \leftarrow V_1(x, a)$: Given a statement $x$ and message $a$, outputs a random challenge $c$ from a challenge space $C$.

• $z \leftarrow P_2(\mathrm{st}, c)$: Given a state string $\mathrm{st}$ and a challenge $c$, outputs an answer $z$.

• $b \leftarrow V_2(x, a, c, z)$: Given a statement $x$, a message $a$, a challenge $c$, and an answer $z$, outputs a bit $b$, i.e. either accepts or rejects the transcript $(a, c, z)$ for statement $x$.


We  require  that  the  following  three  properties  hold: 


Completeness: For any $(x, w) \in R_{\mathrm{zk}}$,

$$\Pr\left[\, V_2(x, a, c, z) = 1 \;\middle|\; (a, \mathrm{st}) \leftarrow P_1(x, w),\; c \leftarrow V_1(x, a),\; z \leftarrow P_2(\mathrm{st}, c) \,\right] = 1.$$

Special Soundness: There exists an "extractor" such that for any two accepting transcripts $(a, c, z)$ and $(a, c', z')$ for the same statement $x$ with $c \neq c'$, the extractor outputs a valid witness for $x \in L_{\mathrm{sound}}$. Formally, there exists a PPT algorithm $\mathrm{Ext}$ such that for all $x$ and all $(a, c, z)$ and $(a, c', z')$ such that $c \neq c'$ and $V_2(x, a, c, z) = V_2(x, a, c', z') = 1$:

$$\Pr\left[\, (x, w) \in R_{\mathrm{sound}} \;\middle|\; w \leftarrow \mathrm{Ext}(x, a, c, z, c', z') \,\right] = 1.$$


Honest-Verifier Zero Knowledge (HVZK): There exists a PPT simulator $\mathrm{Sim}$ that "simulates" valid transcripts without knowing a witness, if it sees the challenge beforehand. Formally, there exists a PPT algorithm $\mathrm{Sim}$ such that for all $(x, w) \in R_{\mathrm{zk}}$ and all $c \in C$, we have:

$$\left\{ (a, c, z) \;\middle|\; (a, \mathrm{st}) \leftarrow P_1(x, w),\; z \leftarrow P_2(\mathrm{st}, c) \right\} \;\stackrel{s}{\approx}\; \left\{ (a, c, z') \;\middle|\; (a, z') \leftarrow \mathrm{Sim}(x, c) \right\}.$$


For an NP relation $R$ with corresponding language $L$, a well-known construction using Σ-protocols allows a prover to show that either $x_0 \in L$ or $x_1 \in L$ without revealing which one holds. Suppose $(P, V)$ is a Σ-protocol for $R$; we construct a new protocol for proving that either $x_0 \in L$ or $x_1 \in L$. Let $b$ be such that $(x_b, w_b) \in R$ for some witness $w_b$ known to the prover. The prover chooses $c_{1-b}$ at random from the challenge space $C$ and runs $(a_b, \mathrm{st}) \leftarrow P_1(x_b, w_b)$ and $(a_{1-b}, z_{1-b}) \leftarrow \mathrm{Sim}(x_{1-b}, c_{1-b})$. It sends $(a_0, a_1)$ to the verifier, who returns a challenge $c$. The prover computes $c_b = c - c_{1-b}$, runs $z_b \leftarrow P_2(\mathrm{st}, c_b)$ and sends $(c_0, c_1, z_0, z_1)$ to the verifier, who checks that $V_2(x_0, a_0, c_0, z_0) = V_2(x_1, a_1, c_1, z_1) = 1$ and $c = c_0 + c_1$. The resulting protocol is called an OR Σ-protocol. The theorem below modifies this to the setting of gap Σ-protocols.

Theorem 2.1. Let $R_{\mathrm{zk}}$ and $R_{\mathrm{sound}}$ be two NP relations such that $R_{\mathrm{zk}} \subseteq R_{\mathrm{sound}} \subseteq \{0,1\}^* \times \{0,1\}^*$, and let $(P, V)$ be a gap Σ-protocol for $(R_{\mathrm{zk}}, R_{\mathrm{sound}})$. The construction described above is a gap OR Σ-protocol for $(R_{\mathrm{zk}}, R_{\mathrm{sound}})$.
Non-Interactive Zero-Knowledge (NIZK). We also recall the notion of non-interactive zero-knowledge (NIZK) [BFM88]. For our purposes, it is more convenient to use the notion of (same-string) NIZK arguments from [SCO+01]. This definition and all our constructions that use it can be extended in the natural way to NIZK proofs, where soundness holds for all unbounded adversaries[5].

Definition 2.2 (NIZK). Let $R$ be an NP relation on pairs $(x, w)$ with corresponding language $L = \{x \mid \exists\, w \text{ s.t. } (x, w) \in R\}$. A non-interactive zero-knowledge (NIZK) argument system for $R$ consists of three algorithms $(\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ with syntax:

• $(\mathrm{crs}, \mathrm{tk}) \leftarrow \mathrm{Setup}(1^\kappa)$: Outputs a common reference string (CRS) $\mathrm{crs}$ and a trapdoor key $\mathrm{tk}$ to the CRS.

• $\pi \leftarrow \mathrm{Prove}_{\mathrm{crs}}(x, w)$: Outputs an argument $\pi$ showing that $R(x, w) = 1$.

• $0/1 \leftarrow \mathrm{Verify}_{\mathrm{crs}}(x, \pi)$: Verifies whether or not the argument $\pi$ is correct.

For the sake of clarity, we write $\mathrm{Prove}$ and $\mathrm{Verify}$ without the $\mathrm{crs}$ in the subscript when the $\mathrm{crs}$ can be inferred from context. We require that the following three properties hold:

Completeness: For any $(x, w) \in R$,

$$\Pr\left[\, \mathrm{Verify}(x, \pi) = 1 \;\middle|\; (\mathrm{crs}, \mathrm{tk}) \leftarrow \mathrm{Setup}(1^\kappa),\; \pi \leftarrow \mathrm{Prove}(x, w) \,\right] = 1.$$

Soundness: For any PPT adversary $P$,

$$\Pr\left[\, \mathrm{Verify}(x^*, \pi^*) = 1 \;\wedge\; x^* \notin L \;\middle|\; (\mathrm{crs}, \mathrm{tk}) \leftarrow \mathrm{Setup}(1^\kappa),\; (x^*, \pi^*) \leftarrow P(\mathrm{crs}) \,\right] \le \mathrm{negl}(\kappa).$$


Unbounded Zero-Knowledge: There exists a PPT simulator $\mathrm{Sim}$ that "simulates" valid proofs without knowing a witness, but with the aid of the trapdoor key. We start by defining two oracles.

The Prover Oracle: A query to the prover oracle $\mathcal{P}(\cdot)$ consists of a pair $(x, w)$. The oracle checks if $(x, w) \in R$. If so, it outputs a valid argument $\mathrm{Prove}(x, w)$; otherwise it outputs $\bot$.

The Simulation Oracle: A query to the simulation oracle $\mathrm{SIM}_{\mathrm{tk}}(\cdot)$ consists of a pair $(x, w)$. The oracle checks if $(x, w) \in R$. If so, it ignores $w$ and outputs a simulated argument $\mathrm{Sim}(\mathrm{tk}, x)$; otherwise it outputs $\bot$.

Formally, we require that for any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in the following game is negligible (in $\kappa$):

• The challenger samples $(\mathrm{crs}, \mathrm{tk}) \leftarrow \mathrm{Setup}(1^\kappa)$ and gives $\mathrm{crs}$ to $\mathcal{A}$. The challenger also samples a bit $b \leftarrow \{0, 1\}$.

• If $b = 0$, the adversary $\mathcal{A}$ is given access to the prover oracle $\mathcal{P}(\cdot)$. If $b = 1$, $\mathcal{A}$ is given access to the simulation oracle $\mathrm{SIM}_{\mathrm{tk}}(\cdot)$. In either case, the adversary can adaptively access its oracle.

• The adversary $\mathcal{A}$ outputs a bit $b'$.

The advantage of $\mathcal{A}$ is defined to be

$$\left| \Pr[b' = b] - \frac{1}{2} \right|.$$

[5] Apart from modifying the soundness condition, in the setting of proofs key generation samples a CRS but not a trapdoor, and the zero-knowledge simulator first samples a simulated CRS that is computationally indistinguishable from the real CRS, and a trapdoor to this CRS.


Fiat and Shamir [FS86] showed how to convert a Σ-protocol $(P, V)$ for an NP relation $R$ into a NIZK argument for $R$ secure in the random oracle model [BR93]. Informally, the CRS contains a description of a hash function $H$, which is modeled as a random oracle. To compute a non-interactive argument, the prover runs $(a, \mathrm{st}) \leftarrow P_1(x, w)$ and obtains the verifier's challenge by applying the hash function to $a$ and $x$: $c := H(a, x)$. It then computes $z \leftarrow P_2(\mathrm{st}, c)$ and sends the argument $\pi = (a, c, z)$. The verifier runs $V_2(x, a, c, z)$ to verify the argument. The theorem below modifies this to the setting of gap Σ-protocols.

Theorem 2.2 ([FS86]). Let $R_{\mathrm{zk}}$ and $R_{\mathrm{sound}}$ be two NP relations such that $R_{\mathrm{zk}} \subseteq R_{\mathrm{sound}} \subseteq \{0,1\}^* \times \{0,1\}^*$, and let $(P, V)$ be a gap Σ-protocol for $(R_{\mathrm{zk}}, R_{\mathrm{sound}})$. Applying the Fiat-Shamir transform to $(P, V)$ yields a non-interactive zero-knowledge (NIZK) argument system where soundness holds w.r.t. $R_{\mathrm{sound}}$ and completeness and zero-knowledge hold w.r.t. $R_{\mathrm{zk}}$, secure in the random oracle model.


Though secure in the random oracle model, we remark that in some cases standard-model security of the resulting NIZK appears to be harder to achieve [DJKL12, BDG+13]. In particular, if the language $L$ is quasi-polynomially hard and the protocol has messages of size $\mathrm{polylog}(\kappa)$ and is $\kappa^{\log \kappa}$-HVZK, then the resulting NIZK cannot be proven sound via a black-box reduction to a (super-polynomially hard) falsifiable assumption [Nao03].


2.3  Succinct  Non-Interactive  Arguments:  SNARGs  and  SNARKs 

We review the definitions of succinct non-interactive arguments (SNARGs) and succinct non-interactive arguments of knowledge (SNARKs); we use the formalization of Gentry and Wichs [GW11] and Bitansky et al. [BCCT12]. As in the work of Bitansky et al., we allow the proof size to be polynomial in the size of the statement, but require it to be polylogarithmic in the size of the witness. We also require fast proof verification.

Definition 2.3 (SNARG). Let $R$ be an NP relation on pairs $(x, w)$ with corresponding language $L = \{x \mid \exists w \text{ s.t. } (x, w) \in R\}$. A succinct non-interactive argument (SNARG) system for $L$ consists of three algorithms $(\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ with syntax:

•  $(\mathrm{vrs}, \mathrm{priv}) \leftarrow \mathrm{Setup}(1^\kappa)$: Outputs a verification reference string vrs and a private verification state priv.

•  $\psi \leftarrow \mathrm{Prove}(\mathrm{vrs}, x, w)$: Outputs an argument $\psi$ showing that $R(x, w) = 1$.

•  $0/1 \leftarrow \mathrm{Verify}(\mathrm{priv}, x, \psi)$: Verifies whether or not the argument $\psi$ is correct.

We require that the following properties hold:

Completeness: For any $(x, w) \in R$,
$$\Pr\left[\mathrm{Verify}(\mathrm{priv}, x, \psi) = 1 \;:\; (\mathrm{vrs}, \mathrm{priv}) \leftarrow \mathrm{Setup}(1^\kappa),\ \psi \leftarrow \mathrm{Prove}(\mathrm{vrs}, x, w)\right] = 1.$$
In addition, $\mathrm{Prove}(\mathrm{vrs}, x, w)$ runs in time $\mathrm{poly}(\kappa, |x|, |w|)$.

Adaptive Soundness: For any PPT adversary $P$,
$$\Pr\left[\mathrm{Verify}(\mathrm{priv}, x^*, \psi^*) = 1 \;\wedge\; x^* \notin L \;:\; (\mathrm{vrs}, \mathrm{priv}) \leftarrow \mathrm{Setup}(1^\kappa),\ (x^*, \psi^*) \leftarrow P(\mathrm{vrs})\right] = \mathrm{negl}(\kappa).$$

Succinctness: The length of the proof and the time required for its verification are polylogarithmic in the size of the witness, i.e. $\mathrm{poly}(\kappa)\,(\mathrm{poly}(|x|) + \mathrm{polylog}(|w|))$.

Definition 2.4 (SNARK). A SNARG $\Phi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ is additionally a proof of knowledge, or a succinct non-interactive argument of knowledge (SNARK), if it satisfies the following stronger definition of soundness:

Adaptive Extractability: There exists an extractor Ext that "extracts" a valid witness from any valid proof $\psi$. Formally, for any PPT adversary $P$ there exists a PPT algorithm Ext such that
$$\Pr\left[\mathrm{Verify}(\mathrm{priv}, x^*, \psi^*) = 1 \;\wedge\; R(x^*, w') = 0 \;:\; (\mathrm{vrs}, \mathrm{priv}) \leftarrow \mathrm{Setup}(1^\kappa),\ (x^*, \psi^*) \leftarrow P(\mathrm{vrs}),\ w' \leftarrow \mathrm{Ext}(x^*, \psi^*)\right] = \mathrm{negl}(\kappa).$$

Public vs. Private Verifiability. In the case where priv = vrs, we say that the SNARG or SNARK is publicly verifiable. In this case, anyone can verify all proofs. Otherwise, we say that it is a designated-verifier SNARG/SNARK, in which case soundness/extractability is only guaranteed as long as priv remains hidden from the prover. In this case, only the party holding priv can verify the proof.


2.3.1  Delegation  of  Computation  from  SNARGs 

In delegation of computation we are concerned with a client $C$ who wishes to delegate the computation of a pre-specified polynomial-time algorithm $M$ on an input $x$ to a worker $W$. The client additionally wishes to verify the correctness of the output $y$ returned by $W$ (i.e. verify that $y = M(x)$) in time that is significantly smaller than the time required to compute $M(x)$ from scratch.

SNARGs can be used in this setting as follows. Define the NP language $L_M = \{(x, y) : M(x) = y\}$. A straightforward witness to the statement $(x, y) \in L_M$ consists of the steps taken by $M$ in a computation of $M(x)$ resulting in the output $y$. The size of this witness is proportional to the size of the computation. Using a SNARG guarantees that the size of the proof is polylogarithmic in the size of the witness, and therefore polylogarithmic in the size of the computation.


2.3.2  Constructions 

Gentry and Wichs [GW11] proved that standard-model security of SNARGs with adaptive soundness and proof size sublinear in the witness and statement sizes cannot be based on any falsifiable assumption [Nao03]. The constructions we show below either assume a random oracle [BR93] or, most often, use a non-falsifiable assumption.
CS Proofs. Kilian [Kil92, Kil95] showed how to perform succinct interactive verification for any NP language. His solution describes a 4-round protocol, where the prover first constructs a PCP for the correctness of the computation and then uses Merkle hashes to compress it to a sufficiently small proof. Micali's CS proofs [Mic94] apply the Fiat-Shamir transform [FS86] to Kilian's protocol, obtaining a non-interactive solution. CS proofs are publicly verifiable SNARGs (and SNARKs under Valiant's analysis [Val08]); indeed, the only "setup" required is a description of a hash function $H$ to use as the random oracle. This can be ensured by letting the vrs be a random key for a (say) collision-resistant hash function.

Due to its use of the Fiat-Shamir transform, Micali's solution is only secure in the random oracle model [BR93]. Unfortunately, several results have shown the implausibility of instantiating the random oracle in the Fiat-Shamir transform with any explicit hash function [HT98, Bar01, CGH04, DNRS03, GK03]. In particular, Dachman-Soled et al. [DJKL12, BDG+13] show that the security of CS proofs (even with non-adaptive soundness) cannot be based on any falsifiable assumption. On the other hand, it has been shown that the security of the Fiat-Shamir paradigm can be based on specific non-falsifiable assumptions regarding the existence of robust randomness condensers for seed-dependent sources [BLV06, DRV12].

Constructions with Small VRS. Bitansky et al. [BCCT12, BCCT13] and Goldwasser et al. [GLR11] revisit the construction of CS proofs and, based on the works of Di Crescenzo and Lipmaa [CL08] and Valiant [Val08], show how to construct SNARGs and SNARKs based on a different non-falsifiable assumption relating to the existence of extractable collision-resistant hash functions. In these works, the verifier's entire computation (both in computing its reference string vrs and in verifying the proof) depends only polylogarithmically on the size of the witness (i.e. the delegated computation). The SNARGs and SNARKs in these works are designated-verifier.

Allowing a Large VRS. Another series of works [Gro10, Lip12, GGPR13, PHGR13, Lip13] constructs SNARGs and SNARKs where the verifier's reference string vrs is allowed to depend on the circuit being delegated. In particular, Groth's construction [Gro10] has a VRS of size quadratic in the circuit size. Lipmaa [Lip12] reduces this size to quasi-linear, and the works of Gennaro et al. [GGPR13] and Parno et al. [PHGR13] further reduce it to linear in the circuit size. Lipmaa [Lip13] refines the construction of Gennaro et al. to reduce the magnitude of the constant in the size of the VRS. All of these constructions are based on certain number-theoretic non-falsifiable assumptions.

2.4  Secure  Multiparty  Computation  (MPC) 

Let $f$ be an $N$-input function with a single output. A multiparty protocol $\Pi$ for $f$ is a protocol between $N$ interactive Turing Machines $P_1, \ldots, P_N$, called parties, such that for all $\mathbf{x} = (x_1, \ldots, x_N)$, the output of $\Pi$ in an execution where $P_i$ is given $x_i$ as input is $y \stackrel{\mathrm{def}}{=} f(\mathbf{x})$.

2.4.1  Security  in  the  Ideal/Real  Paradigm 

Informally,  a  multiparty  protocol  n  is  secure  if  after  running  n,  no  colluding  set  of  corrupt  parties 
can  learn  anything  about  an  honest  player’s  input  or  change  the  output  of  an  honest  party.  We 
formalize  this  in  the  Ideal/Real  paradigm  (see  e.g.  [Gol04]). 
Ideal and Real Worlds. We define an ideal world in which the computation of $f$ is performed through a trusted functionality $\mathcal{F}$ that receives inputs $x_i$ from each party $P_i$, computes $y \stackrel{\mathrm{def}}{=} f(x_1, \ldots, x_N)$ and gives $y$ to all parties $P_1, \ldots, P_N$. It is clear that in the ideal world, the only information that any party learns is its own input and the output $y$. We also define a real world in which parties $P_1, \ldots, P_N$ run the protocol $\Pi$.

The  Network.  We  assume  that  the  real-world  execution  of  the  protocol  is  performed  over  a  secure 
and  synchronous  network;  that  is,  we  assume  that  parties  can  reliably  send  messages  to  other  parties 
without  these  being  read  or  altered  in  transmission,  and  that  all  point-to-point  communications 
happen  at  the  same  time.  We  also  assume  that  a  secure  broadcast  channel  is  available  to  all  parties. 

The  Adversary.  In  either  world,  we  consider  a  single  adversary  that  is  allowed  to  corrupt  any 
subset  of  t  <  N  parties.  An  adversary  is  modeled  as  an  interactive  Turing  Machine  that  receives  all 
messages  directed  to  the  corrupted  parties  and  controls  the  messages  sent  by  them.  In  this  work, 
we  consider  only  static  adversaries,  that  is,  adversaries  that  select  the  subset  of  corrupted  parties 
non-adaptively,  before  any  computation  is  performed.  On  the  other  hand,  we  assume  that  in  each 
round  of  the  protocol,  the  adversary  chooses  the  messages  for  the  corrupted  parties  adaptively, 
based  on  the  entire  transcript  of  the  protocol,  up  to  that  round. 

We  remark  that  our  results  can  be  extended  to  achieve  security  against  rushing  real-world 
adversaries  who,  on  any  given  round,  choose  the  messages  for  the  corrupted  parties  adaptively, 
based  on  the  entire  transcript  of  the  protocol  and  the  messages  of  the  honest  parties  on  that  round. 
Note  that  rushing  adversaries  correspond  to  a  semi-synchronous  model  of  communication. 

Output Distributions. We use $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}}(\mathbf{x})$ to denote the joint output of an ideal-world adversary $\mathcal{S}$ and parties $P_1, \ldots, P_N$ in an ideal execution with functionality $\mathcal{F}$ and inputs $\mathbf{x} = (x_1, \ldots, x_N)$. Similarly, we use $\mathrm{REAL}_{\Pi,\mathcal{A}}(\mathbf{x})$ to denote the joint output of a real-world adversary $\mathcal{A}$ and parties $P_1, \ldots, P_N$ in an execution of protocol $\Pi$ with inputs $\mathbf{x} = (x_1, \ldots, x_N)$.

We say that a protocol $\Pi$ securely realizes $\mathcal{F}$ against the class of adversaries Adv if for every real-world adversary $\mathcal{A} \in \mathrm{Adv}$ there exists an ideal-world adversary $\mathcal{S}$ with black-box access to $\mathcal{A}$ such that for all input vectors $\mathbf{x}$,
$$\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}}(\mathbf{x}) \;\stackrel{c}{\approx}\; \mathrm{REAL}_{\Pi,\mathcal{A}}(\mathbf{x}).$$


2.4.2  Types  of  Adversaries 

As  stated  above,  in  this  work  we  only  consider  classes  of  adversaries  Adv  containing  static  adversaries 
that  corrupt  any  subset  of  t  <  N  parties.  We  now  describe  three  different  types  of  adversaries: 
malicious,  semi-honest,  and  semi-malicious.  The  first  two  are  used  extensively  in  the  literature, 
while  the  latter  was  introduced  recently  by  Asharov  et  al.  [AJW11,  AJL+12].  Of  these,  malicious 
adversaries  are  the  strongest,  and  it  is  our  end  goal  to  achieve  security  against  them  in  all  our 
protocols. 

It  is  customary  to  prove  security  against  semi-honest  adversaries  as  a  stepping  stone  to  proving 
security  against  malicious  adversaries.  However,  in  this  work  we  follow  a  different  path  and  first 
prove  security  against  semi-malicious  adversaries.  We  then  show  how  to  modify  the  protocol  at 
hand  to  achieve  security  against  malicious  adversaries.  For  completeness,  we  describe  all  three 
types of adversaries below and describe how security against one type is related to security against
another. 


Semi-Honest  Adversaries.  A  semi-honest  adversary,  also  known  as  an  honest-but-curious  ad¬ 
versary,  is  one  that  follows  the  protocol  as  described  (samples  randomness  from  the  correct  distri¬ 
bution,  and  computes  the  specified  message  at  each  round),  but  given  its  view  of  the  protocol  will 
try  to  learn  information  about  honest  players’  inputs. 


Malicious  Adversaries.  A  malicious  adversary  is  not  restricted  in  how  it  samples  random  el¬ 
ements  or  how  it  computes  its  messages  at  each  round.  It  can  sample  random  elements  from 
any  arbitrary  distribution,  and  compute  the  messages  of  corrupted  parties  in  any  arbitrary  way, 
adaptively,  according  to  the  partial  view  it  has  seen  up  to  that  point. 


Semi-Malicious Adversaries. Recall that an adversary is modeled as an interactive Turing Machine (ITM). A semi-malicious adversary is an ITM with an additional witness tape. At each round $\ell$ and for every corrupted party $P_j$, the adversary must write on the special witness tape some witness pair $(x_j^{(\ell)}, r_j^{(\ell)})$ of input and randomness that explains the message $m_j^{(\ell)}$ sent by $P_j$ on that round. More formally, the messages of a corrupted party $P_j$ must match those of the specified honest protocol when at each round $\ell$ party $P_j$ is run with input and randomness $(x_j^{(\ell)}, r_j^{(\ell)})$.

A semi-malicious adversary can sample random elements from any arbitrary distribution, but it must follow the correct behavior of the honest protocol with inputs and randomness that it knows. It is therefore weaker than a malicious adversary, who might not know witnesses for the messages it sends at every round, but stronger than a semi-honest adversary, whose witnesses at every round are distributed honestly.


From  Semi- Malicious  to  Malicious  Security.  Asharov  et  al.  [AJW11,  AJL+12]  show  how  to 
generically  transform  a  protocol  that  is  secure  against  semi-malicious  adversaries  into  one  that  is 
secure  against  malicious  adversaries.  The  idea  behind  the  compiler  is  to  have  each  party  prove  in 
zero-knowledge  that  every  message  it  sends  follows  the  honest  protocol  and  is  consistent  with  all 
previous  messages.  In  particular,  this  forces  all  parties  to  know  witnesses  that  explain  their  behavior 
at every round. The same compiler works in our security model with one subtlety: instead of using standard zero-knowledge proofs, the protocol must use zero-knowledge proofs of knowledge. This is to ensure that the simulator can extract the witness $(x_j^{(\ell)}, r_j^{(\ell)})$ from the proof sent on round $\ell$ by the malicious adversary on behalf of the corrupted party $P_j$. We refer the reader to the work of Asharov et al. [AJW11, AJL+12] for more details.

Finally, we note that unlike the standard GMW compiler from semi-honest security to malicious security [GMW87], the parties are not required to perform any coin-flipping. This, in particular, reduces the round complexity of the resulting protocol.

2.5  Fully  Homomorphic  Encryption  (FHE) 

We  review  the  definitions  of  fully  and  leveled  homomorphic  encryption. 
Definition 2.5 ($\mathcal{C}$-Homomorphic Encryption [Gen09b]). For a class of circuits $\mathcal{C}$, a $\mathcal{C}$-homomorphic encryption scheme is a tuple of algorithms $\mathcal{E} = (\mathrm{Setup}, \mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ with the following syntax:

•  $\mathrm{params} \leftarrow \mathrm{Setup}(1^\kappa)$: For security parameter $\kappa$, outputs public parameters params. All other algorithms, Keygen, Enc, Dec, Eval, implicitly take params as input, even when not explicitly stated.

•  $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek}) \leftarrow \mathrm{Keygen}(1^\kappa)$: For a security parameter $\kappa$, outputs a public key pk, a secret key sk, and a (public) evaluation key ek.

•  $c \leftarrow \mathrm{Enc}(\mathrm{pk}, m)$: Given a public key pk and a message $m$, outputs a ciphertext $c$.

•  $m := \mathrm{Dec}(\mathrm{sk}, c)$: Given a secret key sk and a ciphertext $c$, outputs a message $m$.

•  $c := \mathrm{Eval}(\mathrm{ek}, C, c_1, \ldots, c_\ell)$: Given an evaluation key ek, a (description of a) circuit $C$ and $\ell$ ciphertexts $c_1, \ldots, c_\ell$, outputs a ciphertext $c$.

We require that for all $C \in \mathcal{C}$, all $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek})$ in the support of $\mathrm{Keygen}(1^\kappa)$, and all plaintexts $(m_1, \ldots, m_\ell)$ and ciphertexts $(c_1, \ldots, c_\ell)$ such that $c_i$ is in the support of $\mathrm{Enc}(\mathrm{pk}, m_i)$, if $c := \mathrm{Eval}(\mathrm{ek}, C, c_1, \ldots, c_\ell)$ then $\mathrm{Dec}(\mathrm{sk}, c) = C(m_1, \ldots, m_\ell)$.

Definition 2.6 (Fully Homomorphic Encryption [Gen09b]). An encryption scheme $\mathcal{E}$ is fully homomorphic if it satisfies the following properties:

Correctness: $\mathcal{E}$ is $\mathcal{C}$-homomorphic for the class $\mathcal{C}$ of all circuits.

Compactness: The computational complexity of $\mathcal{E}$'s algorithms is polynomial in the security parameter $\kappa$, and in the case of the evaluation algorithm, the size of the circuit.

We now state the definition of leveled homomorphic encryption from [BGV12], which is a relaxation of the original definition of fully homomorphic encryption (Definition 2.6). The main difference is that Definition 2.6 requires all algorithms (decryption in particular) to be independent of the circuit(s) that the scheme can evaluate. Leveled homomorphic encryption relaxes this definition to let all algorithms (including decryption) depend on the circuit depth $D$.

Definition 2.7 (Leveled Homomorphic Encryption [BGV12]). Let $\mathcal{C}_D$ be the class of all circuits of depth at most $D$ (that use some specified complete set of gates). We say that a family of homomorphic encryption schemes $\{\mathcal{E}^{(D)} : D \in \mathbb{Z}^+\}$ is leveled fully homomorphic if, for all $D \in \mathbb{Z}^+$, it satisfies the following properties:

Correctness: $\mathcal{E}^{(D)}$ is $\mathcal{C}_D$-homomorphic.

Compactness: The computational complexity of $\mathcal{E}^{(D)}$'s algorithms is polynomial in the security parameter $\kappa$ and $D$, and in the case of the evaluation algorithm, the size of the circuit. We emphasize that this polynomial must be the same for all $D$.
2.5.1 Bootstrapping

We remind the reader of the definition of a bootstrappable encryption scheme and present Gentry's bootstrapping theorem [Gen09b, Gen09a], which states that a bootstrappable scheme can be converted into a fully homomorphic one.

Definition 2.8 (Bootstrappable Scheme). Let $\mathcal{E} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ be a $\mathcal{C}$-homomorphic encryption scheme, and let $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$ be the augmented decryption functions of the scheme, defined for every pair of ciphertexts $c_1, c_2$ as
$$f^{c_1,c_2}_{\mathrm{add}}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N) = \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_1)\ \mathrm{XOR}\ \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_2)$$
$$f^{c_1,c_2}_{\mathrm{mult}}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N) = \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_1)\ \mathrm{AND}\ \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c_2)$$
(for a single-key scheme as in Definition 2.5, $N = 1$ and Dec takes the single secret key sk). $\mathcal{E}$ is bootstrappable if $\{f^{c_1,c_2}_{\mathrm{add}}, f^{c_1,c_2}_{\mathrm{mult}}\}_{c_1, c_2} \subseteq \mathcal{C}$, namely, if it can homomorphically evaluate $f_{\mathrm{add}}$ and $f_{\mathrm{mult}}$.

Definition 2.9 (Weak Circular Security). A public-key encryption scheme $\mathcal{E} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec})$ is weakly circular secure if it is IND-CPA secure even for an adversary with auxiliary information containing encryptions of all secret key bits: $\{\mathrm{Enc}(\mathrm{pk}, \mathrm{sk}[i])\}_i$. Namely, no polynomial-time adversary can distinguish an encryption of 0 from an encryption of 1, even given this additional information.

Theorem 2.3 (Bootstrapping Theorem). Let $\mathcal{E}$ be a bootstrappable scheme that is also weakly circular secure. Then there exists a fully homomorphic encryption scheme $\mathcal{E}'$.

2.6 Rings

In this section we introduce preliminaries to our concrete constructions, which are all ring-based. Some of the discussion in this section is taken verbatim from the work of Brakerski and Vaikuntanathan [BV11b].

We work over rings $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(\phi(x))$ and $R_q \stackrel{\mathrm{def}}{=} R/qR$ for some integer polynomial $\phi(x) \in \mathbb{Z}[x]$ of degree $n = n(\kappa)$ and a prime integer $q = q(\kappa) \in \mathbb{Z}$. Note that $R_q$ is isomorphic to $\mathbb{Z}_q[x]/(\phi(x))$, the ring of polynomials of degree less than $n$ modulo $\phi(x)$ with coefficients in $\mathbb{Z}_q$. Addition in these rings is done component-wise in their coefficients (thus, their additive groups are isomorphic to $\mathbb{Z}^n$ and $\mathbb{Z}_q^n$ respectively), and multiplication is polynomial multiplication modulo $\phi(x)$ (and also modulo $q$, in the case of the ring $R_q$). An element in $R$ (or $R_q$) can be viewed as a polynomial of degree at most $n-1$ over $\mathbb{Z}$ (or $\mathbb{Z}_q$). We represent such an element using the vector of its $n$ coefficients. In the case of $R_q$ each coefficient is in the range $\{-\lfloor q/2 \rfloor, \ldots, \lfloor q/2 \rfloor\}$. For an element $a(x) = a_0 + a_1 x + \ldots + a_{n-1} x^{n-1} \in R$, we let $\|a\|_\infty \stackrel{\mathrm{def}}{=} \max_i |a_i|$ denote its norm.

In this work, we set $\phi(x) = x^n + 1$ where $n$ is a power of two, and use distributions over the ring $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(\phi(x))$. For the purpose of homomorphism, the only important property of these distributions is the magnitude of the coefficients of a polynomial output by the distribution. Hence, we define a $B$-bounded distribution to be a distribution over $R$ where the $\ell_\infty$-norm of a sample is bounded by $B$.

Definition 2.10 ($B$-Bounded Polynomial). A polynomial $e \in R$ is called $B$-bounded if $\|e\|_\infty \le B$.
Definition 2.11 ($B$-Bounded Distribution). A distribution ensemble $\{\chi_\kappa\}_{\kappa \in \mathbb{N}}$, supported over $R$, is called $B$-bounded (for $B = B(\kappa)$) if for all $e$ in the support of $\chi_\kappa$ we have $\|e\|_\infty \le B$. In other words, a $B$-bounded distribution over $R$ outputs a $B$-bounded polynomial.

The following lemma says that multiplication in the ring $\mathbb{Z}[x]/(x^n + 1)$ increases the norm of the constituent elements only by a small amount.

Lemma 2.4. Let $n \in \mathbb{N}$, let $\phi(x) = x^n + 1$ and let $R = \mathbb{Z}[x]/(\phi(x))$. For any $s, t \in R$,
$$\|s \cdot t\| \le \sqrt{n} \cdot \|s\| \cdot \|t\| \qquad \text{and} \qquad \|s \cdot t\|_\infty \le n \cdot \|s\|_\infty \cdot \|t\|_\infty.$$

Lemma 2.4 yields the following corollary.

Corollary 2.5. Let $n \in \mathbb{N}$, let $\phi(x) = x^n + 1$ and $R = \mathbb{Z}[x]/(\phi(x))$. Let $\chi$ be a $B$-bounded distribution over the ring $R$ and let $s_1, \ldots, s_k \leftarrow \chi$. Then $s \stackrel{\math rm{def}}{=} \prod_{i=1}^{k} s_i$ is $(n^{k-1} B^k)$-bounded.


2.6.1 Discrete Gaussians

For any real $r > 0$ the Gaussian function on $\mathbb{R}^n$ centered at $\mathbf{c}$ with parameter $r$ is defined as
$$\forall \mathbf{x} \in \mathbb{R}^n: \quad \rho_{r,\mathbf{c}}(\mathbf{x}) \stackrel{\mathrm{def}}{=} e^{-\pi \|\mathbf{x} - \mathbf{c}\|^2 / r^2}.$$

Definition 2.12. For any $n \in \mathbb{N}$, any $\mathbf{c} \in \mathbb{R}^n$ and real $r > 0$, the discrete Gaussian distribution over $\mathbb{Z}^n$ with parameter $r$ and centered at $\mathbf{c}$ is defined as
$$\forall \mathbf{x} \in \mathbb{Z}^n: \quad D_{\mathbb{Z}^n, r, \mathbf{c}}(\mathbf{x}) \stackrel{\mathrm{def}}{=} \frac{\rho_{r,\mathbf{c}}(\mathbf{x})}{\rho_{r,\mathbf{c}}(\mathbb{Z}^n)},$$
where $\rho_{r,\mathbf{c}}(\mathbb{Z}^n) \stackrel{\mathrm{def}}{=} \sum_{\mathbf{x} \in \mathbb{Z}^n} \rho_{r,\mathbf{c}}(\mathbf{x})$ is a normalization factor. Following common usage we refer to $r$ as the standard deviation of the distribution, although strictly speaking the standard deviation of each coordinate is $r/\sqrt{2\pi}$. We write $D_{\mathbb{Z}^n, r}$ for $D_{\mathbb{Z}^n, r, \mathbf{0}}$.

We present some elementary facts about the Gaussian distribution. The first fact shows that the discrete Gaussian distribution over $\mathbb{Z}^n$ with standard deviation $r$ outputs an $(r\sqrt{n})$-bounded polynomial with high probability. This allows us to define a truncated Gaussian distribution that is $(r\sqrt{n})$-bounded and statistically close to the discrete Gaussian.

Lemma 2.6 ([MR07]). For any real number $r \ge \omega(\sqrt{\log n})$, we have
$$\Pr_{\mathbf{x} \leftarrow D_{\mathbb{Z}^n, r}}\left[\|\mathbf{x}\| > r\sqrt{n}\right] \le 2^{-n+1}.$$

Using Lemma 2.6 together with the fact that $\|\mathbf{x}\| \ge \|\mathbf{x}\|_\infty$ for all $\mathbf{x} \in \mathbb{R}^n$ yields the following bound.

Lemma 2.7. Let $n = \omega(\log \kappa)$. For any real number $r \ge \omega(\sqrt{\log n})$, we have
$$\Pr_{\mathbf{x} \leftarrow D_{\mathbb{Z}^n, r}}\left[\|\mathbf{x}\|_\infty > r\sqrt{n}\right] \le 2^{-n+1} = \mathrm{negl}(\kappa).$$

Define the truncated discrete Gaussian distribution with standard deviation $r$ and centered at $\mathbf{c}$, denoted by $\bar{D}_{\mathbb{Z}^n, r, \mathbf{c}}$, to be the one that samples a polynomial according to the discrete Gaussian $D_{\mathbb{Z}^n, r, \mathbf{c}}$ and repeats the sampling if the polynomial is not $(r\sqrt{n})$-bounded. As long as $n = \omega(\log \kappa)$, Lemma 2.7 implies that this distribution is statistically close to the discrete Gaussian: $\bar{D}_{\mathbb{Z}^n, r, \mathbf{c}} \stackrel{s}{\approx} D_{\mathbb{Z}^n, r, \mathbf{c}}$.

The second fact says that the statistical distance between a discrete Gaussian with standard deviation $r$ centered at $\mathbf{0}$ and one centered at $\mathbf{c} \in \mathbb{Z}^n$ is at most $\|\mathbf{c}\|/r$. In particular, if $r$ is super-polynomially larger than $\|\mathbf{c}\|$ then the two distributions are statistically close.

Lemma 2.8. Let $n \in \mathbb{N}$. For any real number $r \ge \omega(\sqrt{\log n})$ and any $\mathbf{c} \in \mathbb{Z}^n$, the statistical distance between the distributions $D_{\mathbb{Z}^n, r}$ and $D_{\mathbb{Z}^n, r, \mathbf{c}}$ is at most $\|\mathbf{c}\|/r$.

Corollary 2.9. Let $\mathbf{c} \in \mathbb{Z}^n$. For any real number $r \ge 2^{\omega(\log \kappa)} \|\mathbf{c}\|$, the distributions $D_{\mathbb{Z}^n, r}$ and $D_{\mathbb{Z}^n, r, \mathbf{c}}$ are statistically close.

2.6.2 The Ring LWE Assumption

We now describe the Ring Learning With Errors (RLWE) assumption of Lyubashevsky, Peikert, and Regev [LPR10]. The RLWE assumption is analogous to the standard Learning With Errors (LWE) assumption, first defined by Regev [Reg05, Reg09] (generalizing the learning parity with noise assumption of Blum et al. [BFKL93]).

The $\mathrm{RLWE}_{\phi,q,\chi}$ assumption is that for a random ring element $s \leftarrow R_q$, given any polynomial number of samples of the form $(a_i, b_i = a_i \cdot s + e_i) \in R_q^2$, where $a_i$ is uniformly random in $R_q$ and $e_i$ is drawn from the error distribution $\chi$, the $b_i$'s are computationally indistinguishable from uniform in $R_q$. We use the Hermite normal form of the assumption, as in [BV11b], where the secret $s$ is sampled from the noise distribution $\chi$ rather than being uniform in $R_q$. This presentation is more useful for the purposes of this work and is equivalent to the original up to obtaining one additional sample [ACPS09, LPR10].

Definition 2.13 (The RLWE Assumption, Hermite Normal Form [LPR10]). For all $\kappa \in \mathbb{N}$, let $\phi(x) = \phi_\kappa(x) \in \mathbb{Z}[x]$ be a polynomial of degree $n = n(\kappa)$, let $q = q(\kappa) \in \mathbb{Z}$ be an odd prime integer, let the rings be $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(\phi(x))$ and $R_q \stackrel{\mathrm{def}}{=} R/qR$, and let $\chi$ denote a distribution over the ring $R$.

The decisional Ring LWE assumption $\mathrm{RLWE}_{\phi,q,\chi}$ states that for any $\ell = \mathrm{poly}(\kappa)$ it holds that
$$\{(a_i,\; a_i \cdot s + e_i)\}_{i \in [\ell]} \;\stackrel{c}{\approx}\; \{(a_i,\; u_i)\}_{i \in [\ell]},$$
where $s$ is sampled from the noise distribution $\chi$, the $a_i$ are uniform in $R_q$, the "error polynomials" $e_i$ are sampled from the error distribution $\chi$, and finally the ring elements $u_i$ are uniformly random over $R_q$.

We now present a couple of facts about the RLWE assumption. The first says that the assumption also holds if the error is multiplied by 2 in every sample. This follows immediately from the fact that $q$ is an odd prime and therefore relatively prime to 2: given samples $(a_i, b_i = a_i \cdot s + e_i)$, the pairs $(2a_i, 2b_i) = (a_i', a_i' \cdot s + 2e_i)$ with $a_i' = 2a_i$ are distributed exactly as samples with doubled error (multiplication by the invertible element 2 keeps $a_i'$ uniform), and $2u_i$ is again uniform, so a distinguisher for the doubled-error samples yields one for the original samples.

Fact 2.10. The $\mathrm{RLWE}_{\phi,q,\chi}$ assumption implies that for any $\ell = \mathrm{poly}(\kappa)$,
$$\{(a_i,\; a_i \cdot s + 2 \cdot e_i)\}_{i \in [\ell]} \;\stackrel{c}{\approx}\; \{(a_i,\; u_i)\}_{i \in [\ell]},$$
where $a_i, u_i$ are uniformly random in $R_q$ and $s, e_i$ are drawn from the error distribution $\chi$.

The second fact says that the assumption also holds if the distinguisher is additionally given samples with the same $a_j$ and different secrets $s_i$. This follows from a hybrid argument that changes the samples, one secret at a time, from RLWE to uniform.

Fact 2.11. The $\mathrm{RLWE}_{\phi,q,\chi}$ assumption implies that for any $\ell = \mathrm{poly}(\kappa)$ and $\ell' = \mathrm{poly}(\kappa)$,
$$\{(a_j,\; a_j \cdot s_i + e_{i,j})\}_{i \in [\ell],\, j \in [\ell']} \;\stackrel{c}{\approx}\; \{(a_j,\; u_{i,j})\}_{i \in [\ell],\, j \in [\ell']},$$
where $a_j, u_{i,j}$ are uniformly random in $R_q$ and $s_i, e_{i,j}$ are drawn from the error distribution $\chi$.

2.6.3 Choice of Parameters

As already stated above, we rely on the following specific choices of the polynomial $\phi(x)$ and the error distribution $\chi$. For security parameter $\kappa$ and a dimension parameter $n = n(\kappa)$ which is a power of two:

•  We set $\phi(x) \stackrel{\mathrm{def}}{=} x^n + 1$, where $n$ is a power of two.

•  The error distribution $\chi$ is the truncated discrete Gaussian distribution $\bar{D}_{\mathbb{Z}^n, r}$ with standard deviation $r > 0$. A sample from this distribution is an $(r\sqrt{n})$-bounded polynomial $e \in R$.

2.6.4 The Worst-case to Average-case Connection

We state a worst-case to average-case reduction from the shortest vector problem on ideal lattices to the RLWE problem for our setting of parameters. The reduction stated below is a special case of the results of [LPR10].

Theorem 2.12 ([LPR10]). Let $\phi(x) = x^n + 1$ where $n$ is a power of two. Let $r \ge \omega(\sqrt{\log n})$ be a real number, and let $q \equiv 1 \pmod{2n}$ be a prime integer. Let $R \stackrel{\mathrm{def}}{=} \mathbb{Z}[x]/(\phi(x))$. Then there is a randomized reduction from $2^{\omega(\log n)} \cdot (q/r)$-approximate $R$-SVP to $\mathrm{RLWE}_{\phi,q,\chi}$, where $\chi = D_{\mathbb{Z}^n, r}$ is the discrete Gaussian distribution.

Solving approximate $R$-SVP to within a sub-exponential factor is believed to be hard. Thus, if $q/r = 2^{o(n)}$ then the $\mathrm{RLWE}_{\phi,q,\chi}$ assumption is believed to be hard.

2.7 NTRU Encryption

We describe the NTRU encryption scheme of Hoffstein et al. [HPS98], with the modifications proposed by Stehlé and Steinfeld [SS11b]. For security parameter $\kappa$, the scheme is parameterized by a prime number $q = q(\kappa)$, a degree $n = n(\kappa)$ polynomial $\phi(x) \in \mathbb{Z}[x]$, and an error distribution $\chi = \chi(\kappa)$ over the ring $R \stackrel{\text{def}}{=} \mathbb{Z}[x]/(\phi(x))$. The parameters $n, \phi, q, \chi$ are public and we assume that given $\kappa$, there are polynomial-time algorithms that output $\phi$ and $q$, and sample from the error distribution $\chi$. The message space is $\mathcal{M} = \{0, 1\}$, and all operations are carried out in the ring $R$ (i.e. modulo $\phi(x)$).

• Keygen($1^\kappa$): Sample polynomials $f', g \leftarrow \chi$ and set $f \stackrel{\text{def}}{=} 2f' + 1$ so that $f \equiv 1 \pmod 2$. If $f$ is not invertible in $R_q$, resample $f'$; otherwise, let $f^{-1}$ be the inverse of $f$ in $R_q$. Set
$$\mathrm{pk} \stackrel{\text{def}}{=} h := [2 g f^{-1}]_q \in R_q, \qquad \mathrm{sk} \stackrel{\text{def}}{=} f \in R$$

• Enc(pk, m): To encrypt a bit $m \in \{0, 1\}$ with public key $\mathrm{pk} = h$, sample polynomials $s, e \leftarrow \chi$ and output the ciphertext
$$c \stackrel{\text{def}}{=} [hs + 2e + m]_q \in R_q$$

• Dec(sk, c): To decrypt a ciphertext $c \in R_q$ with secret key $\mathrm{sk} = f$, let $\mu \stackrel{\text{def}}{=} [fc]_q$ and output $m \stackrel{\text{def}}{=} \mu \pmod 2$.

It is easily seen that this scheme is correct as long as there is no reduction modulo $q$. To decrypt a ciphertext $c$, we compute:
$$[fc]_q = [fhs + 2fe + fm]_q = [2gs + 2fe + fm]_q$$
If there is no reduction modulo $q$ then
$$[fc]_q \pmod 2 = 2gs + 2fe + fm \pmod 2 = fm \pmod 2 = m$$
Furthermore, our choice of parameter $\phi(x) = x^n + 1$ ensures there is no reduction modulo $q$. Notice that the coefficients of $g, s, e$ are all bounded by $B$, and the coefficients of $f$ are bounded by $2B + 1$. By Corollary 2.5, we know that the coefficients of $[fc]_q$ are bounded by $2nB^2(2nB + 1)(2B + 1)$. As long as we set $q$ to be large enough so that $q/2$ is larger than this quantity, a fresh ciphertext generated by Enc is guaranteed to decrypt correctly. From here on, we refer to $\mu = [fc]_q \in R_q$ as the "error in ciphertext $c$".

2.7.1 Security

The security of the (modified) NTRU encryption scheme can be based on two assumptions: the RLWE assumption described in Section 2.6, as well as an assumption that we call the (Decisional) Small Polynomial Ratio (DSPR) Assumption.

Definition 2.14 (Decisional Small Polynomial Ratio Assumption). Let $\phi(x) \in \mathbb{Z}[x]$ be a polynomial of degree $n$, let $q \in \mathbb{Z}$ be a prime integer, and let $\chi$ denote a distribution over the ring $R \stackrel{\text{def}}{=} \mathbb{Z}[x]/(\phi(x))$. The (decisional) small polynomial ratio assumption $\mathrm{DSPR}_{\phi,q,\chi}$ says that it is hard to distinguish the following two distributions:

• a polynomial $h \stackrel{\text{def}}{=} [2 g f^{-1}]_q$, where $f'$ and $g$ are sampled from the distribution $\chi$ (conditioned on $f \stackrel{\text{def}}{=} 2f' + 1$ being invertible over $R_q$) and $f^{-1}$ is the inverse of $f$ in $R_q$.

• a polynomial $u$ sampled uniformly at random over $R_q$.

The security proof uses a hybrid argument, in two steps.

1. The hardness of $\mathrm{DSPR}_{\phi,q,\chi}$ allows us to change the public key $h = [2 g f^{-1}]_q$ to a uniformly sampled $h$.

2. Once this is done, we can use $\mathrm{RLWE}_{\phi,q,\chi}$ to change the challenge ciphertext $c^* = [hs + 2e + m]_q$ to $c^* = [u + m]_q$, where $u$ is uniformly sampled from $R_q$.

In this final hybrid, the advantage of the adversary is exactly 1/2 since $c^*$ is uniform over $R_q$, independent of the message $m$.

Stehlé and Steinfeld [SS11b] showed that the $\mathrm{DSPR}_{\phi,q,\chi}$ assumption is unconditionally true even for unbounded adversaries (namely, the two distributions above are statistically close) if $n$ is a power of two, $\phi(x) = x^n + 1$, and $\chi$ is the discrete Gaussian $D_{\mathbb{Z}^n, r}$ for $r > \sqrt{q} \cdot \mathrm{poly}(n)$. Thus, with this setting of parameters, semantic security of the modified NTRU scheme can be based on the $\mathrm{RLWE}_{\phi,q,\chi}$ assumption alone.

3 Multikey FHE

As mentioned earlier, the main building block in our construction of on-the-fly MPC is multikey FHE: fully homomorphic encryption that allows homomorphic evaluation on ciphertexts encrypted under different and independent keys. In this chapter, we formally define multikey FHE and show a construction for any number of keys based on the NTRU encryption scheme [HPS98, SS11b] described in Section 2.7. We also show that any FHE scheme is inherently multikey for a constant number of keys (in the security parameter), and that the Brakerski-Vaikuntanathan scheme [BV11b, BGV12] is somewhat homomorphic for a logarithmic number of keys.

3.1 Definition

To formally define multikey fully homomorphic encryption, we introduce a parameter $N$, which is the number of distinct keys that the scheme can handle; all algorithms will depend polynomially on $N$. This is similar to the definition of leveled homomorphic encryption from [BGV12] (see Definition 2.7), but we note that in our definition, the algorithms depend on $N$ but are independent of the depth of circuits that the scheme can evaluate. Thus, we consider schemes that are "leveled" with respect to the number of keys $N$, but fully homomorphic ("non-leveled") with respect to the circuits that are evaluated. The construction of multikey FHE schemes that are not leveled with respect to the number of keys (i.e., where all algorithms are independent of $N$) remains an open problem.

Finally, we note that to guarantee semantic security, decryption requires all corresponding secret keys.

Definition 3.1 (Multikey $\mathcal{C}$-Homomorphic Encryption). Let $\mathcal{C}$ be a class of circuits. A family $\{\mathcal{E}^{(N)} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})\}_{N > 0}$ of algorithms is multikey $\mathcal{C}$-homomorphic if for all integers $N > 0$, $\mathcal{E}^{(N)}$ has the following properties:

• $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek}) \leftarrow \mathrm{Keygen}(1^\kappa)$: For a security parameter $\kappa$, outputs a public key pk, a secret key sk and a (public) evaluation key ek.

• $c \leftarrow \mathrm{Enc}(\mathrm{pk}, m)$: Given a public key pk and message $m$, outputs a ciphertext $c$.

• $m := \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$: Given $N$ secret keys $\mathrm{sk}_1, \ldots, \mathrm{sk}_N$ and a ciphertext $c$, outputs a message $m$.

• $c := \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$: Given a (description of a) boolean circuit $C$ along with $\ell$ tuples $(c_i, \mathrm{pk}_i, \mathrm{ek}_i)$, each comprising a ciphertext $c_i$, a public key $\mathrm{pk}_i$ and an evaluation key $\mathrm{ek}_i$, outputs a ciphertext $c$.

We require absence of decryption failures and compactness of ciphertexts. Formally: for every circuit $C \in \mathcal{C}$, all sequences of $N$ key tuples $\{(\mathrm{pk}'_j, \mathrm{sk}'_j, \mathrm{ek}'_j)\}_{j \in [N]}$ each of which is in the support of $\mathrm{Keygen}(1^\kappa)$, all sequences of $\ell$ key tuples $\{(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i)\}_{i \in [\ell]}$ each of which is in $\{(\mathrm{pk}'_j, \mathrm{sk}'_j, \mathrm{ek}'_j)\}_{j \in [N]}$, and all plaintexts $(m_1, \ldots, m_\ell)$ and ciphertexts $(c_1, \ldots, c_\ell)$ such that $c_i$ is in the support of $\mathrm{Enc}(\mathrm{pk}_i, m_i)$, Eval satisfies the following properties:

Correctness: Let $c := \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$. Then $\mathrm{Dec}(\mathrm{sk}'_1, \ldots, \mathrm{sk}'_N, c) = C(m_1, \ldots, m_\ell)$.^6

Compactness: Let $c := \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell))$. There exists a polynomial $P$ such that $|c| \le P(\kappa, N)$. In other words, the size of $c$ is independent of $\ell$ and $|C|$. Note, however, that we allow the evaluated ciphertext to depend on the number of keys, $N$.

Definition 3.2 (Multikey Fully Homomorphic Encryption). A family of encryption schemes $\{\mathcal{E}^{(N)} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})\}_{N > 0}$ is multikey fully homomorphic if it is multikey $\mathcal{C}$-homomorphic for the class $\mathcal{C}$ of all circuits.

Semantic security of a multikey FHE follows directly from the semantic security of the underlying encryption scheme in the presence of the evaluation key ek. This is because given ek, the adversary can compute Eval himself. Note that taking $N = 1$ in Definition 3.1 and Definition 3.2 yields the standard definitions of $\mathcal{C}$-homomorphic and fully homomorphic encryption schemes (Definition 2.5 and Definition 2.6).

3.2 Multikey FHE for a Small Number of Keys

As a prelude to our main result in Section 3.3, we show that multikey homomorphic encryption for a small number of keys can be easily achieved. In particular, we show that any (standard) FHE can be converted into a multikey FHE for a constant number of keys, $N = O(1)$. Furthermore, we show that the Brakerski-Vaikuntanathan (ring-based) FHE [BV11b] is multikey homomorphic for a logarithmic number of keys, $N = O(\log \kappa)$. Unfortunately, once we introduce multiple keys we are unable to use either relinearization or squashing, and can therefore only obtain a somewhat homomorphic encryption scheme.


3.2.1 $O(1)$-Multikey FHE from any FHE

We show that any FHE scheme is inherently multikey for a constant number of keys, $N = O(1)$.^7 Let $\mathcal{E} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ be an FHE scheme with message space $\{0, 1\}$ and ciphertext space $\{0, 1\}^\lambda$ where $\lambda = p(\kappa)$ for some polynomial $p(\cdot)$. For $x \in \{0, 1\}^*$, define $x[i]$ to be the $i$th bit of $x$, and define $\overline{\mathrm{Enc}}$ to be the bit-wise encryption of $x$ (with $\overline{\mathrm{Dec}}$ the corresponding bit-wise decryption):
$$\overline{\mathrm{Enc}}(\mathrm{pk}, x) \stackrel{\text{def}}{=} \left(\mathrm{Enc}(\mathrm{pk}, x[1]), \ldots, \mathrm{Enc}(\mathrm{pk}, x[|x|])\right)$$

^6 Note that correctness still holds even if the circuit $C$ completely ignores all ciphertexts encrypted under a public key $\mathrm{pk}'_j$, or if none of the original ciphertexts were encrypted under this key. In other words, using superfluous keys in the decryption process does not affect its correctness (as long as decryption uses at most $N$ keys).

^7 The idea for this construction was originally suggested to us by an anonymous STOC 2012 reviewer. We include it in this dissertation and formally prove its correctness for the sake of completeness.

Furthermore, for any $k \in \mathbb{N}$, recursively define "onion" encryption and decryption:
$$\mathrm{Enc}^*(\mathrm{pk}, x) \stackrel{\text{def}}{=} \overline{\mathrm{Enc}}(\mathrm{pk}, x)$$
$$\mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, x) \stackrel{\text{def}}{=} \mathrm{Enc}^*\left(\mathrm{pk}_1, \ldots, \mathrm{pk}_{k-1}, \overline{\mathrm{Enc}}(\mathrm{pk}_k, x)\right) = \overline{\mathrm{Enc}}\left(\mathrm{pk}_1, \overline{\mathrm{Enc}}(\mathrm{pk}_2, \ldots, \overline{\mathrm{Enc}}(\mathrm{pk}_k, x))\right)$$
$$\mathrm{Dec}^*(\mathrm{sk}, x) \stackrel{\text{def}}{=} \overline{\mathrm{Dec}}(\mathrm{sk}, x)$$
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, x) \stackrel{\text{def}}{=} \mathrm{Dec}^*\left(\mathrm{sk}_2, \ldots, \mathrm{sk}_k, \overline{\mathrm{Dec}}(\mathrm{sk}_1, x)\right) = \overline{\mathrm{Dec}}\left(\mathrm{sk}_k, \overline{\mathrm{Dec}}(\mathrm{sk}_{k-1}, \ldots, \overline{\mathrm{Dec}}(\mathrm{sk}_1, x))\right)$$

We highlight two properties of "onion" encryption and decryption:

1. First, note that $\mathrm{Enc}^*$ and $\mathrm{Dec}^*$ satisfy correctness: if $(\mathrm{pk}_i, \mathrm{sk}_i) \leftarrow \mathrm{Keygen}(1^\kappa)$ for all $i \in [k]$, then for all $m \in \{0, 1\}$:
$$\mathrm{Dec}^*\left(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, m)\right) = m$$

2. Second, note that the bit-size of the ciphertext $\mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_k, m)$ is $\lambda^k$. Recall that the ciphertext space of Enc is $\{0, 1\}^\lambda$ and $\lambda = p(\kappa)$ for some polynomial $p(\cdot)$.

Construction Overview. We now give an overview of the construction. Given $N$ ciphertexts $c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, m_i)$ encrypting plaintext $m_i$ under key $\mathrm{pk}_i$, for all $i \in [N]$, it is possible to homomorphically compute "onion" ciphertexts:
$$z_i \approx \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_N, m_i)$$
This is done by homomorphically evaluating the function $\mathrm{Enc}^*(\mathrm{pk}_{i+1}, \ldots, \mathrm{pk}_N, \cdot)$ on ciphertext $c_i$. This outputs an onion encryption $\tilde{z}_i \approx \mathrm{Enc}^*(\mathrm{pk}_i, \ldots, \mathrm{pk}_N, m_i)$. The ciphertext $z_i$ can be obtained by onion encrypting $\tilde{z}_i$ with the remaining keys: $z_i = \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_{i-1}, \tilde{z}_i)$.

Once the ciphertexts $z_1, \ldots, z_N$ have been obtained, we can recursively perform homomorphic evaluations corresponding to the keys $\mathrm{pk}_1, \ldots, \mathrm{pk}_N$ (in that order), to obtain a ciphertext:
$$c \approx \mathrm{Enc}^*\left(\mathrm{pk}_1, \ldots, \mathrm{pk}_N, C(m_1, \ldots, m_N)\right)$$
By correctness of "onion" encryption, decrypting $c$ can be easily achieved using "onion" decryption:
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) = C(m_1, \ldots, m_N)$$
However, recall that the size of each ciphertext $z_i$ is $\lambda^N = p(\kappa)^N$ for some polynomial $p(\cdot)$. This means that the multikey homomorphic evaluation is efficient only if $N = O(1)$. Thus, this generic construction of multikey FHE from (standard) FHE allows only a constant number of keys.

Formal Description. We now give a formal description of the generic multikey construction, and prove its correctness. Let $\mathcal{E} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ be an FHE scheme with message space $\{0, 1\}$ and ciphertext space $\{0, 1\}^\lambda$ where $\lambda = p(\kappa)$ for some polynomial $p(\cdot)$. Let $\mathrm{Enc}^*$ and $\mathrm{Dec}^*$ be the "onion" encryption and decryption algorithms described above.

• GMK.Keygen($1^\kappa$): Run Keygen($1^\kappa$).

• GMK.Enc(pk, m): Run Enc(pk, m).

• GMK.Dec($\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c$): Output $\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c)$.

• GMK.Eval($C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N)$): For $i \in [N]$, define
$$G_i(x) \stackrel{\text{def}}{=} \mathrm{Enc}^*(\mathrm{pk}_{i+1}, \ldots, \mathrm{pk}_N, x\,;\, r)$$
for some fixed and valid randomness $r$,^8 and recursively define
$$C^{(k)}(x_1, \ldots, x_N) \stackrel{\text{def}}{=} \begin{cases} C(x_1, \ldots, x_N) & \text{for } k = N \\ \mathrm{Eval}\left(\mathrm{ek}_{k+1}, C^{(k+1)}, x_1, \ldots, x_N\right) & \text{for } k < N \end{cases}$$
For $i \in [N]$, compute
$$\tilde{z}_i \stackrel{\text{def}}{=} \mathrm{Eval}(\mathrm{ek}_i, G_i, c_i), \qquad z_i \stackrel{\text{def}}{=} \mathrm{Enc}^*(\mathrm{pk}_1, \ldots, \mathrm{pk}_{i-1}, \tilde{z}_i)$$
and output the ciphertext $c \stackrel{\text{def}}{=} \mathrm{Eval}(\mathrm{ek}_1, C^{(1)}, z_1, \ldots, z_N)$.

Theorem 3.1. The encryption scheme $\mathcal{E}_{\mathrm{GMK}} = (\mathrm{GMK.Keygen}, \mathrm{GMK.Enc}, \mathrm{GMK.Dec}, \mathrm{GMK.Eval})$ is multikey fully homomorphic for $N = O(1)$ keys.

Proof. To prove correctness of evaluation, we wish to prove that if $(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i)$ is in the support of $\mathrm{GMK.Keygen}(1^\kappa) = \mathrm{Keygen}(1^\kappa)$ and $c_i \leftarrow \mathrm{GMK.Enc}(\mathrm{pk}_i, m_i) = \mathrm{Enc}(\mathrm{pk}_i, m_i)$, then
$$\mathrm{GMK.Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) = \mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) = C(m_1, \ldots, m_N)$$

We first show that each $z_i$ is a valid "onion" encryption of $m_i$. By correctness of evaluation with evaluation key $\mathrm{ek}_i$, we know that
$$\overline{\mathrm{Dec}}(\mathrm{sk}_i, \tilde{z}_i) = G_i(m_i) = \mathrm{Enc}^*(\mathrm{pk}_{i+1}, \ldots, \mathrm{pk}_N, m_i\,;\, r)$$
and by correctness of encryption, we conclude that
$$\mathrm{Dec}^*(\mathrm{sk}_i, \ldots, \mathrm{sk}_N, \tilde{z}_i) = m_i \quad \text{and} \quad \mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, z_i) = m_i$$

We now make the following claim, which constitutes the bulk of the proof.

Claim 3.1.1. For every $k \in [N]$,
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, c) = C^{(k)}\left(z_1^{(k)}, \ldots, z_N^{(k)}\right)$$
where $z_i^{(k)} \stackrel{\text{def}}{=} \mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, z_i)$.

In particular, for $k = N$, this claim implies:
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) = C^{(N)}\left(z_1^{(N)}, \ldots, z_N^{(N)}\right) = C(m_1, \ldots, m_N)$$
where the second equality follows from the fact that $C^{(N)} = C$ by definition, and the fact that $z_i^{(N)} = \mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, z_i) = m_i$, which we proved earlier.

It thus suffices to prove Claim 3.1.1 to conclude the proof of the theorem.

^8 We need to include the randomness in the definition because we want $G_i(x)$ to be a deterministic circuit with $x$ as its sole input.
Proof. We prove Claim 3.1.1 by induction. The base case, $k = 1$, follows directly from correctness of evaluation and correctness of decryption:
$$\mathrm{Dec}^*(\mathrm{sk}_1, c) = C^{(1)}\left(\overline{\mathrm{Dec}}(\mathrm{sk}_1, z_1), \ldots, \overline{\mathrm{Dec}}(\mathrm{sk}_1, z_N)\right) = C^{(1)}\left(z_1^{(1)}, \ldots, z_N^{(1)}\right)$$
Now suppose that the claim holds for $k - 1$; that is, suppose
$$\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_{k-1}, c) = C^{(k-1)}\left(z_1^{(k-1)}, \ldots, z_N^{(k-1)}\right)$$
Decrypting both sides by $\mathrm{sk}_k$ yields:
$$\begin{aligned}
\mathrm{Dec}^*(\mathrm{sk}_1, \ldots, \mathrm{sk}_k, c) &= \overline{\mathrm{Dec}}\left(\mathrm{sk}_k, C^{(k-1)}\left(z_1^{(k-1)}, \ldots, z_N^{(k-1)}\right)\right) \\
&= \overline{\mathrm{Dec}}\left(\mathrm{sk}_k, \mathrm{Eval}\left(\mathrm{ek}_k, C^{(k)}, z_1^{(k-1)}, \ldots, z_N^{(k-1)}\right)\right) \\
&= C^{(k)}\left(\overline{\mathrm{Dec}}(\mathrm{sk}_k, z_1^{(k-1)}), \ldots, \overline{\mathrm{Dec}}(\mathrm{sk}_k, z_N^{(k-1)})\right) \\
&= C^{(k)}\left(z_1^{(k)}, \ldots, z_N^{(k)}\right)
\end{aligned}$$
where the second-to-last equality follows from correctness of evaluation and correctness of decryption. This concludes the inductive step and the proof. □

□


3.2.2 $O(\log \kappa)$-Multikey FHE from Ring-LWE

We now show that the Brakerski-Vaikuntanathan FHE [BV11b] based on the RLWE assumption is multikey somewhat homomorphic for $N = O(\log \kappa)$ keys.

Decryption in Regev-style encryption consists of computing the inner product $\langle c, s \rangle \pmod 2$, where $c, s$ are the ciphertext and secret key, respectively. Brakerski and Vaikuntanathan [BV11b] generalize this to allow the ciphertext and secret key to grow in dimension. For $c, s \in R_q^k$, they define: $\mathrm{Dec}(s, c) = \langle c, s \rangle \pmod 2$. Homomorphic operations are then defined as follows:

• Given two same-length ciphertexts $c_1$ and $c_2$, output the ciphertext $c_{\mathrm{add}} \stackrel{\text{def}}{=} c_1 + c_2$ as an encryption of the sum of the underlying messages. The ciphertext $c_{\mathrm{add}}$ is decryptable with the same secret key $s$ since
$$\langle c_1 + c_2, s \rangle = \langle c_1, s \rangle + \langle c_2, s \rangle$$

• Given two ciphertexts $c_1$ and $c_2$ of potentially different length, output the ciphertext $c_{\mathrm{mult}} \stackrel{\text{def}}{=} c_1 \otimes c_2$ as the product of the underlying messages. The ciphertext $c_{\mathrm{mult}}$ is now decryptable with the secret key $s \otimes s$ since
$$\langle c_1 \otimes c_2, s \otimes s \rangle = \langle c_1, s \rangle \cdot \langle c_2, s \rangle$$

We can extend this to the multikey setting. Multiplication is trivial, but some changes are necessary in the case of addition.
• Given two same-length ciphertexts $c_1$ and $c_2$ decryptable with secret keys $s_1, s_2$ respectively, output the ciphertext $c_{\mathrm{add}} \stackrel{\text{def}}{=} (c_1, c_2)$ as an encryption of the sum of the underlying messages. The ciphertext $c_{\mathrm{add}}$ is decryptable with the secret key $(s_1, s_2)$ since
$$\langle (c_1, c_2), (s_1, s_2) \rangle = \langle c_1, s_1 \rangle + \langle c_2, s_2 \rangle$$

• Given two ciphertexts $c_1$ and $c_2$ decryptable with secret keys $s_1, s_2$ respectively, and of potentially different length, output the ciphertext $c_{\mathrm{mult}} \stackrel{\text{def}}{=} c_1 \otimes c_2$ as the product of the underlying messages. The ciphertext $c_{\mathrm{mult}}$ is now decryptable with the secret key $s_1 \otimes s_2$ since
$$\langle c_1 \otimes c_2, s_1 \otimes s_2 \rangle = \langle c_1, s_1 \rangle \cdot \langle c_2, s_2 \rangle$$

Observe that each homomorphic operation (at most) doubles the size of the ciphertext. Starting with fresh ciphertexts of length 2, after $(N - 1)$ operations (which can combine ciphertexts encrypted under at most $N$ distinct keys), the size of both the ciphertext and the joint decryption key is $2^N$. This is only feasible if $N = O(\log \kappa)$.
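
The concatenate-for-addition and tensor-for-multiplication rules above, as an added example that is not part of the report: a toy Regev-style scheme over $\mathbb{Z}_q$ in Python (integer vectors rather than $R_q$ elements, since the inner-product identities are the same), with constructed parameters, that evaluates $m_1 m_2 + m_3 m_4$ under four independent keys, decrypts with the joint key $(s_1 \otimes s_2, s_3 \otimes s_4)$, and reports how the ciphertext and key lengths grow from 2 to 8.

```python
import random

# Constructed toy parameters (not the report's). Ciphertexts and keys are integer vectors over Z_q,
# the Regev-style setting the section starts from; D = 1 gives length-2 fresh ciphertexts as in the text.
Q, D, B = 1_000_003, 1, 2


def keygen(rng):
    """Secret key s = (1, -s'), so that <(b, a), s> = b - <a, s'>."""
    s_prime = [rng.randint(-B, B) for _ in range(D)]
    return [1] + [(-x) % Q for x in s_prime]


def encrypt(s, m, rng):
    """Fresh ciphertext c = (b, a) with b = <a, s'> + 2e + m (mod q), so <c, s> = 2e + m."""
    a = [rng.randrange(Q) for _ in range(D)]
    e = rng.randint(-B, B)
    s_prime = [(-x) % Q for x in s[1:]]
    b = (sum(x * y for x, y in zip(a, s_prime)) + 2 * e + m) % Q
    return [b] + a


def inner(c, s):
    """[<c, s>]_q as a centred integer; ciphertext and (joint) key must have the same length."""
    if len(c) != len(s):
        raise ValueError("ciphertext and joint key have different lengths")
    v = sum(x * y for x, y in zip(c, s)) % Q
    return v - Q if v > Q // 2 else v


def decrypt(s, c):
    return inner(c, s) % 2


def tensor(u, v):
    return [(x * y) % Q for x in u for y in v]


def mk_add(c1, s1, c2, s2):
    """Multikey addition: concatenate; <(c1, c2), (s1, s2)> = <c1, s1> + <c2, s2>."""
    return c1 + c2, s1 + s2


def mk_mult(c1, s1, c2, s2):
    """Multikey multiplication: tensor both sides; <c1 (x) c2, s1 (x) s2> = <c1, s1> * <c2, s2>."""
    return tensor(c1, c2), tensor(s1, s2)


def demo(seed=11):
    """Evaluate m1*m2 + m3*m4 on ciphertexts under four independent keys and track the lengths."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(4)]
    msgs = [1, 1, 1, 0]
    cts = [encrypt(s, m, rng) for s, m in zip(keys, msgs)]
    c12, s12 = mk_mult(cts[0], keys[0], cts[1], keys[1])   # length 2*2 = 4, key s1 (x) s2
    c34, s34 = mk_mult(cts[2], keys[2], cts[3], keys[3])   # length 4, key s3 (x) s4
    c, s = mk_add(c12, s12, c34, s34)                       # length 4 + 4 = 8, key (s1 (x) s2, s3 (x) s4)
    return {
        "plain": (msgs[0] * msgs[1] + msgs[2] * msgs[3]) % 2,
        "evaluated": decrypt(s, c),
        "len_fresh": len(cts[0]),
        "len_result": len(c),
        "key_len": len(s),
    }
```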

As shown in the work of Brakerski and Vaikuntanathan [BV11b], the scheme can evaluate circuits of depth $D < \epsilon \log n - \log \log n + O(1)$, where $q = 2^{n^\epsilon}$ for constant $\epsilon \in (0, 1)$. Unfortunately, we do not know how to apply relinearization or squashing in the multikey setting, and are therefore not able to convert the resulting multikey scheme into a leveled or fully homomorphic one.

3.3 Multikey Somewhat Homomorphic Encryption for Any Number of Keys

We now turn to our main result in this section: we construct a multikey somewhat homomorphic encryption scheme based on the (modified) NTRU encryption scheme [HPS98, SS11b] described in Section 2.7. Unlike the schemes in Section 3.2, the scheme we describe in this section will be multikey for $N \approx n^\epsilon$ keys, with constant $\epsilon \in (0, 1)$. In Section 3.4, we show how to convert the scheme into a multikey fully homomorphic scheme for $N \approx n^\epsilon$ keys. By setting $n \approx N^{1/\epsilon}$, we can construct a multikey FHE for any number of keys $N$, as long as $N$ is known a-priori.

We begin by informally describing the multikey homomorphic properties of NTRU encryption and some of the problems encountered when trying to convert the scheme from Section 2.7 into a somewhat homomorphic one. We then show a formal description of our somewhat homomorphic scheme, formally prove its homomorphic properties, and discuss its security. In Section 3.4, we show how to convert this scheme into a fully homomorphic scheme.

3.3.1 Multikey Homomorphism

Recall from Section 2.7 that an NTRU key pair consists of ring elements $(h, f)$ such that $h = [2 g f^{-1}]_q$, where $g, f$ are "small" ring elements sampled from a $B$-bounded distribution $\chi$, and $f^{-1}$ is the inverse of $f$ in $R_q$. Further recall that an NTRU ciphertext has the form $c = [hs + 2e + m]_q$ for "small" elements $s, e$ sampled from $\chi$, and decryption computes $[fc]_q \pmod 2$.

Let $(h_1, f_1)$ and $(h_2, f_2)$ be two different NTRU public/secret key pairs, and let $c_1 \stackrel{\text{def}}{=} [h_1 s_1 + 2 e_1 + m_1]_q$ and $c_2 \stackrel{\text{def}}{=} [h_2 s_2 + 2 e_2 + m_2]_q$ be two ciphertexts, encrypted under public keys $h_1$ and $h_2$, respectively. We show how to compute ciphertexts that decrypt to the sum and the product of the underlying plaintexts, $m_1$ and $m_2$. In particular, we show that the "ciphertexts" $c_{\mathrm{mult}} \stackrel{\text{def}}{=} c_1 \cdot c_2$ and $c_{\mathrm{add}} \stackrel{\text{def}}{=} c_1 + c_2$ can be decrypted to the product and the sum of $m_1$ and $m_2$ respectively, using the secret key $f_{12} \stackrel{\text{def}}{=} f_1 \cdot f_2$. To see this, note that
$$[f_1 f_2 (c_1 + c_2)]_q = [2 f_1 f_2 e_1 + 2 f_1 f_2 e_2 + 2 f_2 g_1 s_1 + 2 f_1 g_2 s_2 + f_1 f_2 (m_1 + m_2)]_q$$
$$[f_1 f_2 (c_1 \cdot c_2)]_q = [4 g_1 g_2 s_1 s_2 + 2 g_1 s_1 f_2 (2 e_2 + m_2) + 2 g_2 s_2 f_1 (2 e_1 + m_1) + 2 f_1 f_2 (e_1 m_2 + e_2 m_1 + 2 e_1 e_2) + f_1 f_2 (m_1 m_2)]_q$$
Since $f_1 \equiv f_2 \equiv 1 \pmod 2$, we can conclude that, as long as there is no reduction modulo $q$,
$$[f_1 f_2 (c_1 + c_2)]_q \pmod 2 = m_1 + m_2 \pmod 2$$
$$[f_1 f_2 (c_1 \cdot c_2)]_q \pmod 2 = m_1 \cdot m_2 \pmod 2$$
In other words, the "joint secret key" $f_{12} = f_1 f_2$ can be used to decrypt $c_{\mathrm{add}} = [c_1 + c_2]_q$ and $c_{\mathrm{mult}} = [c_1 \cdot c_2]_q$. We can extend this argument to any combination of operations, with ciphertexts encrypted under multiple public keys.

Of course, the error in the ciphertexts will grow with the number of operations performed (as with all known fully homomorphic encryption schemes). Thus, correctness of decryption will only hold for a limited number of operations. We can show that the scheme can correctly evaluate circuits of depth roughly $\epsilon \log(n)$ when $q = 2^{n^\epsilon}$ and $B = \mathrm{poly}(n)$.

Problems in Multikey Decryption. An astute reader will have observed that in order to successfully decrypt a ciphertext that was the result of a homomorphic evaluation, we must know the circuit that was evaluated. For example, to decrypt $c_1 + c_2$ we need to multiply by $f_1 f_2$, whereas to decrypt $c_1 + c_2^2$ we need to multiply by $f_1 f_2^2$. This is unsatisfactory.

Furthermore, consider what happens when we add or multiply two ciphertexts $c, c'$ that are themselves a result of homomorphic evaluation. Suppose, for example, that $c = c_1 c_2$ and $c' = c_2 c_3$, where $c_i$ is encrypted under $h_i$ for $i \in \{1, 2, 3\}$. We know $c$ can be decrypted using $f_1 f_2$ and $c'$ can be decrypted using $f_2 f_3$. Thus, we know that
$$[f_1 f_2 \cdot c]_q = 2e + f_1 f_2 m, \qquad [f_2 f_3 \cdot c']_q = 2e' + f_2 f_3 m'$$
for some messages $m$ and $m'$ and error terms $e$ and $e'$. Following the discussion above, we can see that $c + c'$ can be decrypted using the key $f_1 f_2 f_3$:
$$[f_1 f_2 f_3 \cdot (c + c')]_q = [f_3 (f_1 f_2 \cdot c) + f_1 (f_2 f_3 \cdot c')]_q = 2 (f_3 e + f_1 e') + f_1 f_2 f_3 (m + m')$$
In general, given a ciphertext $c$ encrypted under a set of keys $K$, and $c'$ encrypted under a set of keys $K'$, their sum can be decrypted using the product of the keys in the union $K \cup K'$. We note that the absolute magnitude of the coefficients of this product grows exponentially with the number of keys in $K \cup K'$, i.e. the total number of keys involved in the homomorphic computation.

Analogously, in the context of homomorphic multiplication, we need $f_1 f_2^2 f_3$ to decrypt $c \cdot c'$:
$$[f_1 f_2^2 f_3 \cdot (c \cdot c')]_q = [(f_1 f_2 \cdot c) \cdot (f_2 f_3 \cdot c')]_q = 2 E_{\mathrm{mult}} + f_1 f_2^2 f_3 (m \cdot m')$$
where $E_{\mathrm{mult}} \stackrel{\text{def}}{=} 2 e e' + e f_2 f_3 m' + e' f_1 f_2 m$. This hints at the fact that the magnitude of the coefficients of the joint secret key needed to decrypt an evaluated ciphertext grows exponentially with the degree of the evaluated circuit (and not just with the number of keys involved, as in the case of addition). Indeed, after $M$ multiplications, the joint secret key needed to decrypt the evaluated ciphertext will be the product of $M$ polynomials, and the magnitude of the coefficients of this product will be exponential in $M$.

Our Solution. To solve the above problems, we use relinearization (also known as key-switching), a technique first introduced by Brakerski and Vaikuntanathan [BV11a]. Informally, we introduce a (public) evaluation key ek that will be output by the Keygen algorithm. Every time we multiply ciphertexts that share a key $f_i$, we will use the evaluation key to ensure that we only need $f_i$, and not $f_i^2$, to decrypt the new ciphertext. This ensures two things.

1. First, it ensures that to decrypt a ciphertext $c^*$, we only need to multiply it by one copy of each secret key, making decryption independent of the circuit used to produce $c^*$.

2. Second, it ensures that the size of the joint secret key needed to decrypt the new ciphertext depends only on the number of keys $N$, and not on the degree of the circuit $C$ that was evaluated.

Though we are able to eliminate the dependence (of the magnitude of the coefficients of the joint secret key) on the degree of the circuit, we remark that we do not succeed in eliminating the exponential dependence on $N$, the number of keys; indeed, this is the reason why our solution will eventually assume an a-priori upper bound on $N$.

3.3.2 Formal Description

We present a formal description of our multikey somewhat homomorphic encryption scheme based on the (modified) NTRU encryption scheme [HPS98, SS11b] described in Section 2.7.

• SH.Keygen($1^\kappa$): Sample $f', g \leftarrow \chi$ and set $f := 2f' + 1$ so that $f \equiv 1 \pmod 2$. If $f$ is not invertible in $R_q$, resample $f'$; otherwise let $f^{-1}$ be the inverse of $f$ in $R_q$. Set
$$\mathrm{pk} \stackrel{\text{def}}{=} h := [2 g f^{-1}]_q \in R_q, \qquad \mathrm{sk} \stackrel{\text{def}}{=} f \in R$$
Sample $\mathbf{s}, \mathbf{e} \leftarrow \chi^{\lceil \log q \rceil}$ and compute $\mathrm{ek} \stackrel{\text{def}}{=} [h\mathbf{s} + 2\mathbf{e} + \mathrm{Pow}(f)]_q \in R_q^{\lceil \log q \rceil}$. Output the key tuple $(\mathrm{pk}, \mathrm{sk}, \mathrm{ek})$.

• SH.Enc(pk, m): Sample $s, e \leftarrow \chi$. Output the ciphertext $c := hs + 2e + m \in R_q$.

• SH.Dec($\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c$): Parse $\mathrm{sk}_i = f_i$ for $i \in [N]$. Compute $\mu = [f_1 \cdots f_N \cdot c]_q \in R_q$ and output $m := \mu \pmod 2$.
• SH.Eval($C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_\ell, \mathrm{pk}_\ell, \mathrm{ek}_\ell)$): We show how to evaluate an $\ell$-variate boolean circuit $C : \{0, 1\}^\ell \to \{0, 1\}$ of depth $D$. To this end, we show how to homomorphically add and multiply two elements in $\{0, 1\}$. Given two ciphertexts $c, c'$, we assume that we also have a set of distinct public keys associated with each ciphertext.^9 We will denote these lists by $K, K'$, respectively. The public-key set of a fresh encryption is simply the set $\{\mathrm{pk}\}$ containing the public key under which it was encrypted. For convenience, in our analysis we sometimes assume that the set contains the indices of the public keys instead of the keys themselves.

— Given two ciphertexts $c$ and $c'$ with corresponding public-key sets $K$ and $K'$, output the ciphertext
$$c_{\mathrm{add}} = [c + c']_q \in R_q$$
as an encryption of the sum of the underlying messages. Output the set $K_{\mathrm{add}} = K \cup K'$ as its corresponding public-key set.

— Given two ciphertexts $c$ and $c'$ with corresponding public-key sets $K$ and $K'$, compute the ciphertext $c_0 = [c \cdot c']_q \in R_q$.

* If $K \cap K' = \emptyset$, let $c_{\mathrm{mult}} = c_0$.

* Otherwise, let $K \cap K' = \{\mathrm{pk}_{i_1}, \ldots, \mathrm{pk}_{i_t}\}$. For $j \in [t]$, compute $c_j = [\langle \mathrm{Bit}(c_{j-1}), \mathrm{ek}_{i_j} \rangle]_q$, and let $c_{\mathrm{mult}} = c_t$ at the end of the iteration.

In either case, output $c_{\mathrm{mult}}$ as an encryption of the product of the underlying messages, and output the set $K_{\mathrm{mult}} = K \cup K'$ as its corresponding public-key set.

For a set $S \subseteq [N]$, let $f_S \stackrel{\text{def}}{=} \prod_{i \in S} f_i$. Note that the ciphertext $c_0$ can be decrypted to $m \cdot m'$ with the "joint" secret key $f_K f_{K'}$, which contains the term $f_{i_1}^2 \cdots f_{i_t}^2$. The goal of relinearization is to convert it into a ciphertext that decrypts to the same message under the secret key
$$f_K f_{K'} \Big/ \Big( \prod_{j \in K \cap K'} f_j \Big) = f_{K \cup K'}$$
which replaces the term $f_{i_1}^2 \cdots f_{i_t}^2$ with the term $f_{i_1} \cdots f_{i_t}$.
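
The scheme above, as an added Python example that is not the report's own code: the NTRU key generation, encryption and multikey decryption of Section 2.7, the joint-key addition and multiplication of Section 3.3.1, and the relinearization step of SH.Eval, with constructed toy parameters ($n = 8$, $q = 998244353$, $\chi$ uniform over $\{-1, 0, 1\}^n$) and a plain Gaussian-elimination inverse for $f$ in $R_q$ (an assumption of this example, not an algorithm from the report).

```python
import random

# Constructed toy parameters (not the report's): n a power of two, q a prime with q = 1 (mod 2n),
# chi uniform over {-B, ..., B}^n (so B-bounded). Real parameters need q = 2^(n^eps), see Lemma 3.2.
n, q, B = 8, 998244353, 1
L = q.bit_length()   # length of the Bit(.) / Pow(.) vectors: ceil(log q)

def sample_small(rng):
    return [rng.randint(-B, B) for _ in range(n)]

def ring_mul(a, b):
    """Product in R_q = Z_q[x]/(x^n + 1): a monomial x^k with k >= n wraps to -x^(k-n)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            res[k % n] += ai * bj if k < n else -ai * bj
    return [x % q for x in res]

def ring_add(a, b):
    return [(x + y) % q for x, y in zip(a, b)]

def centered(a):
    return [((x + q // 2) % q) - q // 2 for x in a]   # [a]_q with coefficients in [-(q-1)/2, (q-1)/2]

def ring_inv(f):
    """Inverse of f in R_q by solving M u = e_0 (M = multiplication-by-f matrix); None if singular."""
    cols = [ring_mul(f, [int(k == j) for k in range(n)]) for j in range(n)]
    A = [[cols[j][i] for j in range(n)] + [int(i == 0)] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [(x * inv) % q for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                fac = A[r][c]
                A[r] = [(x - fac * y) % q for x, y in zip(A[r], A[c])]
    return [A[i][n] for i in range(n)]

def keygen(rng):
    """SH.Keygen: f = 2f' + 1, h = [2 g f^-1]_q, ek_i = [h s_i + 2 e_i + 2^i f]_q for i < ceil(log q)."""
    while True:
        fp, g = sample_small(rng), sample_small(rng)
        f = [2 * x for x in fp]
        f[0] += 1                          # f = 1 (mod 2)
        f_inv = ring_inv(f)
        if f_inv is not None:              # otherwise resample f', as the scheme prescribes
            break
    h = ring_mul([2 * x for x in g], f_inv)
    ek = []
    for i in range(L):
        s, e = sample_small(rng), sample_small(rng)
        pow_i = [(x << i) % q for x in f]  # i-th entry of Pow(f)
        ek.append(ring_add(ring_add(ring_mul(h, s), [2 * x for x in e]), pow_i))
    return h, f, ek

def encrypt(h, m, rng):
    """SH.Enc: c = [h s + 2 e + m]_q for a bit m."""
    s, e = sample_small(rng), sample_small(rng)
    c = ring_add(ring_mul(h, s), [2 * x for x in e])
    c[0] = (c[0] + m) % q
    return c

def joint_error(keys, c):
    """mu = [f_1 ... f_N c]_q, the multikey error of c under the listed secret keys."""
    mu = c
    for f in keys:
        mu = ring_mul(f, mu)
    return centered(mu)

def decrypt(keys, c):
    return joint_error(keys, c)[0] % 2     # the bit sits in the constant term since every f_i = 1 (mod 2)

def relinearize(c0, ek):
    """<Bit(c0), ek>: decryptable with one copy of f instead of f^2, at the cost of a little extra noise."""
    out = [0] * n
    for i in range(L):
        bit_i = [(x >> i) & 1 for x in c0]     # c0 = sum_i 2^i Bit_i(c0), coefficients in [0, q)
        out = ring_add(out, ring_mul(bit_i, ek[i]))
    return out

def demo(seed=7):
    """Three parties with m1 = m2 = m3 = 1; returns decryptions of evaluated ciphertexts."""
    rng = random.Random(seed)
    (h1, f1, ek1), (h2, f2, _), (h3, f3, _) = keygen(rng), keygen(rng), keygen(rng)
    c1, c2, c3 = encrypt(h1, 1, rng), encrypt(h2, 1, rng), encrypt(h3, 1, rng)
    c1b = encrypt(h1, 1, rng)                 # a second ciphertext under pk_1
    c_mult = ring_mul(c1, c2)                 # key sets {1}, {2} are disjoint: no relinearization
    c_sum = ring_add(c_mult, c3)              # joint key f_1 f_2 f_3, the product over the union
    c_sq = ring_mul(c1, c1b)                  # key sets {1}, {1}: joint key would contain f_1^2
    c_relin = relinearize(c_sq, ek1)          # back to a single copy of f_1
    return {
        "m1*m2": decrypt([f1, f2], c_mult),
        "m1*m2+m3": decrypt([f1, f2, f3], c_sum),
        "m1*m1 with f1 twice": decrypt([f1, f1], c_sq),
        "m1*m1 after relin": decrypt([f1], c_relin),
        "error below q/2": max(map(abs, joint_error([f1, f2, f3], c_sum))) < q // 2,
    }
```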

We first show that the scheme works correctly as advertised:

Lemma 3.2. If $q = 2^{n^\epsilon}$ for $\epsilon \in (0, 1)$ and $\chi$ is a $B$-bounded distribution for $B = \mathrm{poly}(n)$, then the encryption scheme $\mathcal{E}_{\mathrm{SH}} = (\mathrm{SH.Keygen}, \mathrm{SH.Enc}, \mathrm{SH.Dec}, \mathrm{SH.Eval})$ described above is multikey homomorphic for $N = O(n^\delta)$ keys and circuits of depth $D < (\epsilon - \delta) \log n - \log \log n - O(1)$.

Proof. We define the (multikey) error of a ciphertext $c$ with corresponding public-key set $K$ to be $\mu \stackrel{\text{def}}{=} [f_K \cdot c]_q$. We start by showing that the magnitude of the error coefficients does not grow too much after a homomorphic evaluation.

Claim 3.2.1. Let $c, c'$ be ciphertexts encrypting $m$ and $m'$, respectively, and suppose that the magnitude of their error coefficients is bounded by $E < q/2$. Then $c_{\mathrm{add}}$ and $c_{\mathrm{mult}}$ correctly decrypt to $m + m'$ and $m \cdot m'$, respectively, and their error coefficients are bounded by $(nB)^{2N} E^2$.

^9 That is, we assume each set contains distinct public keys, but the intersection of any two sets might not be empty.
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Proof.  Let  c,  d  be  encryptions  of  m,  rn! ,  respectively,  with  corresponding  public-key  sets  K,  K' .  We 
know  that  for  some  e,  e'  E  R  we  have: 

[Ik  ■c\q  =  2e  +  m  ,  [fK>  -c]q  =  2e'  +  m 

and  \\2e  +  m\\ ^  ,  \\2e'  +  <  E.  Then 

\fl< add  •  cadd]g  =  [fKUK’  ■  (c+  d)\q  =  [f K\K'(f K  '  c)  +  f k'\kU K>  '  c)\q 
=  f K\K'  (2c  +  m)  +  fK'\K(2e'  +  m') 

We  can  thus  bound  the  magnitude  of  the  coefficients  of  [/#add  •  cadd]g  by  2 (n.B)N  E  <  (nB)2N E2 ,  as 
desired.  Furthermore,  it  easy  to  see  that  [fxM  •  cadd]g  (mod  2)  =  m  +  rn! . 

The multiplication case is more complex. Let $K \cap K' = \{i_1, \ldots, i_t\}$, as before. Define
$$F_0 \stackrel{\mathrm{def}}{=} f_K \cdot f_{K'}, \qquad \text{and for } j \in [t], \quad F_j \stackrel{\mathrm{def}}{=} F_{j-1} \cdot f_{i_j}^{-1}.$$
Then $F_t = f_{K \cup K'}$ is a simple product of the secret keys $f_i$, without any quadratic terms. We know that
$$[F_0 \cdot c_0]_q = [(f_K \cdot c)(f_{K'} \cdot c')]_q = (2e + m)(2e' + m'),$$
so that $\|[F_0 \cdot c_0]_q\|_\infty < nE^2$ and $[F_0 \cdot c_0]_q \pmod 2 = m \cdot m'$. Furthermore, for all $j \in [t]$,
$$\begin{aligned}
[F_j \cdot c_j]_q &= \big[F_j \cdot \langle \mathrm{Bit}(c_{j-1}),\ h_{i_j}\mathbf{s} + 2\mathbf{e} + \mathrm{Pow}(f_{i_j})\rangle\big]_q \\
&= \big[F_j \cdot \langle \mathrm{Bit}(c_{j-1}), h_{i_j}\mathbf{s}\rangle + F_j \cdot \langle \mathrm{Bit}(c_{j-1}), 2\mathbf{e}\rangle + F_j f_{i_j} c_{j-1}\big]_q \\
&= F_j f_{i_j}^{-1} \cdot \langle \mathrm{Bit}(c_{j-1}), 2g_{i_j}\mathbf{s}\rangle + F_j \cdot \langle \mathrm{Bit}(c_{j-1}), 2\mathbf{e}\rangle + [F_{j-1} \cdot c_{j-1}]_q,
\end{aligned}$$
where $\mathbf{s}, \mathbf{e}$ are the vectors of secrets and errors in the evaluation key of party $i_j$, and we used $h_{i_j} = 2g_{i_j} f_{i_j}^{-1}$ and $F_j f_{i_j} = F_{j-1}$. Using the fact that each $F_j$ is the product of at most $(2N - j)$ keys, we have that
$$\|[F_j \cdot c_j]_q\|_\infty \le 2\lceil\log q\rceil\, nB \cdot (nB)^{2N-j-1} + 2\lceil\log q\rceil\, nB \cdot (nB)^{2N-j} + \|[F_{j-1} \cdot c_{j-1}]_q\|_\infty \le 4\lceil\log q\rceil (nB)^{2N-j+1} + \|[F_{j-1} \cdot c_{j-1}]_q\|_\infty.$$
This yields the following bound on the error of $c_{\mathsf{mult}}$:
$$\begin{aligned}
\|[f_{K \cup K'} \cdot c_{\mathsf{mult}}]_q\|_\infty = \|[F_t \cdot c_t]_q\|_\infty &< nE^2 + \sum_{j=1}^{t} 4\lceil\log q\rceil (nB)^{2N-j+1} \\
&= nE^2 + 4\lceil\log q\rceil (nB)^{2N+1} \sum_{j=1}^{t} (nB)^{-j} \\
&< nE^2 + 8\lceil\log q\rceil (nB)^{2N+1} \\
&< (nB)^{2N} E^2,
\end{aligned}$$
where the last inequality holds by the fact that $q = 2^{n^\varepsilon}$, so that $\lceil\log q\rceil = n^\varepsilon < n$.

Furthermore, notice that $[F_j \cdot c_j]_q = [F_{j-1} \cdot c_{j-1}]_q \pmod 2$, since the two additional terms above are multiples of 2. Since $[F_0 \cdot c_0]_q \pmod 2 = m \cdot m'$, we can conclude that $[f_{K \cup K'} \cdot c_{\mathsf{mult}}]_q \pmod 2 = [F_t \cdot c_t]_q \pmod 2 = m \cdot m'$.

□
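The two facts the proof uses at every relinearization step are the gadget identity $\langle \mathrm{Bit}(c_{j-1}), \mathrm{Pow}(f_{i_j})\rangle = f_{i_j} c_{j-1}$ (which is what lets a pseudo-encryption of $\mathrm{Pow}(f)$ stand in for a multiplication by the secret key) and the bound $\|\langle \mathrm{Bit}(c_{j-1}), 2\mathbf{e}\rangle\|_\infty \le 2\lceil\log q\rceil nB$ on the noise inherited from the evaluation key. The following Python is an added illustration of both, not code from the report. It assumes the standard definitions of $\mathrm{Bit}$ and $\mathrm{Pow}$ from the report's Section 3.3.1 ($\mathrm{Pow}(a) = (a, 2a, \ldots, 2^L a)$ and $\mathrm{Bit}(c) = (c_0, \ldots, c_L)$ with binary polynomials $c_t$ and $\sum_t 2^t c_t = c$, $L = \lfloor\log q\rfloor$), a toy ring dimension and modulus, and $\chi$ uniform on $\{-B, \ldots, B\}$; the names `pow_gadget`, `bit_decompose` and `inner` are ours.

```python
"""Bit/Pow gadget behind relinearization. Added example, not code from the report.
Assumes the report's definitions: Pow(a) = (a, 2a, ..., 2^L a) and Bit(c) = (c_0, ..., c_L)
with binary polynomials c_t and c = sum_t 2^t c_t, where L = floor(log2 q)."""
import random

N_DIM, Q, B = 8, 2**31 - 1, 1       # toy ring dimension, odd modulus, chi = uniform on {-B..B}
L = Q.bit_length() - 1              # floor(log2 Q); Pow and Bit have L + 1 entries


def centered(a, mod):               # [a]_mod: representative in (-mod/2, mod/2]
    r = a % mod
    return r - mod if r > mod // 2 else r


def poly_mul(a, b, mod=None):
    """Negacyclic product in Z[x]/(x^n + 1), reduced into (-mod/2, mod/2] if mod is given."""
    out = [0] * N_DIM
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N_DIM] += ai * bj * (-1 if i + j >= N_DIM else 1)   # x^n = -1
    return [centered(x, mod) for x in out] if mod else out


def pow_gadget(f):
    """Pow(f) = (f, 2f, ..., 2^L f), each entry reduced into R_Q."""
    return [[centered(x << t, Q) for x in f] for t in range(L + 1)]


def bit_decompose(c):
    """Bit(c): L+1 binary polynomials with sum_t 2^t c_t = c (mod Q); the representative in [0, Q) is split."""
    rep = [x % Q for x in c]
    return [[(x >> t) & 1 for x in rep] for t in range(L + 1)]


def inner(u, v, mod=Q):
    """<u, v> = sum_t u_t * v_t in R_mod, for vectors of polynomials."""
    acc = [0] * N_DIM
    for a, b in zip(u, v):
        acc = [x + y for x, y in zip(acc, poly_mul(a, b))]
    return [centered(x, mod) for x in acc]


def relinearization_identity(f, c):
    """True iff <Bit(c), Pow(f)> == [f c]_Q: the step that replaces a key factor by evaluation-key material."""
    return inner(bit_decompose(c), pow_gadget(f)) == poly_mul(f, c, Q)


def gadget_noise(c, errors):
    """||<Bit(c), 2e>||_inf for per-tau errors e_t: the term the proof bounds by 2 ceil(log q) n B."""
    return max(abs(x) for x in inner(bit_decompose(c), [[2 * x for x in e_t] for e_t in errors]))


def demo(seed=7):
    rng = random.Random(seed)
    f = [2 * rng.randint(-B, B) for _ in range(N_DIM)]
    f[0] += 1                                                   # f = 2u + 1, as in key generation
    c = [rng.randrange(Q) for _ in range(N_DIM)]                # an arbitrary element of R_Q (constructed)
    errors = [[rng.randint(-B, B) for _ in range(N_DIM)] for _ in range(L + 1)]  # one e_tau per entry
    return {"identity": relinearization_identity(f, c),
            "noise": gadget_noise(c, errors),
            "bound": 2 * (L + 1) * N_DIM * B}
```

Because each $\mathrm{Bit}(c)_t$ is a binary polynomial, the noise contracted against it is at most $n \cdot \|2\mathbf{e}_t\|_\infty$ per entry, independent of the size of $c$; that is the reason the proof's additive relinearization error depends on $\log q$ rather than on $q$.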
Once we have bounded the magnitude of the error coefficients after a homomorphic operation, we can bound the overall error incurred after evaluating a circuit of depth $D$. Starting with error $E_0 < 3(nB)^2$, after $D$ levels of homomorphic operations the error magnitude can grow to at most
$$\big((nB)^{2N} E_0\big)^{2^D} < (3nB)^{2^D(2N+2)}.$$
This results in correct decryption as long as $D < \log\log q - \log\log n - \log N - O(1)$, where we use the fact that $B = \mathrm{poly}(n)$. In particular, for $N = O(n^\delta)$ keys and $q = 2^{n^\varepsilon}$, we get $D < (\varepsilon - \delta)\log n - \log\log n - O(1)$.

□


3.3.3  Security 

Recall from Section 2.7 that the security of the (modified) NTRU encryption scheme can be based on two assumptions: the RLWE assumption and the DSPR assumption. Recall further that Stehlé and Steinfeld [SS11b] showed that the $\mathrm{DSPR}_{\phi,q,\chi}$ assumption is unconditionally true if $n$ is a power of 2, $\phi(x) = x^n + 1$ (the $2n$-th cyclotomic polynomial), and $\chi$ is the discrete Gaussian $D_{\mathbb{Z}^n, r}$ for $r > \sqrt{q} \cdot \mathrm{poly}(n)$. This allowed them to prove semantic security for the modified NTRU scheme under the $\mathrm{RLWE}_{\phi,q,\chi}$ assumption alone.

Unfortunately, their result holds only if $r > \sqrt{q} \cdot \mathrm{poly}(n)$, which is too large to permit even a single homomorphic multiplication. To support homomorphic operations, we need to use a much smaller value of $r$, for which it is easy to see that the $\mathrm{DSPR}_{\phi,q,\chi}$ assumption does not hold in a statistical sense any more. Thus, it is necessary to assume that the decisional small polynomial ratio problem is hard for our choice of parameters.

Additionally, note that the evaluation key $\mathsf{ek}$ contains elements of the form $[h s_\tau + 2e_\tau + 2^\tau f]_q$, which can be thought of as "pseudo-encryptions" of (multiples of) the secret key $f$ under the corresponding public key $h$.¹⁰ The security of the scheme must then additionally rely on a "circular security" assumption that states that semantic security of the scheme is maintained given the evaluation key as constructed above. We remark that this assumption can be avoided at the cost of obtaining a leveled homomorphic encryption scheme (where the size of the evaluation key grows with the depth of the circuits that the scheme supports).

Thus, we can base the security of the scheme on the DSPR assumption, the RLWE assumption, and the "circular security" assumption described above.

Lemma 3.3. Let $n$ be a power of 2, let $\phi(x) = x^n + 1$, let $q = 2^{n^\varepsilon}$ for $\varepsilon \in (0,1)$ and $\chi = D_{\mathbb{Z}^n, r}$ with $r = \mathrm{poly}(n)$. Then the somewhat homomorphic encryption scheme $\mathcal{E}_{\mathsf{SH}} = (\mathsf{SH.Keygen}, \mathsf{SH.Enc}, \mathsf{SH.Dec}, \mathsf{SH.Eval})$ described above is secure under the $\mathrm{DSPR}_{\phi,q,\chi}$ and $\mathrm{RLWE}_{\phi,q,\chi}$ assumptions, and the assumption that the scheme remains semantically secure even given the evaluation key $\mathsf{ek}$.

3.4  From  Somewhat  to  Fully  Homomorphic  Encryption 

We  use  a  generalization  of  Gentry’s  bootstrapping  theorem  [Gen09b,  Gen09a]  (see  Section  2.5) 
to  convert  the  multikey  somewhat  homomorphic  scheme  from  Section  3.3  into  a  multikey  fully 
homomorphic  one.  We  modify  Gentry’s  bootstrapping  theorem  and  the  corresponding  definitions 
from  their  original  presentation  to  generalize  them  to  the  multikey  setting. 

¹⁰ We point out that these are not true encryptions of the "message" $2^\tau f$, since $2^\tau f$ is not a binary polynomial, whereas our scheme is only equipped to correctly encrypt polynomials $m \in R_2$.

Definition 3.3 (Multikey Bootstrappable Schemes). Let $\mathcal{E} = \{\mathcal{E}^{(N)} = (\mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})\}_{N > 0}$ be a family of multikey $\mathcal{C}$-homomorphic encryption schemes, and let $f_{\mathsf{add}}$ and $f_{\mathsf{mult}}$ be the augmented decryption functions of the scheme, defined as
$$f^{c_1, c_2}_{\mathsf{add}}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N) = \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c_1)\ \mathrm{XOR}\ \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c_2)$$
$$f^{c_1, c_2}_{\mathsf{mult}}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N) = \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c_1)\ \mathrm{AND}\ \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c_2)$$
Then $\mathcal{E}$ is bootstrappable if $\{f^{c_1,c_2}_{\mathsf{add}}, f^{c_1,c_2}_{\mathsf{mult}}\}_{c_1, c_2} \subseteq \mathcal{C}$, namely the scheme can homomorphically evaluate $f_{\mathsf{add}}$ and $f_{\mathsf{mult}}$.

We now state a generalization of Gentry's bootstrapping theorem to the multikey setting. Taking $N = 1$ yields the theorem and the definitions from [Gen09b, Gen09a] and Section 2.5.

Theorem 3.4 (Multikey Bootstrapping Theorem). Let $\mathcal{E}$ be a bootstrappable family of multikey homomorphic schemes that is also weakly circular secure. Then there is a multikey fully homomorphic family of encryption schemes $\mathcal{E}'$.

Unfortunately, the somewhat homomorphic scheme described in Section 3.3 is not bootstrappable. Recall that the scheme can only evaluate circuits of depth less than $\varepsilon \log n$, where $\varepsilon < 1$. However, the shallowest implementation of the decryption circuit we are aware of has depth $c \log N \cdot \log n$ for some constant $c > 1$. We therefore turn to modulus reduction, a technique introduced by [BV11a] and refined by [BGV12], to convert our somewhat homomorphic scheme into a bootstrappable scheme.

3.4.1  Modulus  Reduction 

Modulus reduction [BV11a, BGV12] is a noise-management technique that provides an exponential gain in the depth of the circuits that can be evaluated, while keeping the depth of the decryption circuit unchanged. Informally, if $D_{\mathsf{dec}}$ is the depth of the decryption circuit of the multikey scheme described in Section 3.3.1, then we modify the scheme so that its decryption circuit is unchanged but the scheme can now evaluate circuits of depth $D_{\mathsf{dec}}$. Hence, the new scheme can evaluate its own decryption circuit, making it bootstrappable. Details follow.

Let $(h, f)$ be a key pair and let $c$ be a ciphertext under public key $h$. Recall that for decryption to be successful, we need $[fc]_q$ to be equal to $fc \in R$, i.e. the error must not wrap around modulo $q$. However, each homomorphic operation increases this error. Modulus reduction allows us to keep the error magnitude small by simply scaling the ciphertext after each operation. The key idea is to exploit the difference in how the error affects security and homomorphism:

• The growth of error upon homomorphic multiplication is governed by the magnitude of the noise.

• Security is governed by the ratio between the magnitude of the error and the modulus $q$.

This suggests a method of reducing the magnitude of the error and the modulus by roughly the same factor, thus preserving security while at the same time making homomorphic multiplications "easier". In particular, modulus reduction gives us a way to transform a ciphertext $c \in R_q$ into a different ciphertext $c' \in R_p$ (for $p < q$) while preserving correctness: for the "joint" secret key $f = \prod_{i=1}^N f_i$,
$$[fc']_p = [fc]_q \pmod 2.$$
The transformation from $c$ to $c'$ involves simply scaling by $(p/q)$ and rounding appropriately.
Lemma 3.5 ([BGV12]). Let $p$ and $q$ be two odd moduli, and let $c \in R_q$. Define $c'$ to be the polynomial in $R_p$ closest to $(p/q) \cdot c$ such that $c' = c \pmod 2$. Then, for any $f$ with $\|[fc]_q\|_\infty < q/2 - (q/p) \cdot \|f\|_1$, we have
$$[fc']_p = [fc]_q \pmod 2 \qquad \text{and} \qquad \|[fc']_p\|_\infty < (p/q) \cdot \|[fc]_q\|_\infty + \|f\|_1,$$
where $\|\cdot\|_\infty$ and $\|\cdot\|_1$ are the $\ell_\infty$ and $\ell_1$ norms, respectively.

Proof. Let $fc = \sum_{i=0}^{n-1} d_i x^i$, and consider a coefficient $d_i$. We know that there exists $k \in \mathbb{Z}$ such that
$$[d_i]_q = d_i - kq \in \Big(-\frac{q}{2} + \frac{q}{p}\|f\|_1,\ \frac{q}{2} - \frac{q}{p}\|f\|_1\Big),$$
so that
$$(p/q) \cdot d_i - kp \in \Big(-\frac{p}{2} + \|f\|_1,\ \frac{p}{2} - \|f\|_1\Big).$$
Let $fc' = \sum_{i=0}^{n-1} e_i x^i$. Since every coefficient of $c'$ is within distance 1 of the corresponding coefficient of $(p/q) \cdot c$, we have $|e_i - (p/q) \cdot d_i| \le \|f\|_1$. Therefore $e_i - kp \in (-p/2, p/2)$, so $[e_i]_p = e_i - kp$ and $|[e_i]_p| \le (p/q) \cdot |[d_i]_q| + \|f\|_1$. This proves the second part of the lemma. To prove the first part, notice that since $p$ and $q$ are both odd, we know $kp = kq \pmod 2$. Moreover, we chose $c'$ such that $c = c' \pmod 2$, so $e_i = d_i \pmod 2$. We thus have
$$e_i - kp = d_i - kq \pmod 2, \qquad\text{i.e.}\qquad [e_i]_p = [d_i]_q \pmod 2, \qquad\text{and hence}\qquad [fc']_p = [fc]_q \pmod 2.$$

□

The beauty of Lemma 3.5 is that if we know the depth $D$ of the circuit we want to evaluate, then we can construct a ladder of decreasing moduli $q_0, \ldots, q_D$ and perform modulus reduction after each operation so that at level $i$ all ciphertexts reside in $R_{q_i}$ and the magnitude of the noise at each level is small. In particular, this is true at level $D$, so that once the evaluation is complete it is possible to decrypt the resulting ciphertext without decryption errors. This yields a leveled homomorphic encryption scheme. A bootstrappable scheme can then be obtained by setting $D = D_{\mathsf{dec}}$, the depth of the augmented decryption circuit.
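To make the objects of Section 3.3 and of Lemma 3.5 concrete, the following Python is an added example (not code from the report) that implements a toy version of the scheme end to end: key generation $f = 2u + 1$, $h = 2g f^{-1}$ in $R_q = \mathbb{Z}_q[x]/(x^n + 1)$; encryption $c = [hs + 2e + m]_q$; decryption of a sum and of a product of ciphertexts under two different keys using the joint key $f_1 f_2$ (one level, so no relinearization is needed and the product is decrypted with the quadratic term $f_1 f_2$ directly, as in the proof of Claim 3.2.1); and the modulus reduction of Lemma 3.5 from $R_q$ to $R_p$, checking the lemma's precondition, the parity-preservation property and the noise bound. The ring dimension, the moduli and $\chi$ (uniform on $\{-B, \ldots, B\}$) are toy choices with no security. We take $q$ prime (our choice, not the report's) so that $f^{-1}$ can be found by Gaussian elimination over $\mathbb{Z}_q$; all function names are ours.

```python
"""Toy multikey NTRU-style scheme (Section 3.3) plus modulus reduction (Lemma 3.5).
Added example, not code from the report; toy parameters with no security."""
import random
from fractions import Fraction

N_DIM = 16              # ring dimension n (a power of 2); toy value
Q = 2**61 - 1           # odd prime modulus q (the report's q = 2^{n^eps} is a size statement); toy
P = 2**41 - 1           # smaller odd modulus p for the reduction step; toy value
B = 1                   # chi = uniform on {-B, ..., B}, which is B-bounded

def centered(a, mod):   # [a]_mod: the representative of a in (-mod/2, mod/2]
    r = a % mod
    return r - mod if r > mod // 2 else r

def poly_mul(a, b, mod=None):
    """Negacyclic product in Z[x]/(x^n + 1); reduced into (-mod/2, mod/2] if mod is given."""
    out = [0] * N_DIM
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N_DIM] += ai * bj * (-1 if i + j >= N_DIM else 1)   # x^n = -1
    return [centered(x, mod) for x in out] if mod else out

def sample_chi(rng):
    return [rng.randint(-B, B) for _ in range(N_DIM)]

def inverse_mod_q(f):
    """f^{-1} in R_Q, or None if f is not a unit: solve M v = e_0 over Z_Q, where column j of M
    is f * x^j, so that M v is the coefficient vector of f * v (Gaussian elimination, Q prime)."""
    cols = [poly_mul(f, [int(i == j) for i in range(N_DIM)], Q) for j in range(N_DIM)]
    aug = [[cols[j][i] % Q for j in range(N_DIM)] + [int(i == 0)] for i in range(N_DIM)]
    for c in range(N_DIM):
        piv = next((r for r in range(c, N_DIM) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, Q)
        aug[c] = [x * inv % Q for x in aug[c]]
        for r in range(N_DIM):
            if r != c and aug[r][c]:
                fac = aug[r][c]
                aug[r] = [(x - fac * y) % Q for x, y in zip(aug[r], aug[c])]
    return [centered(row[N_DIM], Q) for row in aug]

def keygen(rng):
    """f = 2u + 1 (so f = 1 mod 2) and h = 2 g f^{-1} in R_Q; resample until f is a unit."""
    while True:
        u, g = sample_chi(rng), sample_chi(rng)
        f = [2 * x for x in u]
        f[0] += 1
        f_inv = inverse_mod_q(f)
        if f_inv is not None:
            return poly_mul([2 * x for x in g], f_inv, Q), f

def encrypt(h, bit, rng):
    """c = [h s + 2 e + m]_Q with m the constant polynomial `bit`."""
    hs, e = poly_mul(h, sample_chi(rng), Q), sample_chi(rng)
    return [centered(x + 2 * y + (bit if i == 0 else 0), Q) for i, (x, y) in enumerate(zip(hs, e))]

def joint(keys, c, mod):           # [f_1 ... f_N c]_mod: the joint secret key applied to c
    for f in keys:
        c = poly_mul(c, f, mod)
    return c

def decrypt(keys, c, mod=Q):
    return joint(keys, c, mod)[0] % 2                  # the bit sits in the constant term

def error_norm(keys, c, mod=Q):
    return max(abs(x) for x in joint(keys, c, mod))    # ||[f_K c]_mod||_inf

def modulus_reduce(c, q, p):
    """Lemma 3.5: the integer vector nearest to (p/q) c with c' = c (mod 2) coefficientwise."""
    out = []
    for ci in c:
        x = Fraction(p * ci, q)
        lo = x // 1 - 1                                # floor(x) - 1; candidates floor-1 .. floor+2
        out.append(min((k for k in range(lo, lo + 4) if k % 2 == ci % 2), key=lambda k: abs(k - x)))
    return out

def demo(seed=1):
    rng = random.Random(seed)
    (h1, f1), (h2, f2) = keygen(rng), keygen(rng)      # two parties, two independent key pairs
    f12 = poly_mul(f1, f2)                             # joint key f_1 f_2 over Z, for ||f||_1
    res = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(h1, m1, rng), encrypt(h2, m2, rng)
            c_add = [centered(x + y, Q) for x, y in zip(c1, c2)]   # decrypts under f_1 f_2
            c_mul = poly_mul(c1, c2, Q)                            # decrypts under f_1 f_2
            c_red = modulus_reduce(c_mul, Q, P)                    # same message, now in R_P
            res[(m1, m2)] = {
                "add": decrypt([f1, f2], c_add),
                "mul": decrypt([f1, f2], c_mul),
                "mul_after_reduce": decrypt([f1, f2], c_red, P),
                "precondition": error_norm([f1, f2], c_mul) < Fraction(Q, 2) - Fraction(Q, P) * sum(map(abs, f12)),
                "noise_bound": error_norm([f1, f2], c_red, P)
                <= Fraction(P, Q) * error_norm([f1, f2], c_mul) + sum(map(abs, f12)),
            }
    return res
```

`demo()` returns, for each pair of input bits, the decrypted XOR and AND, the AND decrypted again after reduction to $R_p$, and whether the lemma's precondition and noise bound held. The product's error before reduction is on the order of $n E^2$ and after reduction on the order of $\|f\|_1$ while the modulus shrank by $q/p$, which is the trade the text describes: the error and the modulus drop by the same factor, so the error-to-modulus ratio that governs security is essentially unchanged while the next multiplication starts from a small absolute error.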

3.4.2  Obtaining  A  Leveled  Homomorphic  Scheme 

We  change  the  somewhat  homomorphic  scheme  from  Section  3.3  to  use  modulus  reduction  during 
the  evaluation.  The  main  changes  to  the  scheme  are  as  follows: 

• The scheme is now additionally parametrized by an integer $D$, which is the maximum circuit depth that it can homomorphically evaluate, and a ladder of decreasing moduli $q_0, \ldots, q_D$.

• We cannot use a single key $f$ for all levels (at the expense of assuming circular security), as in Section 3.3. This is because the public key $h$ depends on the modulus $q$ (recall that $h = 2gf^{-1}$, where $f^{-1}$ is the inverse of $f$ in $R_q$). With the new ladder of moduli, this would require that the following two conditions be met simultaneously: first, that $f^{-1}$ is the inverse of $f$ in $R_{q_D}$ (to guarantee correctness of decryption) and second, that $h = 2gf^{-1}$ is (indistinguishable from) uniformly random in $R_{q_0}$ (to guarantee semantic security). This would require making a much stronger (and perhaps false) hardness assumption.

Instead, key generation computes a different key pair $(h^{(d)}, f^{(d)})$ for each level $d \in \{0, \ldots, D\}$. Encryption uses $\mathsf{pk} \stackrel{\mathrm{def}}{=} h^{(0)}$ as the public key, and decryption uses $\mathsf{sk}^{(d)} \stackrel{\mathrm{def}}{=} f^{(d)}$ to decrypt a "level-$d$" ciphertext, i.e. a ciphertext that is the output of a depth-$d$ circuit evaluation. W.l.o.g. we assume any ciphertext to be decrypted is a level-$D$ ciphertext and set the secret key to be $\mathsf{sk} = f^{(D)}$.

Homomorphic operations will ensure that if $c, c'$ are level-$(d-1)$ ciphertexts in $R_{q_{d-1}}$ decryptable with $f^{(d-1)}$, then $c_{\mathsf{add}}$ and $c_{\mathsf{mult}}$ are level-$d$ ciphertexts in $R_{q_d}$ decryptable with $f^{(d)}$.

• Relinearization will now serve two purposes: it will ensure that only linear terms of keys are needed to decrypt the resulting ciphertext, but it will also switch the level-$(d-1)$ key to the corresponding level-$d$ key. (Indeed, relinearization is also known as key-switching in the literature.) Moreover, note that we must perform the key-switching step not only for quadratic terms but also for linear terms. Thus, we now perform relinearization/key-switching after every homomorphic operation, both addition and multiplication, and furthermore, we relinearize/key-switch every key in $K \cup K'$, instead of only those in $K \cap K'$.

• To perform the relinearization/key-switching step described above, the evaluation key consists of pseudo-encryptions of $f^{(d-1)}$ and $(f^{(d-1)})^2$ under the public key $h^{(d)}$, for all $d \in [D]$.

Note in particular that we now need pseudo-encryptions of the quadratic terms of the key. In the scheme from Section 3.3, relinearization only required pseudo-encryptions of (multiples of) $f$ because the term $\langle \mathrm{Bit}(c), \mathrm{Pow}(f)\rangle$ only performed "partial decryption" of the ciphertext $c$: it computes $fc$, but $f^2$ is required to decrypt $c$. Decryption of $c$ was completed at decryption time when the ciphertext was multiplied by $f$ once more, obtaining $f^2 c$.

In our new setting, because decryption is performed using a different key, relinearization needs to "completely decrypt" $c$ with the original key. For a key in $K \cap K'$, this means computing $\langle \mathrm{Bit}(c), \mathrm{Pow}((f^{(d-1)})^2)\rangle = (f^{(d-1)})^2 c$. Since $\mathrm{Pow}((f^{(d-1)})^2)$ is pseudo-encrypted under $h^{(d)}$, the new ciphertext can be decrypted using $f^{(d)}$.

Pseudo-encryptions of the linear terms of the keys are also required in order to relinearize/key-switch keys in $K \triangle K'$, the symmetric difference of $K$ and $K'$.

3.4.3  Formal  Description 

We now give a formal description of the leveled homomorphic encryption scheme resulting from applying the changes described above to the somewhat homomorphic scheme $\mathcal{E}_{\mathsf{SH}}$ described in Section 3.3.

• $\mathsf{LH.Keygen}(1^\kappa)$: For every $i \in \{0, \ldots, D\}$, sample $u^{(i)}, g^{(i)} \leftarrow \chi$ and set $f^{(i)} := 2u^{(i)} + 1$, so that $f^{(i)} = 1 \pmod 2$. If $f^{(i)}$ is not invertible in $R_{q_i}$, resample $u^{(i)}$; otherwise, let $(f^{(i)})^{-1}$ be the inverse of $f^{(i)}$ in $R_{q_i}$. Let $h^{(i)} \stackrel{\mathrm{def}}{=} 2g^{(i)}(f^{(i)})^{-1} \in R_{q_i}$, and set
$$\mathsf{pk} \stackrel{\mathrm{def}}{=} h^{(0)} \in R_{q_0}, \qquad \mathsf{sk} \stackrel{\mathrm{def}}{=} f^{(D)} \in R_{q_D}.$$
For all $i \in [D]$, sample $\mathbf{s}^{(i)}, \mathbf{e}^{(i)}, \tilde{\mathbf{s}}^{(i)}, \tilde{\mathbf{e}}^{(i)} \leftarrow \chi^{\lfloor\log q_i\rfloor}$ and compute
$$\gamma^{(i)} := \big[h^{(i)}\mathbf{s}^{(i)} + 2\mathbf{e}^{(i)} + \mathrm{Pow}(f^{(i-1)})\big]_{q_i} \in R_{q_i}^{\lfloor\log q_i\rfloor}, \qquad \zeta^{(i)} := \big[h^{(i)}\tilde{\mathbf{s}}^{(i)} + 2\tilde{\mathbf{e}}^{(i)} + \mathrm{Pow}\big((f^{(i-1)})^2\big)\big]_{q_i} \in R_{q_i}^{\lfloor\log q_i\rfloor}.$$
Set $\mathsf{ek} \stackrel{\mathrm{def}}{=} \{\gamma^{(i)}, \zeta^{(i)}\}_{i \in [D]}$ and output the key tuple $(\mathsf{pk}, \mathsf{sk}, \mathsf{ek})$.

• $\mathsf{LH.Enc}(\mathsf{pk}, m)$: Sample $s, e \leftarrow \chi$. Output the ciphertext $c := [hs + 2e + m]_{q_0} \in R_{q_0}$.

• $\mathsf{LH.Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c)$: Assume w.l.o.g. that $c \in R_{q_D}$. Parse $\mathsf{sk}_i = f_i$ for $i \in [N]$. Let $\mu := [f_1 \cdots f_N \cdot c]_{q_D} \in R_{q_D}$. Output $m' := \mu \pmod 2$.

• $\mathsf{LH.Eval}(C, (c_1, \mathsf{pk}_1, \mathsf{ek}_1), \ldots, (c_\ell, \mathsf{pk}_\ell, \mathsf{ek}_\ell))$: We show how to evaluate an $\ell$-variate boolean circuit $C : \{0,1\}^\ell \to \{0,1\}$ of depth $D$. To this end, we show how to homomorphically add and multiply two elements in $\{0,1\}$. As before, given two ciphertexts $c, c'$, we assume that we also have a set of distinct public keys associated with each ciphertext, and denote these sets by $K, K'$, respectively. The public-key set of a fresh encryption is simply the set $\{\mathsf{pk}\}$ containing the public key under which it was encrypted. For convenience, in our analysis we sometimes assume that the set contains the indices of the public keys instead of the keys themselves.


– Given two ciphertexts $c, c' \in R_{q_d}$ with corresponding public-key sets $K, K'$, compute $c_0 = [c + c']_{q_d} \in R_{q_d}$ and let $K \cup K' = \{\mathsf{pk}_{i_1}, \ldots, \mathsf{pk}_{i_t}\}$. For $j = 1, \ldots, t$, parse $\mathsf{ek}_{i_j} = \{\gamma^{(\delta)}_{i_j}, \zeta^{(\delta)}_{i_j}\}_{\delta \in [D]}$ and compute
$$c_j = \big[\langle \mathrm{Bit}(c_{j-1}),\ \gamma^{(d)}_{i_j}\rangle\big]_{q_d} \in R_{q_d}.$$
Finally, reduce the modulus: let $c_{\mathsf{add}}$ be the integer vector closest to $(q_{d+1}/q_d) \cdot c_t$ such that $c_{\mathsf{add}} = c_t \pmod 2$. Output $c_{\mathsf{add}} \in R_{q_{d+1}}$ as an encryption of the sum of the underlying messages, and output the set $K_{\mathsf{add}} \stackrel{\mathrm{def}}{=} K \cup K'$ as its corresponding public-key set.

– Given two ciphertexts $c, c' \in R_{q_d}$ with corresponding public-key sets $K, K'$, compute $c_0 = [c \cdot c']_{q_d} \in R_{q_d}$ and let $K \cup K' = \{\mathsf{pk}_{i_1}, \ldots, \mathsf{pk}_{i_t}\}$. For $j = 1, \ldots, t$, parse $\mathsf{ek}_{i_j} = \{\gamma^{(\delta)}_{i_j}, \zeta^{(\delta)}_{i_j}\}_{\delta \in [D]}$ and compute $c_j$ as follows:

  * If $\mathsf{pk}_{i_j} \in K \triangle K'$ (the key occurs in only one of the two sets, so $c_0$ carries it linearly), let
  $$c_j = \big[\langle \mathrm{Bit}(c_{j-1}),\ \gamma^{(d)}_{i_j}\rangle\big]_{q_d} \in R_{q_d}.$$

  * Otherwise ($\mathsf{pk}_{i_j} \in K \cap K'$, so $c_0$ carries the key quadratically), let
  $$c_j = \big[\langle \mathrm{Bit}(c_{j-1}),\ \zeta^{(d)}_{i_j}\rangle\big]_{q_d} \in R_{q_d}.$$

Finally, reduce the modulus: let $c_{\mathsf{mult}}$ be the integer vector closest to $(q_{d+1}/q_d) \cdot c_t$ such that $c_{\mathsf{mult}} = c_t \pmod 2$. Output $c_{\mathsf{mult}} \in R_{q_{d+1}}$ as an encryption of the product of the underlying messages, and output the set $K_{\mathsf{mult}} \stackrel{\mathrm{def}}{=} K \cup K'$ as its corresponding public-key set.


Leveled  Homomorphism.  We  can  now  show  the  following  lemma,  characterizing  the  circuits 
and  number  of  keys  that  the  scheme  can  handle  in  evaluation. 

Lemma 3.6. Let $\chi$ be a $B$-bounded distribution for $B = \mathrm{poly}(n)$, let $q_0 = 2^{n^\varepsilon}$ for $\varepsilon \in (0,1)$ and, for $d \in [D]$, let $q_{d-1}/q_d = 8n(nB)^{2N+2}$. Then the encryption scheme $\mathcal{E}_{\mathsf{LH}} = (\mathsf{LH.Keygen}, \mathsf{LH.Enc}, \mathsf{LH.Dec}, \mathsf{LH.Eval})$ described above is multikey homomorphic for $N$ keys and circuits of depth $D$ as long as $ND = O(n^\varepsilon / \log n)$.

Proof. We claim that for all $d \in \{0, \ldots, D\}$, the error of a level-$d$ ciphertext is bounded by $E \stackrel{\mathrm{def}}{=} (1/2n) \cdot (q_{d-1}/q_d) = 4(nB)^{2N+2}$, and prove it by induction. The base case follows immediately since the error of a freshly encrypted ciphertext is bounded by $3(nB)^2 < 4(nB)^{2N+2}$.

We now turn to the inductive step. Let $c, c'$ be level-$(d-1)$ ciphertexts with corresponding public-key sets $K, K'$. The inductive hypothesis tells us the error in $c$ and $c'$ is bounded by $E$. Using the same analysis as in the proof of Lemma 3.2, we can show that relinearizing all keys in $K \cup K'$ generates an additive error less than $8\lceil\log q_d\rceil (nB)^{2N+1} < (nB)^{2N+2}$, where we used the fact that $q_d < q_0 = 2^{n^\varepsilon}$ for $\varepsilon < 1$. Recall that $c_t$ is the ciphertext obtained in a homomorphic operation after relinearization has been completed but before modulus reduction is performed. Then:

• In a homomorphic addition, the error of $c_t$ is bounded by $2(nB)^N E + (nB)^{2N+2}$. By Lemma 3.5, the error of $c_{\mathsf{add}}$ is bounded by
$$\begin{aligned}
\frac{q_d}{q_{d-1}}\Big(2(nB)^N E + (nB)^{2N+2}\Big) + nB &= \frac{2(nB)^N E + (nB)^{2N+2}}{2nE} + nB \\
&< \frac{2(nB)^N E}{2nE} + (nB)^{2N+2} + nB \\
&= \frac{(nB)^N}{n} + (nB)^{2N+2} + nB \\
&< 4(nB)^{2N+2} = E.
\end{aligned}$$

• In a homomorphic multiplication, the error of $c_t$ is bounded by $nE^2 + (nB)^{2N+2}$. By Lemma 3.5, the error of $c_{\mathsf{mult}}$ is bounded by
$$\begin{aligned}
\frac{q_d}{q_{d-1}}\Big(nE^2 + (nB)^{2N+2}\Big) + nB &= \frac{nE^2 + (nB)^{2N+2}}{2nE} + nB \\
&< \frac{nE^2}{2nE} + 2(nB)^{2N+2} \\
&\le \frac{E}{2} + \frac{E}{2} = E.
\end{aligned}$$

This concludes the inductive step and the proof that ciphertexts of all levels have error at most $E$. To correctly decrypt a level-$D$ ciphertext, we must have that
$$4(nB)^{2N+2} = E < \frac{q_D}{2} = \frac{q_0}{2\big(8n(nB)^{2N+2}\big)^D} = \frac{2^{n^\varepsilon}}{2\big(8n(nB)^{2N+2}\big)^D},$$
which yields the theorem statement: $ND = O(n^\varepsilon / \log n)$. □

Security. As in Section 3.3, the security of the scheme $\mathcal{E}_{\mathsf{LH}}$ can be based on the $\mathrm{DSPR}_{\phi,q,\chi}$ and $\mathrm{RLWE}_{\phi,q,\chi}$ assumptions. However, unlike in Section 3.3, we do not need to assume circular security of the encryption scheme. This is due to the fact that the evaluation key consists of pseudo-encryptions of (multiples of) $f^{(d-1)}$ and $(f^{(d-1)})^2$ under a different public key $h^{(d)}$, for all $d \in [D]$: no key is ever pseudo-encrypted under its own public key. Semantic security even given the evaluation key can then be established by a hybrid argument that converts all pseudo-encryptions in the evaluation key, one by one, to uniform elements in $R_{q_d}$.

Lemma 3.7. Let $n$ be a power of 2, let $\phi(x) = x^n + 1$, let $q = 2^{n^\varepsilon}$ for $\varepsilon \in (0,1)$ and $\chi = D_{\mathbb{Z}^n, r}$ with $r = \mathrm{poly}(n)$. Then the multikey leveled homomorphic encryption scheme $\mathcal{E}_{\mathsf{LH}} = (\mathsf{LH.Keygen}, \mathsf{LH.Enc}, \mathsf{LH.Dec}, \mathsf{LH.Eval})$ described above is secure under the $\mathrm{DSPR}_{\phi,q,\chi}$ and $\mathrm{RLWE}_{\phi,q,\chi}$ assumptions.

3.4.4  Multikey  Fully  Homomorphic  Encryption 

To  convert  the  leveled  homomorphic  encryption  scheme  described  in  Section  3.4.2  into  a  fully 
homomorphic  scheme,  we  use  the  multikey  bootstrapping  theorem  (Theorem  3.4).  First,  we  show 
an  upper  bound  on  the  depth  of  the  decryption  circuit  and  show  that  the  scheme  is  bootstrappable. 

Lemma 3.8. The $N$-key decryption circuit of the leveled homomorphic encryption scheme described above can be implemented as a polynomial-size arithmetic circuit over $\mathrm{GF}(2)$ of depth $O(\log N \cdot (\log\log q_D + \log n))$.

Proof. The decryption circuit for a ciphertext encrypted under $N$ keys can be written as
$$\mathsf{Dec}(f_1, \ldots, f_N, c) = \Big[c \cdot \prod_{i=1}^{N} f_i\Big]_{q_D} \pmod 2.$$
Multiplying two polynomials over $R_{q_D}$ can be done using a polynomial-size Boolean circuit of depth $O(\log\log q_D + \log n)$ (see, e.g., [BV11a, Lemma 4.5] for a proof). Using a binary tree of polynomial multiplications, the decryption operation above can then be done in depth $O(\log N \cdot (\log\log q_D + \log n))$, as claimed. □

This means that the modified scheme is bootstrappable, and therefore applying the bootstrapping theorem gives us:

Theorem 3.9. Let $\chi$ be a $B$-bounded distribution for $B = \mathrm{poly}(n)$, let $q_0 = 2^{n^\varepsilon}$ for $\varepsilon \in (0,1)$ and, for $d \in [D]$, let $q_{d-1}/q_d = 8n(nB)^{2N+2}$. Then there exists a multikey fully homomorphic encryption scheme for $N = O(n^\varepsilon / \log^3 n)$ keys, secure under the $\mathrm{DSPR}_{\phi,q,\chi}$ and $\mathrm{RLWE}_{\phi,q,\chi}$ assumptions and the assumption that the leveled homomorphic encryption scheme $\mathcal{E}_{\mathsf{LH}} = (\mathsf{LH.Keygen}, \mathsf{LH.Enc}, \mathsf{LH.Dec}, \mathsf{LH.Eval})$ described above is weakly circular secure.
Proof. To apply the multikey bootstrapping theorem (Theorem 3.4), we require that the depth of the decryption circuit is smaller than the depth of the circuits that the scheme can evaluate. That is, by Lemma 3.8 and Lemma 3.6, we require that
$$\log N \cdot (\log\log q_D + \log n) < C \cdot \frac{n^\varepsilon}{N \cdot \log n}$$
for some universal constant $C > 0$. For $N \le \sqrt{C/2} \cdot (n^{\varepsilon/2}/\log n)$ we have, using $\log N \le N$ and $\log\log q_D \le \log\log q_0 = \varepsilon \log n$,
$$N \cdot \log n \cdot \log N \cdot (\log\log q_D + \log n) \le N^2 \cdot \log n \cdot (1 + \varepsilon)\log n \le \frac{C}{2} \cdot \frac{n^\varepsilon}{\log^2 n} \cdot (1 + \varepsilon)\log^2 n < C \cdot n^\varepsilon = C \cdot \log q_0,$$
as required. □

Remark 3.4. Theorem 3.9 implies that for any $N \in \mathbb{N}$, there exists a multikey fully homomorphic encryption scheme for $N$ keys. This is achieved by choosing $\varepsilon'$ such that $n^{\varepsilon'} \le \sqrt{C/2} \cdot (n^{\varepsilon/2}/\log n)$ and setting $n \ge N^{1/\varepsilon'}$.

We  emphasize  the  fact  that  bootstrapping  (and  therefore  assuming  weak  circular  security)  can 
be  avoided  at  the  cost  of  obtaining  a  leveled  homomorphic  encryption  scheme. 

4  On-the-Fly  MPC  from  Multikey  FHE 

We  now  show  how  to  construct  on-the-fly  MPC  from  multikey  FHE.  We  first  construct  a  basic 
protocol  that  is  secure  against  semi-malicious  adversaries,  and  then  describe  how  to  modify  the 
protocol  to  obtain  security  against  malicious  adversaries.  As  mentioned  earlier,  the  main  building 
block  of  our  construction  is  multikey  fully  homomorphic  encryption,  defined  and  constructed  in 
Section  3. 

4.1  The  Basic  Protocol 

Let $\mathcal{E} = \{\mathcal{E}^{(N)} = (\mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})\}_{N > 0}$ be a multikey fully homomorphic family of encryption schemes. The following construction is an on-the-fly MPC protocol secure against semi-malicious adversaries. The protocol is defined as follows:

Step 1: For $i \in [U]$, party $P_i$ samples a key tuple $(\mathsf{pk}_i, \mathsf{sk}_i, \mathsf{ek}_i) \leftarrow \mathsf{Keygen}(1^\kappa)$ and encrypts its input $x_i$ under $\mathsf{pk}_i$: $c_i \leftarrow \mathsf{Enc}(\mathsf{pk}_i, x_i)$. It sends $(\mathsf{pk}_i, \mathsf{ek}_i, c_i)$ to the server $S$.

At this point a function $F$, represented as a circuit $C$, has been selected on inputs for some $V \subseteq [U]$. Let $N = |V|$. For ease of notation, assume w.l.o.g. that $V = [N]$. The parties proceed as follows.

Step 2: The server $S$ computes $c := \mathsf{Eval}(C, (c_1, \mathsf{pk}_1, \mathsf{ek}_1), \ldots, (c_N, \mathsf{pk}_N, \mathsf{ek}_N))$ and broadcasts $c$ to parties $P_1, \ldots, P_N$.

Step 3: The parties $P_1, \ldots, P_N$ run a secure MPC protocol $\Pi^{\mathsf{SM}}_{\mathsf{DEC}}$ to compute the function $g_c(\mathsf{sk}_1, \ldots, \mathsf{sk}_N) \stackrel{\mathrm{def}}{=} \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c)$.

We remark that an upper bound on the number of computing parties must be known in advance. This is a direct consequence of the "leveled" nature of our multikey FHE construction with respect to the number of keys.

4.1.1  Security  Against  Semi- Malicious  Adversaries 

Theorem 4.1. Let $\mathcal{E} = \{\mathcal{E}^{(N)} = (\mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})\}_{N > 0}$ be a multikey fully homomorphic encryption scheme, and let $\Pi^{\mathsf{SM}}_{\mathsf{DEC}}$ be an $N$-party MPC protocol for computing the decryption function $g_c(\mathsf{sk}_1, \ldots, \mathsf{sk}_N) \stackrel{\mathrm{def}}{=} \mathsf{Dec}(\mathsf{sk}_1, \ldots, \mathsf{sk}_N, c)$. If $\mathcal{E}$ is semantically secure, and $\Pi^{\mathsf{SM}}_{\mathsf{DEC}}$ is secure against semi-honest adversaries corrupting $t < N$ parties, then the above construction is an on-the-fly MPC protocol secure against (static) semi-malicious adversaries corrupting $t$ parties and possibly the server $S$.

Proof. We prove that the protocol is correct and secure, and that it satisfies the performance requirements of an on-the-fly protocol.

Correctness: Correctness follows directly from the correctness properties of homomorphic evaluation and of the MPC protocol $\Pi^{\mathsf{SM}}_{\mathsf{DEC}}$ for decryption.

Performance: By compactness of evaluation, we know that $|c|$ is independent of $|C|$. This means that the communication complexity and the computation time of the parties are independent of $|C|$.

Security: We show security for the case when the server is corrupted; the case when the server is honest is analogous. Let $\mathcal{A}_{\mathsf{SM}}$ be a real-world semi-malicious adversary corrupting $t$ clients and the server. Recall that for security, we only need to consider adversaries corrupting a subset $T$ of the parties $P_1, \ldots, P_N$ involved in the computation. Thus, we assume $t < N$, let $T \subseteq [N]$ be the set of corrupted clients, and let $\bar T = [N] \setminus T$.

We construct a simulator $\mathcal{S}_{\mathsf{SM}}$ as follows. The simulator receives the inputs of the corrupted parties, $\{x_i\}_{i \in T}$, and runs $\mathcal{A}_{\mathsf{SM}}$ on these inputs. It simulates the messages of all honest parties in the protocol execution with $\mathcal{A}_{\mathsf{SM}}$ by sampling all key tuples correctly, but encrypting $0$ instead of the honest input $x_i$ (which it does not know). In Step 3, it runs the simulator $\mathcal{S}^{\mathsf{SM}}_{\mathsf{DEC}}$ for the protocol $\Pi^{\mathsf{SM}}_{\mathsf{DEC}}$.

Step 1: For non-computing parties $i \in \{N+1, \ldots, U\}$ and for honest parties $i \in \bar T$, $\mathcal{S}_{\mathsf{SM}}$ computes $(\mathsf{pk}_i, \mathsf{sk}_i, \mathsf{ek}_i) \leftarrow \mathsf{Keygen}(1^\kappa)$ honestly and computes $c_i \leftarrow \mathsf{Enc}(\mathsf{pk}_i, 0)$. For each such party $P_i$, the simulator sends $(c_i, \mathsf{pk}_i, \mathsf{ek}_i)$ to $\mathcal{A}_{\mathsf{SM}}$ on behalf of $P_i$.

At the end of this round, it reads from $\mathcal{A}_{\mathsf{SM}}$'s witness tape the secret keys $\{\mathsf{sk}_i\}_{i \in T}$ and the inputs $\{x_i\}_{i \in T}$. The simulator sends these inputs to the trusted functionality $\mathcal{F}$ and receives the output $y = f(\tilde x_1, \ldots, \tilde x_N)$, where $\tilde x_i = x_i$ for honest inputs $i \in \bar T$.

Step 2: The simulator receives $c$ from $\mathcal{A}_{\mathsf{SM}}$ as the server's broadcast message.

Step 3: The simulator $\mathcal{S}_{\mathsf{SM}}$ runs the simulator $\mathcal{S}^{\mathsf{SM}}_{\mathsf{DEC}}$ for the decryption protocol (interacting with $\mathcal{A}_{\mathsf{SM}}$). When $\mathcal{S}^{\mathsf{SM}}_{\mathsf{DEC}}$ queries the ideal decryption functionality with secret keys $\{\widetilde{\mathsf{sk}}_i\}_{i \in T}$, $\mathcal{S}_{\mathsf{SM}}$ returns $y$.

Output: The simulator receives the output of the corrupted parties from $\mathcal{A}_{\mathsf{SM}}$, and returns these as its output.

Q 

We  prove  that  IDEALjf  :Ssm(x)  ~  REALnsM,^sM(.'c)  via  a  series  of  hybrids. 

Hybrid  0:  This  is  the  real-world  execution  of  the  protocol. 

Hybrid  1:  We  change  how  Step  3  is  performed.  Instead  of  executing  the  protocol  IIDECSM 
where  honest  parties  use  their  individual  secret  keys,  we  run  the  simulator  5™  (in¬ 
teracting  with  ASM).  When  <Sj^(E  cb161'!613  the  ideal  decryption  functionality  with  secret 

keys  <  skj  r  ,  we  return 
1  J  i£T 

V  =  <?c(ski, . . . ,  skjv)  =  Dec(ski, . . . ,  skN,  c) 

where  skj  =  skj  for  honest  secret  keys  i  £  T.  The  output  of  the  corrupted  parties  is 
defined  to  be  the  output  of  «S^  ,  and  the  output  of  the  honest  parties  is  defined  to  be 

y- 

We  claim  that  Hybrid  0  is  computationally  indistinguishable  from  Hybrid  1  by  the 
security  of  nDECSM.  Indeed,  the  security  of  the  decryption  protocol  nDECSM  guarantees 
that  as  long  as  we  correctly  emulate  the  ideal  decryption  functionality,  the  joint  output  of 
all  parties  is  computationally  indistinguishable  in  a  real-world  execution  of  the  protocol 
with  adversary  ASM  (Hybrid  0),  and  in  an  ideal- world  execution  of  the  protocol  with 
adversary  (Hybrid  1).  We  correctly  emulate  the  ideal  decryption  functionality,  by 

definition. 

Hybrid  2:  We  now  change  how  we  compute  y.  the  value  returned  to  the  simulator  when 
it  queries  the  decryption  ideal  functionality.  Instead  of  computing  y  =  gc(ski  , . . . ,  sk/v)  = 
Dec(ski, . . . ,  sk/v,  c),  we  instead  compute 

V  =  fix  i,  ...,xN) 

where  xt  =  Xj  for  honest  inputs  i  €  T,  and  where  for  corrupt  parties  i  £  T,  we  recover 
Xi  by  reading  ASM’s  witness  tape  at  the  end  of  Step  1. 

We  claim  that  Hybrid  1  and  Hybrid  2  are  identically  distributed.  The  adversary  ASM 
follows  the  protocol  as  specified,  so  in  particular,  it  performs  the  homomorphic  eval¬ 
uation  correctly.  By  correctness  of  multikey  evaluation  we  know  that  c  decrypts  to 
f(x\, . .  ■  ,xn)  when  decrypted  using  the  secret  keys  it  computed  in  Step  1,  {skj}ierv,; 
that  is,  Dec(ski, . . . ,  sk/v,  c)  =  f(x i, . . . ,  xn) 

Furthermore,  because  the  adversary  ASM  follows  the  protocol  as  specified,  we  know 
that  the  secret  keys  it  uses  in  Step  3  are  the  same  as  the^ones  it  computed  in  Step  1, 
i.e.  skj  =  skj  for  all  i  £  T.  We  conclude  that  Dec(ski, . . . ,  sk/v,  c)  =  f(x i, . . . ,  xn). 

Hybrids 3.k for $k = 1, \ldots, N - t$: Let $\overline{T} = \{i_1, \ldots, i_{N-t}\}$. In Hybrid 3.k we change $c_{i_k}$ so that instead of encrypting $x_{i_k}$ it now encrypts 0. More formally, in Hybrid 3.k we have:

$$ \{ c_{i_j} \leftarrow \mathrm{Enc}(\mathrm{pk}_{i_j}, 0) \}_{j \le k}, \qquad \{ c_{i_j} \leftarrow \mathrm{Enc}(\mathrm{pk}_{i_j}, x_{i_j}) \}_{j > k} $$

For ease of notation we let Hybrid 2 be Hybrid 3.0. We claim that the view of $\mathcal{A}^{\mathrm{SM}}$ in Hybrid 3.k is indistinguishable from its view in Hybrid 3.(k-1) by the semantic security of $\mathcal{E}$ under public key $\mathrm{pk}_{i_k}$. Indeed, now that we run the simulator $\mathcal{S}^{\mathrm{SM}}_{\Pi_{\mathrm{DEC}}}$ in Step 3 instead of the real decryption protocol, the secret key $\mathrm{sk}_{i_k}$ is no longer used anywhere, and the key pair of party $i_k$ is only used to encrypt $c_{i_k}$. So suppose, for the sake of contradiction, that there exists an algorithm $\mathcal{D}$ that distinguishes between Hybrids 3.k and 3.(k-1). We construct an adversary $\mathcal{B}$ that breaks the semantic security of $\mathcal{E}$ under public key $\mathrm{pk}_{i_k}$. The reduction $\mathcal{B}$ works as follows:

1. The reduction chooses arbitrary inputs $\{x_i\}$.

2. It receives $(\mathrm{pk}, \mathrm{ek})$ from the semantic security challenger and sets $\mathrm{pk}_{i_k} = \mathrm{pk}$ and $\mathrm{ek}_{i_k} = \mathrm{ek}$. It gives $m_0 = 0$ and $m_1 = x_{i_k}$ to the challenger, receives the challenge ciphertext $\mathrm{Enc}(\mathrm{pk}, m_b)$, and uses it as $c_{i_k}$. For all $i \in \overline{T}$, $i \ne i_k$, it computes $(\mathrm{pk}_i, \cdot, \mathrm{ek}_i) \leftarrow \mathrm{Keygen}(1^\kappa)$ honestly. For $j < k$ it computes $c_{i_j} \leftarrow \mathrm{Enc}(\mathrm{pk}_{i_j}, 0)$, and for $j > k$ it computes $c_{i_j} \leftarrow \mathrm{Enc}(\mathrm{pk}_{i_j}, x_{i_j})$.

3. The reduction runs $\mathcal{A}^{\mathrm{SM}}$: for all $i \in \overline{T}$ it gives $(\mathrm{pk}_i, \mathrm{ek}_i, c_i)$ to $\mathcal{A}^{\mathrm{SM}}$ on behalf of $P_i$, and receives the evaluated ciphertext $c$ from $\mathcal{A}^{\mathrm{SM}}$.

4. It reads from $\mathcal{A}^{\mathrm{SM}}$'s witness tape the inputs $\{\tilde{x}_i\}_{i \in T}$ and runs the simulator $\mathcal{S}^{\mathrm{SM}}_{\Pi_{\mathrm{DEC}}}$ (interacting with $\mathcal{A}^{\mathrm{SM}}$). When $\mathcal{S}^{\mathrm{SM}}_{\Pi_{\mathrm{DEC}}}$ queries the ideal decryption functionality, it returns $y = f(\tilde{x}_1, \ldots, \tilde{x}_N)$, where $\tilde{x}_i = x_i$ for honest inputs $i \in \overline{T}$.

5. The reduction then gives $\mathcal{D}$ the value $y$ as the output of all honest parties, as well as the output of $\mathcal{S}^{\mathrm{SM}}_{\Pi_{\mathrm{DEC}}}$.

6. Finally, $\mathcal{B}$ outputs the bit output by $\mathcal{D}$.

When $b = 0$, $\mathcal{B}$ perfectly emulates Hybrid 3.k, whereas if $b = 1$, $\mathcal{B}$ perfectly emulates Hybrid 3.(k-1). Therefore, if $\mathcal{D}$ can distinguish between Hybrids 3.k and 3.(k-1), then $\mathcal{B}$ can distinguish between an encryption of $m_0$ and an encryption of $m_1$, contradicting the semantic security of $\mathcal{E}$.

We have proved that the joint output in Hybrid 0 is computationally indistinguishable from the joint output in Hybrid 3.(N-t). But notice that the joint output in Hybrid 3.(N-t) is precisely $\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}^{\mathrm{SM}}}(\vec{x})$, and the joint output in Hybrid 0 is defined to be $\mathrm{REAL}_{\Pi^{\mathrm{SM}}, \mathcal{A}^{\mathrm{SM}}}(\vec{x})$.

We conclude that $\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}^{\mathrm{SM}}}(\vec{x}) \approx \mathrm{REAL}_{\Pi^{\mathrm{SM}}, \mathcal{A}^{\mathrm{SM}}}(\vec{x})$, as desired.

□


4.2 Achieving Security Against Malicious Adversaries

The protocol described in Section 4.1, though secure against semi-malicious adversaries, is not secure against fully malicious adversaries. We transform the protocol into one that is secure against malicious corruptions in three steps:

1. First, we replace the decryption protocol in Step 3 with one that is secure against malicious corruptions. More importantly, we change the function it computes to ensure that the secret key used in this protocol is consistent with the public and evaluation keys that the parties computed in Step 1.

2. Second, we add zero-knowledge proofs at each step in the protocol, following the AJW compiler [AJW11, AJL+12] (which is based on the GMW compiler [GMW87]).

3. Finally, in order to maintain the performance guarantees of the scheme, in Step 2 we replace the server's proof with a succinct argument (not necessarily ZK). This allows the server to prove that it correctly performed the homomorphic evaluation, and the clients to verify the validity of the proof in time that is significantly less than the size of the circuit.


The New Decryption Protocol. Our first step in handling malicious attacks is to replace the decryption protocol $\Pi_{\mathrm{DEC}}^{\mathrm{SM}}$ with one that is secure against malicious adversaries; we will denote it by $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$. The function being computed by this protocol also needs to change in order to guarantee that the secret key used by each party is consistent with its public and evaluation keys:

$$ g_{c, \mathrm{pk}_1, \mathrm{ek}_1, \ldots, \mathrm{pk}_N, \mathrm{ek}_N}\big((\mathrm{sk}_1, r_1), \ldots, (\mathrm{sk}_N, r_N)\big) \stackrel{\mathrm{def}}{=} \begin{cases} \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) & \text{if } (\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) = \mathrm{Keygen}(1^\kappa; r_i)\ \forall i \in [N] \\ \bot & \text{otherwise} \end{cases} $$

Intuitively, if the protocol outputs something other than $\bot$, then in particular every corrupt party $P_i$ "knows" a secret key $\mathrm{sk}_i$ that is consistent with its public and evaluation keys $(\mathrm{pk}_i, \mathrm{ek}_i)$. By correctness of decryption, this binds $P_i$ to the input $x_i = \mathrm{Dec}(\mathrm{sk}_i, c_i)$, which by semantic security of the FHE must be independent of the honest parties' inputs.

We remark that the proceedings version of this work [LTV12] does not change the decryption function, but instead adds to Step 1 a zero-knowledge proof $\pi^{\mathrm{GEN}}$ for the relation $R^{\mathrm{GEN}} = \{ ((\mathrm{pk}_i, \mathrm{ek}_i), (\mathrm{sk}_i, r_i)) \mid (\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) := \mathrm{Keygen}(1^\kappa; r_i) \}$. While this guarantees that the public and evaluation keys are well-formed, it does not guarantee that the secret key used in the decryption protocol in Step 3 is consistent with the public and evaluation keys $(\mathrm{pk}_i, \mathrm{ek}_i)$ created and used in Step 1. This allows a corrupt party to use a different secret key $\mathrm{sk}_i^*$ in Step 3 and potentially change the outcome of the decryption. We are therefore unable to prove security of that construction. However, the zero-knowledge proofs $\pi^{\mathrm{GEN}}$ can be required as an optimization, to guarantee that an honest server does not accept, store, or compute on ciphertexts that are encrypted under malformed keys (even though the outcome of any joint computation on such a ciphertext would not be decryptable using protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$).

Finally, we highlight the fact that the protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$ can be implemented using the cloud-assisted protocol of Asharov et al. [AJW11, AJL+12]. Jumping ahead, this yields a 5-round on-the-fly MPC protocol in the CRS model, secure against malicious corruptions of any $t < N$ parties and possibly the server.

Adding Zero-Knowledge Proofs. The second step in our transformation is to apply the AJW compiler [AJW11, AJL+12] (based on the GMW compiler [GMW87]) to the rest of the protocol (Steps 1 and 2), in order to ensure that parties do not deviate from the protocol specification. This entails having each party and the server compute a zero-knowledge proof at every round, proving that their message in that round is well-formed and consistent with the protocol transcript.

Because the well-formedness of the public and evaluation keys $(\mathrm{pk}_i, \mathrm{ek}_i)$ is checked in the decryption protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$, the parties do not need to compute a separate zero-knowledge proof for this statement (unless required for the optimization described above). Therefore, each party only needs to prove that its ciphertext $c_i$ is well-formed by providing a non-interactive zero-knowledge (NIZK) proof for the NP relation:

$$ R^{\mathrm{ENC}} = \{ ((\mathrm{pk}_i, c_i), (x_i, s_i)) \mid c_i = \mathrm{Enc}(\mathrm{pk}_i, x_i ; s_i) \} $$

We highlight the fact that the proof $\pi_i^{\mathrm{ENC}}$ must be non-interactive, for reasons that will become apparent shortly. Informally, this proof will either be broadcast by the server in Step 2 for all parties to verify, or it will be used as a witness in the proof of another NP relation. An interactive zero-knowledge proof would not be convincing in either of these cases, since a valid proof transcript can always be simulated without knowing a witness and without the use of any trapdoors.


Maintaining Performance Guarantees. Unfortunately, verifying a standard zero-knowledge proof for the server's computation in Step 2 requires time proportional to the size of the circuit. On the other hand, this computation is deterministic and public; indeed, anyone can verify the validity of the server's broadcast message by performing the homomorphic evaluation themselves, albeit by also computing in time proportional to the size of the circuit. We solve this problem by replacing the server's proof with a succinct argument (not necessarily ZK) that allows the server to prove that it correctly performed the homomorphic evaluation, and the clients to verify the validity of the proof in time that is significantly less than the size of the circuit. We offer several solutions, each with its own benefits and drawbacks.

Verification for Small Inputs: We first consider the case where the ciphertexts $(c_1, \ldots, c_N)$ are small enough to be broadcast to the $N$ parties in $V$, allowing communication complexity in the online phase to be linear in the total input size of the participating parties. In this case, the server will broadcast all ciphertexts and proofs $\{c_i, \pi_i^{\mathrm{ENC}}\}_{i \in [N]}$, the evaluated ciphertext $c$, and a succinct argument $\varphi$ showing that it performed the homomorphic evaluation correctly. The server needs to convince the participating parties that "$c = \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N))$", i.e., that a deterministic circuit of size $\mathrm{poly}(|C|, \kappa)$ accepts. For any uniform circuit $C$ (i.e., computable by a $\mathrm{poly}(\kappa)$-time Turing machine), the following offer $\mathrm{poly}(\kappa, \log|C|)$ communication and verification efficiency.¹¹

1. Use the argument system of Kilian [Kil92, Kil95], yielding interactive 4-round verification. It relies on expensive PCPs.

2. Use the succinct non-interactive arguments (SNARGs and SNARKs) of Micali [Mic94], Bitansky et al. [BCCT12, BCCT13] or Goldwasser et al. [GLR11] (see Section 2.3). These are non-interactive¹² but are secure only in the random oracle model [BR93] (in the case of CS proofs), or hold in the standard model but require a non-falsifiable assumption [Nao03]. Some variants rely on PCPs, PIR or FHE.

In case the evaluation circuit is in logspace-uniform NC, we have another alternative:

3. Use the argument system of Goldwasser et al. [GKR08] for a 1-round solution¹³. It relies on PIR.

¹¹ For any given family of $C$, $|C| = \mathrm{poly}(\kappa)$, and thus $\mathrm{poly}(\kappa, \log|C|) = \mathrm{poly}(\kappa)$; but the degree of this polynomial depends on the circuit family.

¹² In our protocol, each party can run $\mathrm{Gen}$ in Step 1 and send the vrs to the server in that step. Or, in the case of CS proofs, where only a description of a hash function is required, this can be added to the CRS of the protocol.

Unfortunately, we are unable to use verifiable computation protocols in the pre-processing model (e.g. [GGP10, CKV10, AIK10]) or SNARGs/SNARKs where the CRS depends on the circuit to be computed or where its size is at least as big as the computation, e.g. [Gro10, Lip12, GGPR13, PHGR13, Lip13]. These require the clients to participate in a pre-processing phase where their computation is proportional to the size of the circuit, violating the performance requirements of on-the-fly MPC. Moreover, with this pre-processing step the model loses its dynamic nature, where users can compute many different functions on their inputs and can choose these functions dynamically, "on-the-fly". Indeed, using these solutions would limit the parties to only compute functions for which they have already performed the corresponding pre-processing work or computed the corresponding CRS.

Verification for Large Inputs: We can make the communication and verification complexities depend merely polylogarithmically on the size of the relevant inputs $x_1, \ldots, x_N$. This requires a succinct argument system that is a proof of knowledge. This is satisfied by Micali's construction of CS proofs under Valiant's analysis [Mic94, Val08], and by SNARKs [BCCT12, BCCT13]. The complexity of these arguments depends polynomially on the size of the statement being proven, but merely polylogarithmically on the size of the witness for the statement. We thus move $c_i$ from the instance into the witness. To recognize the correct $c_i$, each party $P_i$ remembers the digest of $c_i$ under a collision-resistant hash function family $\mathcal{H} = \{H_{\mathrm{hk}} : \{0,1\}^* \to \{0,1\}^\kappa\}$.

In the offline stage, every party $P_i$ samples a hash key $\mathrm{hk}_i$ and computes the digest $d_i = H_{\mathrm{hk}_i}(c_i)$. Party $P_i$ then sends $(c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i)$ to the cloud. Each party $P_i$ remembers its own $(\mathrm{hk}_i, d_i)$ pair but can forget the potentially long $x_i, c_i, \pi_i^{\mathrm{ENC}}$. In the online stage, the server broadcasts $(\mathrm{hk}_1, d_1), \ldots, (\mathrm{hk}_N, d_N)$ and proves the following NP statement: "there exist $c_1, \pi_1^{\mathrm{ENC}}, \ldots, c_N, \pi_N^{\mathrm{ENC}}$ such that $d_i = H_{\mathrm{hk}_i}(c_i)$ and $c = \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N))$ and $\pi_i^{\mathrm{ENC}}$ is a valid proof".

The construction is secure since, whenever the server convinces the clients, it actually "knows" such $c_1, \pi_1^{\mathrm{ENC}}, \ldots, c_N, \pi_N^{\mathrm{ENC}}$, which can be efficiently extracted from the server (by the arguments' proof-of-knowledge property). For an honest party, the extracted $c_i$ must be the one originally sent by the party (by the collision-resistance of $\mathcal{H}$). For a corrupt party, the extracted $c_i$ must be a valid ciphertext (by the soundness of $\pi^{\mathrm{ENC}}$), and its plaintext can be efficiently extracted using the secret key used by $P_i$ in the decryption protocol in Step 3.

¹³ The protocol has 2 rounds, but (as in the case of SNARGs and SNARKs) the first round is a challenge that is independent of the language and the statement, and can therefore be precomputed by the clients in Step 1 of our protocol. Each challenge can only be used for one proof, so the client must refresh the challenge after each computation.

4.2.1 Formal Protocol

We now write a formal description of our construction of on-the-fly MPC, secure against malicious adversaries, and providing correct verification for large inputs. Our construction requires the following building blocks:

• A semantically-secure multikey fully-homomorphic family of encryption schemes $\mathcal{E} = \{\mathcal{E}^{(N)} = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})\}_{N}$.

• A family of collision-resistant hash functions $\mathcal{H} = \{H_{\mathrm{hk}} : \{0,1\}^* \to \{0,1\}^\kappa\}_{\mathrm{hk}}$.

• A NIZK argument system $\Pi^{\mathrm{ENC}} = (\mathrm{Setup}^{\mathrm{ENC}}, \mathrm{Prove}^{\mathrm{ENC}}, \mathrm{Verify}^{\mathrm{ENC}}, \mathrm{Sim}^{\mathrm{ENC}})$ for the NP relation $R^{\mathrm{ENC}} = \{ ((\mathrm{pk}, c), (x, s)) \mid c = \mathrm{Enc}(\mathrm{pk}, x ; s) \}$.

• An adaptively extractable SNARK system $\Phi = (\mathrm{Setup}^{\Phi}, \mathrm{Prove}^{\Phi}, \mathrm{Verify}^{\Phi}, \mathrm{Ext}^{\Phi})$ for all of NP.

• An $N$-party MPC protocol, secure against malicious adversaries corrupting $t < N$ parties, for computing the family of decryption functions

$$ g_{c, \mathrm{pk}_1, \mathrm{ek}_1, \ldots, \mathrm{pk}_N, \mathrm{ek}_N}\big((\mathrm{sk}_1, r_1), \ldots, (\mathrm{sk}_N, r_N)\big) \stackrel{\mathrm{def}}{=} \begin{cases} \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) & \text{if } (\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) = \mathrm{Keygen}(1^\kappa; r_i)\ \forall i \in [N] \\ \bot & \text{otherwise} \end{cases} $$

The protocol is defined as follows:

Input: All parties and the server receive as input the common reference string $\mathrm{crs}^{\mathrm{ENC}}$ for the NIZK proof system $\Pi^{\mathrm{ENC}}$. If CS proofs are used as the SNARK system, the (description of the) random-oracle hash function is also given to all parties and the server.

Step 1: For $i \in [U]$, party $P_i$ samples a key tuple $(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i)$, encrypts its input $x_i$, and computes a NIZK showing that the ciphertext is well-formed:

$$ (\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) := \mathrm{Keygen}(1^\kappa ; r_i), \qquad c_i := \mathrm{Enc}(\mathrm{pk}_i, x_i ; s_i) $$

$$ \pi_i^{\mathrm{ENC}} \leftarrow \mathrm{Prove}^{\mathrm{ENC}}\big((\mathrm{pk}_i, c_i), (x_i, s_i)\big) $$

It also samples a hash key $\mathrm{hk}_i$ and computes the digest of the ciphertext: $d_i = H_{\mathrm{hk}_i}(c_i)$. It additionally creates a verification reference string and private verification key: $(\mathrm{vrs}_i, \mathrm{priv}_i) \leftarrow \mathrm{Setup}^{\Phi}(1^\kappa)$.

Party $P_i$ sends the tuple $(\mathrm{pk}_i, \mathrm{ek}_i, c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i, \mathrm{vrs}_i)$ to the server, who verifies all proofs $\{\pi_i^{\mathrm{ENC}}\}_{i \in [U]}$.

From this point forward, party $P_i$ can forget its (potentially long) input $x_i$, ciphertext $c_i$, and proof $\pi_i^{\mathrm{ENC}}$. It need only remember its secret key and key-generation randomness $(\mathrm{sk}_i, r_i)$, the hash key and digest $(\mathrm{hk}_i, d_i)$, and its private verification key $\mathrm{priv}_i$.

A function $F$, represented as a circuit $C$, is now selected on inputs $\{x_i\}_{i \in V}$ for some $V \subseteq [U]$. Let $N = |V|$. For ease of notation, we assume w.l.o.g. that $V = [N]$.

Step 2: The server $S$ computes $c := \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N))$ and creates succinct arguments $\{\varphi_i\}_{i \in [N]}$ for the NP language

$$ L = \Big\{ \{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]} \;\Big|\; \exists\, (c_1, \pi_1^{\mathrm{ENC}}), \ldots, (c_N, \pi_N^{\mathrm{ENC}}) \text{ such that } d_i = H_{\mathrm{hk}_i}(c_i) \text{ and } \mathrm{Verify}^{\mathrm{ENC}}\big((\mathrm{pk}_i, c_i), \pi_i^{\mathrm{ENC}}\big) = 1 \text{ and } c = \mathrm{Eval}(C, (c_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (c_N, \mathrm{pk}_N, \mathrm{ek}_N)) \Big\} $$

To compute $\varphi_i$, the server uses the verification reference string $\mathrm{vrs}_i$. If CS proofs are used as the SNARK system, the server need only compute a single proof $\varphi$ that can be verified by all.

The server broadcasts $(c, \varphi_1, \ldots, \varphi_N)$ to all parties $P_1, \ldots, P_N$, together with the tuple $\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}$.

Step 3: Party $P_i$ runs $\mathrm{Verify}^{\Phi}(\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}, \varphi_i)$ to verify the argument $\varphi_i$. If verification is successful for all parties, they run an MPC protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$ to compute the function

$$ g_{c, \mathrm{pk}_1, \mathrm{ek}_1, \ldots, \mathrm{pk}_N, \mathrm{ek}_N}\big((\mathrm{sk}_1, r_1), \ldots, (\mathrm{sk}_N, r_N)\big) \stackrel{\mathrm{def}}{=} \begin{cases} \mathrm{Dec}(\mathrm{sk}_1, \ldots, \mathrm{sk}_N, c) & \text{if } (\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) = \mathrm{Keygen}(1^\kappa; r_i)\ \forall i \in [N] \\ \bot & \text{otherwise} \end{cases} $$
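The key-consistency check inside $g$ (defined above and again in Step 3) and the digest a party keeps in Step 1 are the two mechanisms this section adds; the following is an added illustration, not code from the paper or the LTV project. It models them with a toy multikey scheme (ElGamal-style encryption in a small prime-order group with one key per party and a product circuit, no evaluation key) and HMAC-SHA256 standing in for the hash family $\mathcal{H}$; the NIZK and SNARK layers are not modelled. It shows why the remark above matters: with plain $\mathrm{Dec}$, a party that feeds a different secret key into Step 3 silently changes the output, while $g$ re-runs $\mathrm{Keygen}(1^\kappa; r_i)$ and returns $\bot$.

```python
"""Toy model of the key-consistency check built into the decryption function g.

Constructed example (not code from the LTV paper).  The "multikey" scheme is a
toy: ElGamal-style encryption in the order-Q subgroup of Z_P^*, one key pair per
party, with the evaluated ciphertext keeping one g^{s_i} per party so that
decryption needs every sk_i.  Eval multiplies, so f(x_1..x_N) = prod x_i mod P.
Assumptions: no evaluation key ek_i (the toy scheme has none), HMAC-SHA256
stands in for the hash family H_hk, and the NIZK/SNARK layers are not modelled.
"""
import hashlib
import hmac
import secrets
from math import prod

P = 1019   # safe prime, P = 2*Q + 1
Q = 509
G = 4      # 2^2, so G generates the order-Q subgroup of quadratic residues


def keygen(r: bytes):
    """Keygen(1^k; r): fully determined by r, so a submitted (sk_i, r_i) can be
    checked by re-running Keygen and comparing with the published pk_i."""
    sk = int.from_bytes(hashlib.sha256(b"keygen" + r).digest(), "big") % (Q - 1) + 1
    return pow(G, sk, P), sk


def enc(pk: int, x: int, s: int):
    """Enc(pk, x; s) with encryption randomness s in [1, Q-1]."""
    return (pow(G, s, P), x * pow(pk, s, P) % P)


def eval_product(cts):
    """Multikey Eval for the product circuit: keep every g^{s_i}, multiply the
    masked messages.  The result grows with N, as LTV ciphertexts do."""
    return ([a for a, _ in cts], prod(b for _, b in cts) % P)


def dec(sks, c):
    """Dec(sk_1..sk_N, c): strip each party's mask, pk_i^{s_i} = (g^{s_i})^{sk_i}."""
    heads, body = c
    mask = 1
    for a, sk in zip(heads, sks):
        mask = mask * pow(a, sk, P) % P
    return body * pow(mask, -1, P) % P


def g_dec(c, pks, pairs):
    """g_{c,pk_1..pk_N}((sk_1,r_1),...,(sk_N,r_N)) from Section 4.2: output
    Dec(...) only if every (pk_i, sk_i) is exactly Keygen(1^k; r_i), else None (⊥)."""
    for pk, (sk, r) in zip(pks, pairs):
        if keygen(r) != (pk, sk):
            return None
    return dec([sk for sk, _ in pairs], c)


def digest(hk: bytes, c) -> bytes:
    """H_hk(c_i): the short value a party keeps after forgetting c_i itself."""
    return hmac.new(hk, repr(c).encode(), hashlib.sha256).digest()


def demo(n: int = 3):
    """One run of Steps 1-3, honestly and with party 0 swapping its secret key
    in Step 3.  Returns the values the section's argument turns on."""
    # Step 1 (offline): keys from randomness r_i, encrypt x_i, keep (sk_i, r_i, hk_i, d_i).
    inputs = [pow(3 + i, 2, P) for i in range(n)]            # squares: elements of QR_P
    rs = [secrets.token_bytes(16) for _ in range(n)]
    keys = [keygen(r) for r in rs]
    pks = [pk for pk, _ in keys]
    cts = [enc(pk, x, secrets.randbelow(Q - 1) + 1) for (pk, _), x in zip(keys, inputs)]
    hks = [secrets.token_bytes(16) for _ in range(n)]
    ds = [digest(hk, ct) for hk, ct in zip(hks, cts)]
    # Step 2 (online): the server evaluates; when it later exhibits the c_i it used,
    # each party recognises its own ciphertext by the digest it kept.
    c = eval_product(cts)
    digests_ok = all(digest(hk, ct) == d for hk, ct, d in zip(hks, cts, ds))
    # Step 3: honest keys and randomness pass the consistency check.
    honest_pairs = [(sk, r) for (_, sk), r in zip(keys, rs)]
    honest = g_dec(c, pks, honest_pairs)
    # Party 0 submits a different secret key sk* (the deviation the remark describes).
    bad_pairs = [((sk + 1) % Q, r) if i == 0 else (sk, r) for i, (sk, r) in enumerate(honest_pairs)]
    naive = dec([sk for sk, _ in bad_pairs], c)   # plain Dec: wrong output, undetected
    gated = g_dec(c, pks, bad_pairs)               # g: Keygen(1^k; r_0) != (pk_0, sk*), so ⊥
    return {"expected": prod(inputs) % P, "honest": honest, "digests_ok": digests_ok,
            "naive": naive, "gated": gated}


if __name__ == "__main__":
    print(demo())
```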

4.2.2 Proof of Security

Theorem 4.2. Let $\mathcal{E}$, $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$, $\mathcal{H}$, $\Pi^{\mathrm{ENC}}$, $\Phi$ be as described in Section 4.2.1. Then the above construction is an on-the-fly MPC protocol secure against malicious adversaries corrupting $t < N$ parties and possibly the server $S$.

Proof. We prove that the protocol is correct and secure, and that it satisfies the performance requirements of an on-the-fly protocol.

Correctness: Correctness follows directly from the correctness properties of homomorphic evaluation and the decryption MPC protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$.

Performance: The zero-knowledge proofs $\pi_i^{\mathrm{ENC}}$ are independent of $C$, and the size of $c$ is independent of $|C|$ by compactness of homomorphic evaluation. Moreover, the proof $\varphi$ has size polylogarithmic in $|C|$, and its verification depends only polylogarithmically on the size of the ciphertexts $c_i$ (and therefore polylogarithmically on the size of the inputs $x_i$ as well). Thus, the communication complexity of the protocol is polylogarithmic in $|C|$, and the computation time of each party $P_i$ is at most polylogarithmic in $|C|$ and the total size of the inputs, and polynomial in $\kappa$ and its input $x_i$.

Security: We show security for the case when the server is corrupted; the case when the server is honest is analogous. Let $\mathcal{A}^{\mathrm{MAL}}$ be a real-world malicious adversary corrupting $t$ clients and the server. Recall that for security, we only need to consider adversaries corrupting a subset $T$ of the parties $P_1, \ldots, P_N$ involved in the computation. Thus, we assume $t < N$, let $T \subset [N]$ be the set of corrupted clients, and let $\overline{T} = [N] \setminus T$.

We construct a simulator $\mathcal{S}^{\mathrm{MAL}}$ as follows. The simulator receives the inputs of the corrupted parties $\{x_i\}_{i \in T}$ and runs $\mathcal{A}^{\mathrm{MAL}}$ on these inputs. It simulates the messages for all honest parties in the protocol execution with $\mathcal{A}^{\mathrm{MAL}}$. In Step 1, it samples all key tuples correctly, but encrypts 0 instead of the honest input $x_i$ (which it doesn't know), and computes simulated proofs $\pi_i^{\mathrm{ENC}}$. In Step 2, it fixes an honest party $h$ and extracts the witness $\{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]}$ of the argument $\varphi_h$. For all corrupted parties $i \in T$, the simulator extracts the corrupted input $\tilde{x}_i$ from the proof $\tilde{\pi}_i^{\mathrm{ENC}}$, submits these to the ideal functionality $\mathcal{F}$, and obtains an output $y$. In Step 3, it runs the simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ for the protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$, returning $y$ when it calls the ideal decryption functionality. More formally:
Step 1: The simulator creates the CRS for the NIZK $\Pi^{\mathrm{ENC}}$, together with a trapdoor key and an extraction key:

$$ (\mathrm{crs}^{\mathrm{ENC}}, \mathrm{tk}^{\mathrm{ENC}}, \mathrm{extk}^{\mathrm{ENC}}) \leftarrow \mathrm{Setup}^{\mathrm{ENC}}(1^\kappa) $$

For non-computing parties $i \in \{N+1, \ldots, U\}$ and for honest parties $i \in \overline{T}$, the simulator computes $(\mathrm{pk}_i, \cdot, \mathrm{ek}_i) \leftarrow \mathrm{Keygen}(1^\kappa)$ and samples $\mathrm{hk}_i$ honestly. The simulator also runs the verification setup honestly: $(\mathrm{vrs}_i, \mathrm{priv}_i) \leftarrow \mathrm{Setup}^{\Phi}(1^\kappa)$.

The simulator computes an encryption of 0 and simulated zero-knowledge proofs:

$$ c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, 0), \qquad \pi_i^{\mathrm{ENC}} \leftarrow \mathrm{Sim}\big(\mathrm{tk}^{\mathrm{ENC}}, (\mathrm{pk}_i, c_i)\big) $$

It computes the digest $d_i = H_{\mathrm{hk}_i}(c_i)$ honestly. For each party $P_i$, $\mathcal{S}^{\mathrm{MAL}}$ sends $(\mathrm{pk}_i, \mathrm{ek}_i, c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i, \mathrm{vrs}_i)$ to $\mathcal{A}^{\mathrm{MAL}}$ on behalf of $P_i$.

Step 2: The simulator receives $(c, \varphi_1, \ldots, \varphi_N)$ from $\mathcal{A}^{\mathrm{MAL}}$, together with the tuples $\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}$. The simulator verifies $\varphi_i$ for all honest parties $i \in \overline{T}$ and, for a fixed honest party $h \in \overline{T}$, uses the SNARK extractor to extract the witness $\{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]}$ from $\varphi_h$:

$$ \{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]} \leftarrow \mathrm{Ext}^{\Phi}\big(\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}, \varphi_h\big) $$

It outputs $\bot$ if, for any $i \in [N]$, verification fails for $\varphi_i$ or $\tilde{\pi}_i^{\mathrm{ENC}}$, or if $d_i \ne H_{\mathrm{hk}_i}(\tilde{c}_i)$. It also outputs $\bot$ if $c \ne \mathrm{Eval}(C, (\tilde{c}_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (\tilde{c}_N, \mathrm{pk}_N, \mathrm{ek}_N))$, or if $\tilde{c}_i \ne c_i$ for some honest $i \in \overline{T}$.

Step 3: The simulator runs the decryption simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ for protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$ (interacting with $\mathcal{A}^{\mathrm{MAL}}$). When $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ queries the ideal decryption functionality with secret key and randomness pairs $\{(\widetilde{\mathrm{sk}}_i, \tilde{r}_i)\}_{i \in T}$, the simulator checks that $\mathrm{Keygen}(1^\kappa ; \tilde{r}_i) = (\mathrm{pk}_i, \widetilde{\mathrm{sk}}_i, \mathrm{ek}_i)$ for all $i \in T$. If the check fails, it outputs $\bot$. Otherwise, it decrypts $\tilde{c}_i$ with the secret key $\widetilde{\mathrm{sk}}_i$ to obtain the corrupted input $\tilde{x}_i$ (if $\mathrm{Dec}(\widetilde{\mathrm{sk}}_i, \tilde{c}_i) = \bot$, it returns $\bot$):

$$ \tilde{x}_i := \mathrm{Dec}(\widetilde{\mathrm{sk}}_i, \tilde{c}_i) $$

Finally, it submits inputs $\{\tilde{x}_i\}_{i \in T}$ to the ideal functionality $\mathcal{F}$, and obtains output $y = f(\tilde{x}_1, \ldots, \tilde{x}_N)$, where $\tilde{x}_i = x_i$ for honest parties $i \in \overline{T}$. It returns $y$ to the simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$.

Output: The simulator receives the output of the corrupted parties from $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$, and returns these as its output.


We prove that $\mathrm{IDEAL}_{\mathcal{F}, \mathcal{S}^{\mathrm{MAL}}}(\vec{x}) \approx \mathrm{REAL}_{\Pi^{\mathrm{MAL}}, \mathcal{A}^{\mathrm{MAL}}}(\vec{x})$ via a hybrid argument.

Hybrid 0: This is a real-world execution of the protocol.

Hybrid 1: We change how Step 3 is performed. Instead of executing the protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$, where honest parties use their individual secret keys, we run the simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ (interacting with $\mathcal{A}^{\mathrm{MAL}}$). When $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ queries the ideal decryption functionality with secret keys and randomness $\{(\widetilde{\mathrm{sk}}_i, \tilde{r}_i)\}_{i \in T}$, we return

$$ y = g_{c, \mathrm{pk}_1, \mathrm{ek}_1, \ldots, \mathrm{pk}_N, \mathrm{ek}_N}\big((\widetilde{\mathrm{sk}}_1, \tilde{r}_1), \ldots, (\widetilde{\mathrm{sk}}_N, \tilde{r}_N)\big) $$

where $\widetilde{\mathrm{sk}}_i = \mathrm{sk}_i$ and $\tilde{r}_i = r_i$ for honest parties $i \in \overline{T}$. We define the output of the corrupted parties to be the output of $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$, and the output of the honest parties to be $y$.

We claim that Hybrid 0 is computationally indistinguishable from Hybrid 1 by the security of $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$. Indeed, the security of the decryption protocol $\Pi_{\mathrm{DEC}}^{\mathrm{MAL}}$ guarantees that, as long as we correctly emulate the ideal decryption functionality, the joint output of all parties is computationally indistinguishable in a real-world execution of the protocol with adversary $\mathcal{A}^{\mathrm{MAL}}$ (Hybrid 0) and in an ideal-world execution of the protocol with adversary $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ (Hybrid 1). We correctly emulate the ideal decryption functionality by definition.

Hybrid 2: Hybrid 2 is the same as Hybrid 1 except that we use the extractor $\mathrm{Ext}^{\Phi}$ to extract a witness $\{(\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}})\}_{i \in [N]}$ from $\varphi_h$:

$$ \{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]} \leftarrow \mathrm{Ext}^{\Phi}\big(\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}, \varphi_h\big) $$

We define the output of the protocol to be $\bot$ if, for any $i \in [N]$, verification fails for $\tilde{\pi}_i^{\mathrm{ENC}}$ or $d_i \ne H_{\mathrm{hk}_i}(\tilde{c}_i)$. We also output $\bot$ if $c \ne \mathrm{Eval}(C, (\tilde{c}_1, \mathrm{pk}_1, \mathrm{ek}_1), \ldots, (\tilde{c}_N, \mathrm{pk}_N, \mathrm{ek}_N))$, where $c$ is the ciphertext returned by $\mathcal{A}^{\mathrm{MAL}}$ in Step 2. By the adaptive extractability property of $\Phi$, we know that this event happens with negligible probability. Therefore, Hybrid 1 and Hybrid 2 are statistically close.

Note that we require $\Phi$ to satisfy adaptive extractability because the adversary is free to choose the statement of the proof after it sees $\mathrm{vrs}_h$.

Hybrid 3: In Hybrid 3, we additionally let the output of the protocol be $\bot$ if $\tilde{c}_i \ne c_i$ for any honest $i \in \overline{T}$.

We claim that Hybrids 2 and 3 are statistically close by the collision-resistance of $\mathcal{H}$. Indeed, Hybrids 2 and 3 are identical except in the case when all previous checks pass but there exists $j \in \overline{T}$ such that $\tilde{c}_j \ne c_j$. Let $\epsilon$ be the probability, conditioned on all other checks passing, that there exists such a $j \in \overline{T}$. Suppose, for the sake of contradiction, that $\epsilon$ is non-negligible. Then we construct an adversary $\mathcal{B}$ that breaks the collision-resistance of $\mathcal{H}$. The reduction $\mathcal{B}$ works as follows:

1. The reduction chooses arbitrary inputs $\{x_i\}$.

2. It creates the NIZK CRS honestly: $(\mathrm{crs}^{\mathrm{ENC}}, \cdot) \leftarrow \mathrm{Setup}^{\mathrm{ENC}}(1^\kappa)$, and runs $\mathcal{A}^{\mathrm{MAL}}$ on inputs $\{x_i\}_{i \in T}$ and $\mathrm{crs}^{\mathrm{ENC}}$ as the CRS.

3. For all non-computing parties and honest parties, it samples key tuples $(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) \leftarrow \mathrm{Keygen}(1^\kappa)$ and encrypts the input correctly: $c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, x_i ; s_i)$. It creates honest proofs $\pi_i^{\mathrm{ENC}} \leftarrow \mathrm{Prove}^{\mathrm{ENC}}\big((\mathrm{pk}_i, c_i), (x_i, s_i)\big)$. It also runs the verification setup honestly to generate a verification reference string $(\mathrm{vrs}_i, \cdot) \leftarrow \mathrm{Setup}^{\Phi}(1^\kappa)$.

4. When it receives a hash key $\mathrm{hk}$ from the collision-resistance challenger, the reduction guesses an honest index $i^* \in \overline{T}$ uniformly at random and sets $\mathrm{hk}_{i^*} = \mathrm{hk}$. For all other $i \ne i^*$, it samples $\mathrm{hk}_i$ honestly. Finally, for all non-computing and honest parties, it computes the digest $d_i = H_{\mathrm{hk}_i}(c_i)$.

5. It sends $\{\mathrm{pk}_i, \mathrm{ek}_i, c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i\}_{i \in \overline{T}}$ to $\mathcal{A}^{\mathrm{MAL}}$.

6. When it receives a ciphertext $c$ and proofs $\varphi_1, \ldots, \varphi_N$ from $\mathcal{A}^{\mathrm{MAL}}$, along with the set $\{\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i\}$, it runs the extractor

$$ \{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]} \leftarrow \mathrm{Ext}^{\Phi}\big(\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}, \varphi_h\big) $$

7. Finally, it submits $c_{i^*}$ and $\tilde{c}_{i^*}$ to the collision-resistance challenger as its collision.

If all previous checks pass, then in both hybrids we have that $H_{\mathrm{hk}_j}(c_j) = H_{\mathrm{hk}_j}(\tilde{c}_j) = d_j$. Therefore the probability that $\mathcal{B}$ submits a valid collision to the collision challenger is $\epsilon / |\overline{T}|$. If $\epsilon$ is non-negligible, then $\mathcal{B}$ breaks the collision-resistance property of the hash family $\mathcal{H}$.

Hybrid 4: In Hybrid 4, we additionally let the output of the protocol be $\bot$ if $\mathrm{Dec}(\widetilde{\mathrm{sk}}_i, \tilde{c}_i) = \bot$ for any corrupt $i \in T$, where $\widetilde{\mathrm{sk}}_i$ is the secret key output by the decryption protocol simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ and $\tilde{c}_i$ is extracted from the succinct argument $\varphi_h$, as in Hybrids 2 and 3.

We claim that Hybrids 3 and 4 are statistically close by the soundness of the NIZK $\Pi^{\mathrm{ENC}}$. Indeed, Hybrids 3 and 4 are identical except in the case when all previous checks pass but there exists $j \in T$ such that $\mathrm{Dec}(\widetilde{\mathrm{sk}}_j, \tilde{c}_j) = \bot$. By correctness of decryption, this happens if and only if there is no $(x_j, s_j)$ such that $\mathrm{Enc}(\mathrm{pk}_j, x_j ; s_j) = \tilde{c}_j$, or in other words, if $(\mathrm{pk}_j, \tilde{c}_j) \notin L^{\mathrm{ENC}}$. Let $\epsilon$ be the probability, conditioned on all other checks passing, that there exists an index $j \in T$ such that $(\mathrm{pk}_j, \tilde{c}_j) \notin L^{\mathrm{ENC}}$. Suppose, for the sake of contradiction, that $\epsilon$ is non-negligible. Then we construct an adversary $\mathcal{B}$ that breaks the soundness of $\Pi^{\mathrm{ENC}}$. The reduction $\mathcal{B}$ works as follows:

1. The reduction chooses arbitrary inputs $\{x_i\}$.

2. It receives the CRS from the soundness challenger, and runs $\mathcal{A}^{\mathrm{MAL}}$ on inputs $\{x_i\}_{i \in T}$ and the CRS.

3. For all non-computing parties and honest parties, it samples key tuples $(\mathrm{pk}_i, \mathrm{sk}_i, \mathrm{ek}_i) \leftarrow \mathrm{Keygen}(1^\kappa)$ and encrypts the input correctly: $c_i \leftarrow \mathrm{Enc}(\mathrm{pk}_i, x_i ; s_i)$. It creates honest proofs $\pi_i^{\mathrm{ENC}} \leftarrow \mathrm{Prove}^{\mathrm{ENC}}\big((\mathrm{pk}_i, c_i), (x_i, s_i)\big)$. It also runs the verification setup honestly to generate a verification reference string $(\mathrm{vrs}_i, \cdot) \leftarrow \mathrm{Setup}^{\Phi}(1^\kappa)$.

4. It samples $\mathrm{hk}_i$ honestly and computes the digest $d_i = H_{\mathrm{hk}_i}(c_i)$.

5. It sends $\{\mathrm{pk}_i, \mathrm{ek}_i, c_i, \pi_i^{\mathrm{ENC}}, \mathrm{hk}_i, d_i\}_{i \in \overline{T}}$ to $\mathcal{A}^{\mathrm{MAL}}$.

6. When it receives a ciphertext $c$ and proofs $\varphi_1, \ldots, \varphi_N$ from $\mathcal{A}^{\mathrm{MAL}}$, along with the set $\{\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i\}$, it runs the extractor

$$ \{\tilde{c}_i, \tilde{\pi}_i^{\mathrm{ENC}}\}_{i \in [N]} \leftarrow \mathrm{Ext}^{\Phi}\big(\{(\mathrm{pk}_i, \mathrm{ek}_i, \mathrm{hk}_i, d_i)\}_{i \in [N]}, \varphi_h\big) $$

7. It runs the simulator $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ (interacting with $\mathcal{A}^{\mathrm{MAL}}$). When $\mathcal{S}^{\mathrm{MAL}}_{\Pi_{\mathrm{DEC}}}$ queries the ideal decryption functionality with secret key and randomness pairs $\{(\widetilde{\mathrm{sk}}_i, \tilde{r}_i)\}_{i \in T}$, it checks that $(\mathrm{pk}_i, \widetilde{\mathrm{sk}}_i, \mathrm{ek}_i) = \mathrm{Keygen}(1^\kappa ; \tilde{r}_i)$ for all $i \in [N]$. If this check fails, it returns $\bot$. Otherwise, it chooses a corrupt $i^* \leftarrow T$ uniformly at random and submits $\tilde{\pi}_{i^*}^{\mathrm{ENC}}$ as its proof forgery.

If all previous checks pass, then in both hybrids we have that $\mathrm{Verify}^{\mathrm{ENC}}\big((\mathrm{pk}_i, \tilde{c}_i), \tilde{\pi}_i^{\mathrm{ENC}}\big) = 1$ for all $i \in [N]$ (see Hybrid 2). Therefore, the probability that $\mathcal{B}$ submits a valid forgery to the soundness challenger is $\epsilon / |T|$. If $\epsilon$ is non-negligible, then $\mathcal{B}$ breaks the soundness property of the NIZK $\Pi^{\mathrm{ENC}}$.


Hybrid 5: We now change how we compute $y$, the value returned to the simulator when it queries the decryption ideal functionality. Instead of computing
$$y = g_{\hat c, \mathsf{pk}_1, \mathsf{ek}_1, \dots, \mathsf{pk}_N, \mathsf{ek}_N}\big((\hat{\mathsf{sk}}_1, r_1), \dots, (\hat{\mathsf{sk}}_N, r_N)\big),$$
we first check if $(\mathsf{pk}_i, \hat{\mathsf{sk}}_i, \mathsf{ek}_i) = \mathsf{Keygen}(1^\kappa; r_i)$ for all $i \in T$. If this check fails, we return $\bot$; otherwise we decrypt each malicious $\hat c_i$ and evaluate $f$ on the resulting inputs:
$$y = \begin{cases} f(\hat x_1, \dots, \hat x_N) & \text{if } (\mathsf{pk}_i, \hat{\mathsf{sk}}_i, \mathsf{ek}_i) = \mathsf{Keygen}(1^\kappa; r_i)\ \ \forall i \in T \\ \bot & \text{otherwise} \end{cases}$$
where $\hat x_i := \mathsf{Dec}(\hat{\mathsf{sk}}_i, \hat c_i)$ for $i \in T$ and $\hat x_i = x_i$ for $i \notin T$.

We claim that Hybrid 5 and Hybrid 4 are statistically close. In the case when $(\mathsf{pk}_i, \hat{\mathsf{sk}}_i, \mathsf{ek}_i) \neq \mathsf{Keygen}(1^\kappa; r_i)$ for some $i \in T$, both hybrids output $\bot$. We focus on the case when this check passes for all parties, so that $\hat{\mathsf{sk}}_i$ is guaranteed to be a valid secret key for its corresponding public and evaluation keys. In both hybrids, we know that $\hat c = \mathsf{Eval}(C, (\hat c_1, \mathsf{pk}_1, \mathsf{ek}_1), \dots, (\hat c_N, \mathsf{pk}_N, \mathsf{ek}_N))$ (see Hybrid 2). By soundness of $\Pi_{\mathsf{ENC}}$, we know that all $\hat c_i$'s are fresh encryptions, so by correctness of multikey evaluation we know that $\mathsf{Dec}(\hat{\mathsf{sk}}_1, \dots, \hat{\mathsf{sk}}_N, \hat c) = f(\hat x_1, \dots, \hat x_N)$, where we define $\hat{\mathsf{sk}}_i = \mathsf{sk}_i$ for all honest $i \notin T$ and $\hat x_i := \mathsf{Dec}(\hat{\mathsf{sk}}_i, \hat c_i)$ for all $i \in [N]$. Furthermore, since $\hat c_i = c_i$ for all honest $i \notin T$ (see Hybrid 3), we know that $\hat x_i = x_i$ for all $i \notin T$ by correctness of decryption.

Hybrid 6: In Hybrid 6, we change how we compute the proofs $\pi_i^{\mathsf{ENC}}$. Instead of computing real proofs, we use the NIZK simulator to create simulated proofs:
$$\big\{\pi_i^{\mathsf{ENC}} \leftarrow \mathsf{Sim}(\mathsf{tk}_{\mathsf{ENC}}, (\mathsf{pk}_i, c_i))\big\}_{i \notin T}$$

We claim that Hybrid 6 is computationally indistinguishable from Hybrid 5 by the unbounded zero-knowledge property of the proof system $\Pi_{\mathsf{ENC}}$. Suppose, for the sake of contradiction, that there exists an algorithm $\mathcal{D}$ that distinguishes between Hybrids 5 and 6. We construct an adversary $\mathcal{B}$ that breaks zero-knowledge of $\Pi_{\mathsf{ENC}}$. The reduction $\mathcal{B}$ works as follows:

1. The reduction chooses arbitrary inputs $\{x_i\}$.

2. It receives the CRS from the zero-knowledge challenger, and runs $\mathcal{A}_{\mathsf{MAL}}$ on inputs $\{x_i\}_{i \in T}$ and the CRS.

3. For all non-computing parties and honest parties, it samples key tuples $(\mathsf{pk}_i, \mathsf{sk}_i, \mathsf{ek}_i) \leftarrow \mathsf{Keygen}(1^\kappa)$, and encrypts the input correctly: $c_i \leftarrow \mathsf{Enc}(\mathsf{pk}_i, x_i; s_i)$. It creates proofs $\pi_i^{\mathsf{ENC}}$ by calling its oracle with statement $(\mathsf{pk}_i, c_i)$ and witness $(x_i, s_i)$. It also runs the verification setup honestly to generate a verification reference string $(\mathsf{vrs}_i, \cdot) \leftarrow \mathsf{Setup}_\Phi(1^\kappa)$.

4. It samples $\mathsf{hk}_i$ honestly and computes the digest $d_i = H_{\mathsf{hk}_i}(c_i)$.

5. It sends $\{\mathsf{pk}_i, \mathsf{ek}_i, c_i, \pi_i^{\mathsf{ENC}}, \mathsf{hk}_i, d_i\}_{i \notin T}$ to $\mathcal{A}_{\mathsf{MAL}}$.

6. When it receives a ciphertext $\hat c$ and proofs $\varphi_1, \dots, \varphi_N$ from $\mathcal{A}_{\mathsf{MAL}}$, along with the set $\{\mathsf{pk}_i, \mathsf{ek}_i, \mathsf{hk}_i, d_i\}$, it runs the extractor
$$\{\hat c_i, \hat\pi_i^{\mathsf{ENC}}\}_{i \in [N]} \leftarrow \mathsf{Ext}_\Phi\big(\{(\mathsf{pk}_i, \mathsf{ek}_i, \mathsf{hk}_i, d_i)\}_{i \in [N]},\ \varphi_i\big)$$

7. It runs the simulator $\mathcal{S}^{\mathsf{AE}}_{\mathsf{MAL}}$ (interacting with $\mathcal{A}_{\mathsf{MAL}}$). When $\mathcal{S}^{\mathsf{AE}}_{\mathsf{MAL}}$ queries the ideal decryption functionality with secret key and randomness pairs $\{(\hat{\mathsf{sk}}_i, r_i)\}_{i \in T}$, it checks that $(\mathsf{pk}_i, \hat{\mathsf{sk}}_i, \mathsf{ek}_i) = \mathsf{Keygen}(1^\kappa; r_i)$. If this check fails, it returns $\bot$; otherwise it returns $y = f(\hat x_1, \dots, \hat x_N)$ where $\hat x_i := \mathsf{Dec}(\hat{\mathsf{sk}}_i, \hat c_i)$ for $i \in T$ and $\hat x_i = x_i$ for $i \notin T$.

8. At the end of the protocol, it forwards $\mathcal{A}_{\mathsf{MAL}}$'s output to $\mathcal{D}$ as the output of the corrupt parties, and gives $y$ to $\mathcal{D}$ as the output of the honest parties.

When $\mathcal{B}$'s oracle is the prover oracle $\mathcal{P}(\cdot)$, then $\mathcal{B}$ perfectly emulates Hybrid 5, whereas if the oracle is the simulation oracle $\mathsf{Sim}_{\mathsf{tk}_{\mathsf{ENC}}}(\cdot)$, $\mathcal{B}$ perfectly emulates Hybrid 6. Therefore, if $\mathcal{D}$ can distinguish between Hybrids 5 and 6, then $\mathcal{B}$ breaks the zero-knowledge property of $\Pi_{\mathsf{ENC}}$.

Hybrids 7.k for $k = 1, \dots, N - t$: Let $\bar T = \{i_1, \dots, i_{N-t}\}$. In Hybrid 7.k we change $c_{i_k}$ so that instead of encrypting $x_{i_k}$ it now encrypts 0. More formally, in Hybrid 7.k we have:
$$c_{i_j} \leftarrow \begin{cases} \mathsf{Enc}(\mathsf{pk}_{i_j}, 0) & \text{for } j \le k \\ \mathsf{Enc}(\mathsf{pk}_{i_j}, x_{i_j}) & \text{for } j > k \end{cases}$$

For ease of notation we let Hybrid 6 be Hybrid 7.0. We claim that the view of $\mathcal{A}_{\mathsf{MAL}}$ in Hybrid 7.k is indistinguishable from its view in Hybrid 7.(k − 1) by the semantic security of $\mathcal{E}$ under public key $\mathsf{pk}_{i_k}$. Indeed, now that we run the simulator $\mathcal{S}^{\mathsf{AE}}_{\mathsf{MAL}}$ in Step 3 instead of the real decryption protocol, the secret key $\mathsf{sk}_{i_k}$ is only used to encrypt $c_{i_k}$. So suppose, for the sake of contradiction, that there exists an algorithm $\mathcal{D}$ that distinguishes between Hybrids 7.k and 7.(k − 1). We construct an adversary $\mathcal{B}$ that breaks the semantic security of $\mathcal{E}$ under public key $\mathsf{pk}_{i_k}$. The reduction $\mathcal{B}$ works as follows:

1. The reduction chooses arbitrary $\{x_i\}$.

2. It creates the NIZK CRS honestly: $(\mathsf{crs}_{\mathsf{ENC}}, \mathsf{tk}_{\mathsf{ENC}}) \leftarrow \mathsf{Setup}_{\mathsf{ENC}}(1^\kappa)$, and runs $\mathcal{A}_{\mathsf{MAL}}$ on inputs $\{x_i\}_{i \in T}$ and $\mathsf{crs}_{\mathsf{ENC}}$ as the CRS.

3. It receives $(\mathsf{pk}, \mathsf{ek})$ from the semantic security challenger and sets $\mathsf{pk}_{i_k} = \mathsf{pk}$ and $\mathsf{ek}_{i_k} = \mathsf{ek}$. It gives $m_0 = 0$ and $m_1 = x_{i_k}$ to the challenger and receives $c = \mathsf{Enc}(\mathsf{pk}, m_b)$, and sets $c_{i_k} = c$. For all $i \in \bar T$, $i \neq i_k$, it computes $(\mathsf{pk}_i, \mathsf{ek}_i) \leftarrow \mathsf{Keygen}(1^\kappa)$ honestly. For $j < k$, it computes $c_{i_j} \leftarrow \mathsf{Enc}(\mathsf{pk}_{i_j}, 0)$ and for $j > k$, it computes $c_{i_j} \leftarrow \mathsf{Enc}(\mathsf{pk}_{i_j}, x_{i_j})$.

4. For all non-computing and honest parties, it creates simulated proofs $\pi_i^{\mathsf{ENC}} \leftarrow \mathsf{Sim}(\mathsf{tk}_{\mathsf{ENC}}, (\mathsf{pk}_i, c_i))$ using the trapdoor $\mathsf{tk}_{\mathsf{ENC}}$. It also runs the verification setup honestly to generate a verification reference string $(\mathsf{vrs}_i, \cdot) \leftarrow \mathsf{Setup}_\Phi(1^\kappa)$.

5. It samples $\mathsf{hk}_i$ honestly and computes the digest $d_i = H_{\mathsf{hk}_i}(c_i)$.

6. It sends $\{\mathsf{pk}_i, \mathsf{ek}_i, c_i, \pi_i^{\mathsf{ENC}}, \mathsf{hk}_i, d_i\}_{i \notin T}$ to $\mathcal{A}_{\mathsf{MAL}}$.

7. When it receives a ciphertext $\hat c$ and proofs $\varphi_1, \dots, \varphi_N$ from $\mathcal{A}_{\mathsf{MAL}}$, along with the set $\{\mathsf{pk}_i, \mathsf{ek}_i, \mathsf{hk}_i, d_i\}$, it runs the extractor
$$\{\hat c_i, \hat\pi_i^{\mathsf{ENC}}\}_{i \in [N]} \leftarrow \mathsf{Ext}_\Phi\big(\{(\mathsf{pk}_i, \mathsf{ek}_i, \mathsf{hk}_i, d_i)\}_{i \in [N]},\ \varphi_i\big)$$

8. It runs the simulator $\mathcal{S}^{\mathsf{AE}}_{\mathsf{MAL}}$ (interacting with $\mathcal{A}_{\mathsf{MAL}}$). When $\mathcal{S}^{\mathsf{AE}}_{\mathsf{MAL}}$ queries the ideal decryption functionality with secret key and randomness pairs $\{(\hat{\mathsf{sk}}_i, r_i)\}_{i \in T}$, it checks that $(\mathsf{pk}_i, \hat{\mathsf{sk}}_i, \mathsf{ek}_i) = \mathsf{Keygen}(1^\kappa; r_i)$. If this check fails, it returns $\bot$; otherwise it returns $y = f(\hat x_1, \dots, \hat x_N)$ where $\hat x_i := \mathsf{Dec}(\hat{\mathsf{sk}}_i, \hat c_i)$ for $i \in T$ and $\hat x_i = x_i$ for $i \notin T$.

9. At the end of the protocol, it forwards $\mathcal{A}_{\mathsf{MAL}}$'s output to $\mathcal{D}$ as the output of the corrupt parties, and gives $y$ to $\mathcal{D}$ as the output of the honest parties.

When $b = 0$, $\mathcal{B}$ perfectly emulates Hybrid 7.k, whereas if $b = 1$, $\mathcal{B}$ perfectly emulates Hybrid 7.(k − 1). Therefore, if $\mathcal{D}$ can distinguish between Hybrids 7.k and 7.(k − 1), then $\mathcal{B}$ can distinguish between an encryption of $m_0$ and an encryption of $m_1$, contradicting the semantic security of $\mathcal{E}$.

We have proved that the joint output in Hybrid 0 is computationally indistinguishable from the joint output in Hybrid 7.(N − t). Notice that the joint output in Hybrid 7.(N − t) is precisely $\mathsf{IDEAL}_{f,\mathcal{S},\mathcal{A}_{\mathsf{MAL}}}(\vec x)$, and the joint output in Hybrid 0 is defined to be $\mathsf{REAL}_{\Pi_{\mathsf{MAL}},\mathcal{A}_{\mathsf{MAL}}}(\vec x)$. We conclude that $\mathsf{IDEAL}_{f,\mathcal{S},\mathcal{A}_{\mathsf{MAL}}}(\vec x) \stackrel{c}{\approx} \mathsf{REAL}_{\Pi_{\mathsf{MAL}},\mathcal{A}_{\mathsf{MAL}}}(\vec x)$, as desired. □

4.2.3 Efficient NIZKs to Prove Plaintext Knowledge

The protocol described in Section 4.2.1 requires a NIZK argument system for the NP relation $R_{\mathsf{ENC}} = \{((\mathsf{pk}, c), (x, s)) \mid c = \mathsf{Enc}(\mathsf{pk}, x; s)\}$. While it is known how to construct NIZK argument systems for all of NP [GOS06, GOS12], using this construction requires expensive NP reductions. In this section, we show how to construct an efficient gap Σ-protocol for $R_{\mathsf{ENC}}$ when the encryption scheme is the NTRU-based multikey FHE scheme from Section 3.4. By Theorem 2.2 this suffices to construct an efficient NIZK argument system for $R_{\mathsf{ENC}}$ in the random oracle model. Our construction follows the ideas of Asharov et al. [AJW11, AJL+12].

Recall that in the aforementioned FHE scheme, a ciphertext has the form $c = [hs + 2e + m]_q$ for public key $h$, message $m \in \{0, 1\}$, and ring elements $s, e$ sampled from a $B$-bounded distribution $\chi$. We construct a gap Σ-protocol for proving that "$c$ encrypts 0 under $h$". That is, we show a protocol for the relation
$$R^{\mathsf{ENC}}_0 = \{((h, c), (s, e)) \mid c = [hs + 2e]_q \ \wedge\ \|s\|_\infty, \|e\|_\infty \le B\}$$
with corresponding language $L^{\mathsf{ENC}}_0$. By Theorem 2.1, we can then construct a gap Σ-protocol for $R_{\mathsf{ENC}}$ using an OR protocol to prove that "$c \in L^{\mathsf{ENC}}_0$ or $c - 1 \in L^{\mathsf{ENC}}_0$".

Gap Σ-protocol for Encryptions of 0. Our construction of a gap Σ-protocol for $R^{\mathsf{ENC}}_0$ uses the same parameters as the encryption scheme: degree $n$, polynomial $\phi(x) = x^n + 1$, modulus $q$, and distribution $\chi$ with parameter $r$ over the ring $R = \mathbb{Z}[x]/(\phi(x))$. It is additionally parametrized by a distribution $\tilde\chi$ with parameter $\tilde r$ over $R$, such that $2^{\omega(\log \kappa)} \cdot r \le \tilde r < q/(4\sqrt{n}) - r$. To simplify notation, we recall from Lemma 2.7 that $\chi$ is $B$-bounded and $\tilde\chi$ is $\tilde B$-bounded for $B = r\sqrt{n}$ and $\tilde B = \tilde r\sqrt{n}$. By our choice of $\tilde r$, this means that $B + \tilde B < q/4$.

To formally describe our protocol, we must first define relations $R_{\mathsf{zk}}$ and $R_{\mathsf{sound}}$. We set $R_{\mathsf{zk}} = R^{\mathsf{ENC}}_0$ and set $R_{\mathsf{sound}}$ to be essentially the same as $R^{\mathsf{ENC}}_0$, differing only in the requirement set for $\|s\|_\infty$ and $\|e\|_\infty$:
$$R_{\mathsf{sound}} = \{((h, c), (s, e)) \mid c = [hs + 2e]_q \ \wedge\ \|s\|_\infty \le 2(B + \tilde B) \ \wedge\ \|e\|_\infty \le 4(B + \tilde B)\}$$
Note that since $\tilde B > B$, we have $R_{\mathsf{zk}} \subseteq R_{\mathsf{sound}}$. We can now describe our construction:

• $P_1((h, c), (s, e))$: Samples $\tilde s, \tilde e \leftarrow \tilde\chi$ and outputs $a = [h\tilde s + 2\tilde e]_q$ and $\mathsf{st} = (\tilde s, s)$.

• $V_1((h, c))$: Outputs a random bit $b \leftarrow \{0, 1\}$.

• $P_2(\mathsf{st}, b)$: Parses $\mathsf{st} = (\tilde s, s)$ and outputs $z = [\tilde s + bs]_q$.

• $V_2((h, c), a, b, z)$: Computes $\hat e = [(a + bc) - hz]_q$ and outputs 1 if and only if $\|z\|_\infty \le B + \tilde B$, $\|\hat e\|_\infty \le 2(B + \tilde B)$, and $\hat e$ is even.

Theorem 4.3. Let $R_{\mathsf{zk}}, R_{\mathsf{sound}}$ be the NP relations described above. The construction $(P, V)$ with $P = (P_1, P_2)$ and $V = (V_1, V_2)$ is a gap Σ-protocol for $(R_{\mathsf{zk}}, R_{\mathsf{sound}})$.

Proof. We show that the above construction satisfies the completeness, special soundness, and HVZK properties.

Completeness: Let $((h, c), (s, e)) \in R_{\mathsf{zk}}$, and let $(a, b, z)$ be a transcript for protocol $(P, V)$. Then
$$\hat e = [(a + bc) - hz]_q = [h\tilde s + 2\tilde e + bhs + 2be - h\tilde s - hbs]_q = [2(\tilde e + be)]_q = 2(\tilde e + be)$$
where the last equality holds by the fact that $B + \tilde B < q/4$. It is clear that $\hat e$ is even, and its coefficients are bounded by $2(B + \tilde B)$. Furthermore, $z = \tilde s + bs$, so $\|z\|_\infty \le B + \tilde B$, as required.

Special Soundness: Let $(h, c)$ be a public key and ciphertext pair, and let $(a, 0, z_0)$ and $(a, 1, z_1)$ be two accepting transcripts. The extractor $\mathsf{Ext}$ outputs $(s^*, e^*)$, where $s^* = z_1 - z_0$ and $e^* = [c - hs^*]_q$.

We now argue that $((h, c), (s^*, e^*)) \in R_{\mathsf{sound}}$. By construction, we have that $c = [hs^* + 2e^*]_q$. It remains to show the bound on the size of the coefficients of $s^*$ and $e^*$. Since $(a, 0, z_0)$ and $(a, 1, z_1)$ are accepting transcripts, we know that $\|z_0\|_\infty, \|z_1\|_\infty \le B + \tilde B$, so that $\|s^*\|_\infty \le 2(B + \tilde B)$.

We now bound $e^*$. Let $\varepsilon_0 = [a - hz_0]_q$ and $\varepsilon_1 = [(a + c) - hz_1]_q$. Since $(a, 0, z_0)$ and $(a, 1, z_1)$ are accepting transcripts, we know that $\|\varepsilon_0\|_\infty, \|\varepsilon_1\|_\infty \le 2(B + \tilde B)$ and both $\varepsilon_0$ and $\varepsilon_1$ are even. Furthermore, $\varepsilon_1 - \varepsilon_0 = [(a + c) - hz_1 - (a - hz_0)]_q = [c - h(z_1 - z_0)]_q = e^*$. This means that $e^*$ is even since both $\varepsilon_0$ and $\varepsilon_1$ are even, and we also have that $\|e^*\|_\infty \le \|\varepsilon_0\|_\infty + \|\varepsilon_1\|_\infty \le 4(B + \tilde B)$, as desired.

Honest-Verifier Zero-Knowledge: Let $((h, c), (s, e)) \in R_{\mathsf{zk}}$ and let $b \in \{0, 1\}$. The simulator $\mathsf{Sim}$ chooses $z', e' \leftarrow \tilde\chi$, sets $a' = hz' + 2e' - bc$, and outputs $(a', b, z')$. We argue that the output of $\mathsf{Sim}$ is statistically close to the transcript $(a, b, z)$ of an execution of the protocol $(P, V)$. In a real transcript, we have $a = h\tilde s + 2\tilde e$ and $z = \tilde s + bs$. In the simulated transcript, we have $a' = h(z' - bs) + 2(e' - be)$. If $b = 0$, then the distributions are identical because $\tilde s, \tilde e, z', e'$ are all sampled from the same distribution $\tilde\chi$. On the other hand, if $b = 1$, then the distributions are statistically close by Corollary 2.9.

□
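The construction $(P_1, V_1, P_2, V_2)$ described above, together with the three properties proved in Theorem 4.3 (completeness, extraction of a witness in $R_{\mathsf{sound}}$ from two accepting transcripts, and the HVZK simulator), as an added Python example that is not part of the report. It uses toy constructed parameters ($n = 8$, $q = 4099$, $B = 2$, $\tilde B = 64$, so $B + \tilde B < q/4$), replaces the bounded Gaussian distributions $\chi$ and $\tilde\chi$ with uniform coefficients in $[-B, B]$ and $[-\tilde B, \tilde B]$ (an assumption made for simplicity; the report's $\tilde B/B$ ratio is superpolynomial), and treats the public key $h$ as an arbitrary ring element, since the protocol only uses the shape $c = [hs + 2e]_q$:

```python
import random

# Toy parameters constructed for this example (far smaller than the report's):
# ring R_q = Z_q[x]/(x^n + 1); chi is B-bounded, chi~ is B~-bounded, B + B~ < q/4.
N, Q = 8, 4099
B, B_TILDE = 2, 64


def center(v, q=Q):
    """Centered reduction [v]_q into (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def padd(a, b):
    return [center(x + y) for x, y in zip(a, b)]


def psub(a, b):
    return [center(x - y) for x, y in zip(a, b)]


def pscale(k, a):
    return [center(k * x) for x in a]


def pmul(a, b):
    """Negacyclic convolution: multiplication modulo x^n + 1 and modulo q."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj  # x^n = -1
    return [center(x) for x in res]


def inf_norm(a):
    return max(abs(x) for x in a)


def sample_bounded(bound, rng):
    """Uniform coefficients in [-bound, bound]: a stand-in (assumption of this
    example) for the report's B-bounded Gaussian distributions."""
    return [rng.randint(-bound, bound) for _ in range(N)]


def enc_zero(h, s, e):
    """c = [h*s + 2e]_q: the shape of an encryption of 0 under public key h."""
    return padd(pmul(h, s), pscale(2, e))


def p1_commit(h, s, rng):
    """P_1: sample s~, e~ from chi~, output a = [h*s~ + 2e~]_q and st = (s~, s)."""
    s_t, e_t = sample_bounded(B_TILDE, rng), sample_bounded(B_TILDE, rng)
    return enc_zero(h, s_t, e_t), (s_t, s)


def p2_respond(st, b):
    """P_2: z = [s~ + b*s]_q."""
    s_t, s = st
    return padd(s_t, pscale(b, s))


def v2_check(h, c, a, b, z):
    """V_2: e^ = [(a + b*c) - h*z]_q; accept iff z and e^ are small and e^ is even."""
    e_hat = psub(padd(a, pscale(b, c)), pmul(h, z))
    return (inf_norm(z) <= B + B_TILDE
            and inf_norm(e_hat) <= 2 * (B + B_TILDE)
            and all(x % 2 == 0 for x in e_hat))


def extract(h, c, z0, z1):
    """Special soundness: from (a,0,z0), (a,1,z1) output s* = z1 - z0, e* = [c - h*s*]_q."""
    s_star = psub(z1, z0)
    return s_star, psub(c, pmul(h, s_star))


def in_r_sound(h, c, s, e):
    """R_sound: c = [h*s + 2e]_q with ||s|| <= 2(B+B~) and ||e|| <= 4(B+B~)."""
    return (c == enc_zero(h, s, e)
            and inf_norm(s) <= 2 * (B + B_TILDE)
            and inf_norm(e) <= 4 * (B + B_TILDE))


def simulate(h, c, b, rng):
    """HVZK simulator: z', e' from chi~ and a' = [h*z' + 2e' - b*c]_q, chosen so
    that V_2's recomputed value (a' + b*c) - h*z' is exactly 2e'."""
    z_p, e_p = sample_bounded(B_TILDE, rng), sample_bounded(B_TILDE, rng)
    return psub(enc_zero(h, z_p, e_p), pscale(b, c)), b, z_p


def demo(seed=7):
    """Returns (honest transcript accepted, extracted witness in R_sound,
    simulated transcripts accepted for both challenges)."""
    rng = random.Random(seed)
    h = [center(rng.randrange(Q)) for _ in range(N)]   # arbitrary ring element
    s, e = sample_bounded(B, rng), sample_bounded(B, rng)
    c = enc_zero(h, s, e)                               # statement: c encrypts 0
    a, st = p1_commit(h, s, rng)
    complete = v2_check(h, c, a, rng.randint(0, 1), p2_respond(st, rng.randint(0, 1)))
    # Two transcripts on the same commitment a, one per challenge, feed the extractor.
    s_star, e_star = extract(h, c, p2_respond(st, 0), p2_respond(st, 1))
    # e* is even (both verifier-side residues are), so c = [h*s* + 2*(e*/2)]_q.
    sound = (all(x % 2 == 0 for x in e_star)
             and in_r_sound(h, c, s_star, [x // 2 for x in e_star]))
    zk = all(v2_check(h, c, *simulate(h, c, b, rng)) for b in (0, 1))
    return complete, sound, zk
```

Note that the `complete` check draws two independent challenge bits, which is a bug to watch for when adapting this: a real transcript must verify against the challenge the prover actually answered, so `demo` should be read as checking one random challenge only if both draws agree. The looser bounds in `in_r_sound` relative to $R_{\mathsf{zk}}$ are exactly the "gap" the section title refers to: the extractor recovers a witness with coefficients up to twice (for $s^*$) and four times (for $e^*$) the honest size, which is why the consequences paragraph below must re-examine correctness with fresh-ciphertext error $B^*$.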


Consequences of Having a Gap. We have shown how to construct efficient NIZK arguments for the relation $R_{\mathsf{ENC}}$ for the NTRU-based multikey FHE scheme from Section 3.4. However, there is a gap in the relations for which soundness and zero-knowledge hold: zero-knowledge holds for an honest prover with a statement in $R_{\mathsf{zk}}$, but an honest verifier is only convinced that the statement is in $R_{\mathsf{sound}} \supseteq R_{\mathsf{zk}}$. We must show that this gap does not affect the correctness of our protocol. It suffices to prove that the scheme is fully homomorphic when the error in fresh ciphertexts is bounded by $B^* = 4(B + \tilde B)$.

Our analysis in Section 3.4 does not immediately guarantee this, as it sets $B = \mathrm{poly}(n)$. Since we must have $n = \mathrm{poly}(\kappa)$ for efficiency of the scheme, this means $B = \mathrm{poly}(\kappa)$. However $B^*$ is super-polynomial in $\kappa$. Nevertheless, we can easily modify our parameters and analysis to guarantee that the scheme remains fully homomorphic with ciphertext noise that is super-polynomial in $\kappa$.

The proof of Lemma 3.6 shows that the leveled homomorphic scheme $\mathcal{E}_{\mathsf{LH}}$ described in Section 3.4.2 is multikey homomorphic for $N$ keys and circuits of depth $D$ as long as
$$(nB^*)^{2N+2} \le \frac{2^{n^{\varepsilon}}}{2\,\big(8n(nB^*)^{2N+2}\big)^{D}}$$
which yields the requirement $ND = O\big(n^{\varepsilon}/(\log n + \log B^*)\big)$. We can then follow the proof of Theorem 3.9 and show that there exists a multikey fully homomorphic encryption scheme for $N = O\big(\sqrt{n^{\varepsilon}/(\log n\,(\log n + \log B^*))}\big)$. If we set $\tilde B = 2^{\log^2 \kappa} \cdot B$ for $B = \mathrm{poly}(n)$ and $n \ge \kappa$, this is guaranteed if $N = O\big(\sqrt{n^{\varepsilon}/\log^3 n}\big)$, since
$$n^{\varepsilon}/(\log^3 n) = O\big(n^{\varepsilon}/(\log n \cdot (\log n + \log^2 n))\big) = O\big(n^{\varepsilon}/(\log n \cdot (\log n + \log B^*))\big).$$

(In)Security in the Standard Model. We have shown a NIZK argument for relation $R_{\mathsf{ENC}}$. Though secure in the random oracle model, we remark that care must be taken if we want to hope for security in the standard model. More specifically, since our gap Σ-protocol has only constant soundness, we need to use parallel repetition for soundness amplification. For efficiency, we would like to repeat the protocol only $\mathrm{polylog}(\kappa)$ many times as this already achieves negligible soundness. However, Dachman-Soled et al. [DJKL12, BDG+13] have shown that if we use such a small number of repetitions, the resulting NIZK cannot be proven sound (in the standard model) via a black-box reduction to a (super-polynomially hard) falsifiable assumption. Also see remarks after Theorem 2.2.

4.3 Impossibility of a 2-Round Protocol

We have shown that there exists an on-the-fly MPC protocol with a 5-round online phase. We now ask whether we can achieve the optimal solution of having a completely non-interactive online phase. In this section we answer this question negatively: we show that the existence of such a protocol (secure against semi-honest adversaries)¹⁴ implies general circuit obfuscation as a virtual black-box with single-bit output, which we know to be impossible [BGI+01]. Our techniques are inspired by those of van Dijk and Juels [vDJ10].

We begin by reviewing the definition of general circuit obfuscation [BGI+01].

Definition 4.1 (Circuit Obfuscation [BGI+01]). A probabilistic algorithm $\mathcal{O}$ is a circuit obfuscator if the following three conditions hold:

Functionality: For every circuit $C$, the string $\mathcal{O}(C)$ describes a circuit that computes the same function as $C$.

Polynomial Slowdown: There is a polynomial $p$ such that for every circuit $C$, $|\mathcal{O}(C)| \le p(|C|)$.

"Virtual Black-Box" Property: For any PPT adversary $\mathcal{A}$, there is a PPT simulator $\mathcal{S}$ such that for all circuits $C$
$$\Big|\Pr[\mathcal{A}(\mathcal{O}(C)) = 1] - \Pr[\mathcal{S}^{C}(1^{|C|}) = 1]\Big| \le \mathrm{negl}(|C|)$$

Barak et al. [BGI+01] show that assuming one-way functions exist, there does not exist any algorithm $\mathcal{O}$ satisfying Definition 4.1, even if we do not require that $\mathcal{O}$ run in polynomial time. Thus, our results imply that assuming one-way functions exist, there does not exist any on-the-fly MPC protocol with a non-interactive online phase.

We now show the connection between on-the-fly MPC and obfuscation. We consider an on-the-fly MPC protocol with a non-interactive online phase, and assume that only one function is evaluated and the function is chosen a-priori, before the start of the protocol (i.e. it does not depend on the offline stage messages). Let $N$ be the number of inputs of the circuit; without loss of generality, we assume that the computing parties are $P_1, \dots, P_N$. Note that considering such a restricted protocol only makes our impossibility result stronger. A protocol like this can be modeled by efficient and possibly randomized algorithms $\mathsf{In}_1, \dots, \mathsf{In}_N, \mathsf{Compute}, \mathsf{Out}_1, \dots, \mathsf{Out}_N$, where:

• $(d_i, c_i) \leftarrow \mathsf{In}_i(x_i)$: On input $x_i$, the algorithm $\mathsf{In}_i$ outputs two elements, $c_i$ to be sent to the server $S$ and $d_i$ to be kept by party $P_i$.

• $(z_1, \dots, z_N) \leftarrow \mathsf{Compute}(C, c_1, \dots, c_N)$: On input a circuit $C$ and $c_1, \dots, c_N$, which are the messages the server received from parties $P_1, \dots, P_N$, $\mathsf{Compute}$ outputs $N$ elements $z_1, \dots, z_N$. The server sends back $z_i$ to party $P_i$.

• $y \leftarrow \mathsf{Out}_i(z_i, d_i)$: On input $z_i$ which was received from the server, and the auxiliary information $d_i$ output by $\mathsf{In}_i$, $\mathsf{Out}_i$ computes the output $y$.

¹⁴ Considering semi-honest adversaries instead of semi-malicious or malicious adversaries only makes our result stronger.

We know from the work of Halevi, Lindell, and Pinkas [HLP11] that in the non-interactive setting, the server can always evaluate the circuit multiple times, keeping some parties' inputs but plugging in fake inputs of its choosing for the other parties. Thus we must relax the definition of security so that when the server is corrupted, the simulator is allowed to submit queries of the form $(S, \vec x)$, where $S$ is a non-empty subset of the honest parties and $\vec x$ is any input vector of size $n - |S|$. The trusted functionality evaluates the function on $\vec x$ and the honest inputs in $S$. Furthermore, our result holds even when the real-world adversary is only allowed to output 1 bit.¹⁵

Theorem 4.4. If there exists an on-the-fly MPC protocol with a non-interactive online phase that computes all efficiently computable functions with 2 inputs, and is secure against semi-honest adversaries (with the relaxed definition of security), then there exists a circuit obfuscator $\mathcal{O}$ satisfying Definition 4.1.

Proof. We start by defining a family of "meta-circuits" $\{F^{(m)}\}_{m \in \mathbb{N}}$. For a fixed $m \in \mathbb{N}$, $F^{(m)}$ is such that given a circuit $C$ of size $m$ and bit-string $x$, it evaluates $C$ on $x$ and outputs $C(x)$, i.e. $F^{(m)}(C, x) = C(x)$. van Dijk and Juels [vDJ10] show how to construct a family of meta-circuits such that for all $m \in \mathbb{N}$, $|F^{(m)}| = O(m^2)$.

We now show how to construct a circuit obfuscator $\mathcal{O}$ using an on-the-fly MPC protocol $\Pi = (\mathsf{In}_1, \mathsf{In}_2, \mathsf{Compute}, \mathsf{Out}_1, \mathsf{Out}_2)$ with the properties described in the theorem statement. Given a circuit $C$ of size $m$, $\mathcal{O}$ computes $(\cdot, c_1) \leftarrow \mathsf{In}_1(C)$, samples random coins $\rho, \sigma, \tau$, and outputs a circuit $G$ that on input $x$:

• Computes $(d_2, c_2) := \mathsf{In}_2(x; \rho)$.

• Computes $(\cdot, z_2) := \mathsf{Compute}(F^{(m)}, c_1, c_2; \sigma)$.

• Computes and outputs $y := \mathsf{Out}_2(z_2, d_2; \tau)$.

We now show that this obfuscator satisfies the functionality, polynomial slowdown, and virtual black-box properties from Definition 4.1.

Functionality: The correctness property of the on-the-fly MPC protocol guarantees that $G(x) = F^{(m)}(C, x) = C(x)$ for all $x$.

Polynomial Slowdown: Using van Dijk and Juels' construction [vDJ10], we have that $|F^{(m)}| = O(m^2)$. Since all algorithms of the on-the-fly MPC protocol run in polynomial time, we have that there exists a polynomial $p$ such that $|G| = p(|C|)$.

Virtual Black-Box: To prove the virtual black-box property, we observe that given an attacker $\mathcal{A}$ trying to break the obfuscation, we can construct a real-world semi-honest adversary $\mathcal{B}$ attacking the on-the-fly MPC protocol, corrupting the server and party $P_2$. The honest party receives input $C$ and $\mathcal{B}$ receives a dummy value $x$ for $P_2$, which it ignores. Instead it receives $c_1$ from the honest party, builds $G$ as specified and runs $\mathcal{A}$ on $G$. When $\mathcal{A}$ outputs a bit $b$, $\mathcal{B}$ completes Steps 2 and 3 in the protocol as specified, and outputs $b$. We emphasize that any action taken by $\mathcal{A}$ is valid for a semi-honest adversary, so $\mathcal{B}$ is semi-honest.

Security of $\Pi$ says that there exists a simulator $\mathcal{S}$ such that for all inputs $C, x$, we have $\mathsf{IDEAL}_{F,\mathcal{S}}(C, x) \stackrel{c}{\approx} \mathsf{REAL}_{\Pi,\mathcal{B}}(C, x)$, where in the ideal world, $\mathcal{S}$ is given access to an oracle as described above. In the setting we are considering, the only valid subset that $\mathcal{S}$ can provide in a query to this oracle is $\{1\}$. Thus, $\mathcal{S}$ has oracle access to $F^{(m)}(C, \cdot) = C(\cdot)$. We can build a simulator $\mathcal{S}'$ with oracle access to $C(\cdot)$ that on input $|C|$¹⁶, chooses an arbitrary $x$ and runs $\mathcal{S}(x)$ (which runs $\mathcal{B}$, which runs $\mathcal{A}$), answers $\mathcal{S}$'s queries with its own oracle, and outputs $\mathcal{S}$'s output.

Since $\mathcal{B}$ outputs whatever $\mathcal{A}$ outputs and $\mathcal{S}'$ outputs whatever $\mathcal{S}$ outputs, the fact that $\mathsf{IDEAL}_{F,\mathcal{S}}(C, x) \stackrel{c}{\approx} \mathsf{REAL}_{\Pi,\mathcal{B}}(C, x)$ implies that $\mathcal{S}'(|C|) \stackrel{c}{\approx} \mathcal{A}(G)$. The theorem statement follows.

□

¹⁵ Considering a restricted class of adversaries for the on-the-fly MPC protocol only makes our impossibility result stronger.
Lattice-Based FHE as Secure as PKE

Zvika Brakerski*  Vinod Vaikuntanathan†

Abstract

We show that (leveled) fully homomorphic encryption (FHE) can be based on the hardness of $\tilde O(n^{1.5+\varepsilon})$-approximation for lattice problems (such as GapSVP) under quantum reductions for any $\varepsilon > 0$ (or $\tilde O(n^{2+\varepsilon})$-approximation under classical reductions). This matches the best known hardness for "regular" (non-homomorphic) lattice-based public-key encryption up to the $\varepsilon$ factor. A number of previous methods had hit a roadblock at quasipolynomial approximation. (As usual, a circular security assumption can be used to achieve a non-leveled FHE scheme.)

Our approach consists of three main ideas: noise-bounded sequential evaluation of high fan-in operations; circuit sequentialization using Barrington's Theorem; and finally, successive dimension-modulus reduction.


1 Introduction

Fully homomorphic encryption (FHE) allows us to convert an encryption of a message $\mathsf{Enc}(m)$ into an encryption of a related message $\mathsf{Enc}(f(m))$ for any efficient $f$, using only public information and without revealing anything about $m$ itself. FHE has numerous theoretical and practical applications, the canonical one being to the problem of outsourcing computation to a remote server without compromising one's privacy.

Until 2008, FHE was considered practically science fiction as no constructions or even viable approaches were known. A breakthrough by Gentry [Gen09b, Gen10, Gen09a] presented the first plausible candidate construction. The security of Gentry's scheme relied on much stronger assumptions than standard (non-homomorphic) public-key encryption (PKE), namely the hardness of problems on specially chosen ideal lattices as well as a new assumption called the sparse subset sum assumption. This state of affairs coincided with many researchers' intuition that FHE, being much more versatile, should naturally be harder to achieve and should require stronger assumptions than regular public-key encryption. Brakerski and Vaikuntanathan [BV11] subsequently constructed an FHE scheme¹ based on the worst-case hardness of approximating lattice problems such as GapSVP (a promise version of the shortest vector problem on lattices) which have been studied extensively and are by now considered standard cryptographic assumptions. However, they required that the problem is hard to approximate to within a subexponential factor (in the dimension of the underlying lattice). This is in contrast to standard lattice-based public-key encryption which can be based on the hardness of approximating the problem to within polynomial factors (explicitly $\tilde O(n^{1.5})$ using quantum reductions [Reg05] or $\tilde O(n^2)$ using classical reductions [Pei09]). Closing this gap has been a central goal in the study of FHE from both a theoretical and a practical perspective (since relying on a weaker assumption allows us to use shorter parameters resulting in better efficiency). Starting with [BGV12], several works using different approaches [Bra12, GSW13] have reduced the required factor of approximation to $n^{O(\log n)}$, which seemed to be a barrier for known methods.

¹ Here, and in the rest of the introduction, when we say FHE, we mean a leveled FHE scheme that can evaluate circuits of any a-priori bounded polynomial depth. The only known way to achieve non-leveled FHE schemes is to make a circular security assumption, in addition.

In this work, we match the best known approximation factors up to any $\varepsilon > 0$ and show that "science fiction" FHE can be as secure as any other lattice-based public-key encryption scheme. Furthermore, the keys and ciphertexts in our scheme (with the exception of the evaluation key which is only used for homomorphic evaluation) are identical to Regev's original lattice-based PKE [Reg05], with parameters that are optimal up to a factor of $1 + \varepsilon$.

Our results are summarized in the following theorem.

Theorem 1.1. For every $\varepsilon > 0$, there exists a leveled fully homomorphic encryption scheme based on the $\mathsf{DLWE}_{n,q,\alpha}$ assumption ($n$-dimensional decisional LWE modulo $q$, with discrete Gaussian noise with parameter $\alpha$), where $\alpha = 1/\tilde O(n^{\varepsilon} \cdot \sqrt{n \log q})$.

Thus, the scheme is secure based on either the quantum worst-case hardness of $\mathsf{GapSVP}_{\tilde O(n^{1.5+\varepsilon})}$ or the classical worst-case hardness of $\mathsf{GapSVP}_{\tilde O(n^{2+\varepsilon})}$.

High Level Overview. Our starting point is a new LWE-based FHE scheme by Gentry, Sahai and Waters [GSW13]. They present an encryption scheme where the public key is identical to Regev's scheme, but the ciphertexts are square matrices rather than vectors. It was then possible to add and multiply ciphertexts using (roughly) matrix addition and multiplication. As in previous LWE-based FHE schemes, the ciphertext contains a "noise" element that grows with homomorphic operations and must be kept under a certain threshold in order for the ciphertext to be decryptable. The scheme is instantiated by a dimension $n$ and modulus $q$, which correspond to the parameters of the LWE problem. The initial noise level is $\mathrm{poly}(n)$ and the scheme is decryptable so long as the noise remains under (say) $q/8$. In order to base the scheme on the hardness of polynomial approximation to lattice problems, we would like to characterize the class of functions that can be homomorphically evaluated using $q = \mathrm{poly}(n)$. The analysis of Gentry, Sahai and Waters [GSW13] shows that the evaluation of each Boolean gate increases the noise by a $\mathrm{poly}(n)$ factor, and thus the class of functions that can be evaluated setting $q = \mathrm{poly}(n)$ is $\mathsf{NC}^0$.

Our first observation is that the asymmetric (namely, non-commutative) nature of matrix multiplication gives rise to an interesting phenomenon in the GSW scheme: when multiplying two ciphertexts with noise levels $e_1$ and $e_2$, the noise in the output turns out to be $e_1 + \mathrm{poly}(n) \cdot e_2$. That is, the noise grows in an asymmetric manner. This means that if we want to multiply $t$ ciphertexts, for example, which all start with the same noise level, we can consecutively multiply them one after the other, and the final noise will only grow by a $t \cdot \mathrm{poly}(n)$ factor. This is in contrast to the conventional wisdom that favors the use of a multiplication tree, which in this case would have resulted in a $\mathrm{poly}(n)^{\log t}$ noise blowup. This observation already allows us to evaluate $\mathsf{AC}^0$ circuits in a setting where the modulus $q = \mathrm{poly}(n)$. (Using an additional trick, this can be extended to $\mathsf{AC}^0[\oplus]$, namely $\mathsf{AC}^0$ circuits augmented with XOR gates).
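A toy model of the asymmetric noise rule just described, added here as an example (it is not code from the paper). It assumes the $\mathrm{poly}(n)$ factor is $n$ itself, that every fresh ciphertext carries noise 1, and that decryption succeeds while the noise stays below $q/8$, the threshold quoted above. It compares a left-to-right chain of $t$ multiplications with a balanced tree for a polynomial modulus $q = n^3$, and also shows what happens when the accumulated product is fed as the right-hand operand, which the asymmetric rule punishes:

```python
def mul_noise(e_left, e_right, n):
    """GSW-style asymmetric rule: multiplying ciphertexts with noise e_left and
    e_right yields noise e_left + poly(n) * e_right; poly(n) := n here (assumption)."""
    return e_left + n * e_right


def chain_noise(t, n, e0=1):
    """Multiply t fresh ciphertexts (noise e0 each) one after the other, keeping the
    accumulated product as the LEFT operand: noise grows by only n*e0 per step."""
    acc = e0
    for _ in range(t - 1):
        acc = mul_noise(acc, e0, n)
    return acc


def chain_noise_wrong_order(t, n, e0=1):
    """Same chain, but the accumulated product is the RIGHT operand, so its noise
    is multiplied by n at every step: the asymmetry cuts both ways."""
    acc = e0
    for _ in range(t - 1):
        acc = mul_noise(e0, acc, n)
    return acc


def tree_noise(t, n, e0=1):
    """Balanced multiplication tree over t = 2^k fresh ciphertexts: both operands of
    each internal node carry the noise of the level below, so it compounds per level."""
    if t == 1:
        return e0
    half = tree_noise(t // 2, n, e0)
    return mul_noise(half, half, n)


def decryptable(noise, q):
    """Decryption succeeds while the noise stays below q/8 (threshold from the text)."""
    return noise < q / 8


def compare(t=8, n=16, q=16 ** 3):
    """Return (chain, tree, wrong-order chain, chain decryptable?, tree decryptable?)
    for q = n^3: only the left-folded chain stays under the q/8 threshold."""
    chain = chain_noise(t, n)
    tree = tree_noise(t, n)
    wrong = chain_noise_wrong_order(t, n)
    return chain, tree, wrong, decryptable(chain, q), decryptable(tree, q)
```

With $t = 8$ and $n = 16$ the chain ends at noise $1 + 7 \cdot 16 = 113$, i.e. roughly $t \cdot n$, while the tree ends at $17^3 = 4913$, i.e. $(n+1)^{\log t}$; the reversed chain grows like $n^{t-1}$. Only the first fits under $q/8 = 512$, which is the whole point of the sequential evaluation idea. In an implementation the operand order of each homomorphic multiplication is therefore a correctness-critical detail worth asserting on, not a stylistic choice.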

Our second idea is to push this technique forward by "sequentializing" larger circuit classes. A
particularly potent tool in this direction of thought is Barrington's Theorem [Bar89], which allows
us to transform any $NC^1$ circuit into a polynomial length, width-5 permutation branching program.
Homomorphic evaluation of a length-$\ell$ branching program essentially requires homomorphically
multiplying $\ell$ 5-by-5 encrypted permutation matrices, in contrast to the simple product operation
on bits that we just accomplished. We show that this is in fact possible, namely a method of
homomorphically multiplying $\ell$ permutation matrices that only increases the noise by an $\ell \cdot \mathrm{poly}(n)$
factor. This gives us a way to evaluate any $NC^1$ circuit in a setting where the modulus $q = \mathrm{poly}(n)$.
At a high level, our technique here is reminiscent of Ishai and Paskin's method of evaluating
branching programs on encrypted data [IP07].

Evaluating $NC^1$ circuits with low noise blowup is a highly sought-after goal in the study of FHE
schemes. The reason is Gentry's bootstrapping theorem [Gen09b], which shows how to convert a
scheme with some homomorphic properties into a fully homomorphic one, assuming that it can
evaluate its own decryption circuit. Since the decryption circuit of the scheme in question lies
in $NC^1$, we can apply the bootstrapping theorem and obtain an FHE scheme with $q = \mathrm{poly}(n)$,
thus basing its security on the worst-case hardness of approximating lattice problems to within a
(somewhat large) polynomial factor.

To obtain the optimal approximation factor (up to an arbitrarily small $\varepsilon$), we employ our third
idea, namely a variant of the dimension-modulus reduction technique, originating in [BV11]. Our
noise analysis of the $NC^1$ scheme shows that in order to obtain parameters that are optimal up
to $\varepsilon$, the decryption circuit of our scheme must have depth at most $\varepsilon \cdot \log(n)/2$, which seems
unachievable. After all, an $NC^1$ circuit with $n$ inputs and depth less than $\log n$ cannot even look
at all the inputs! To solve this conundrum, we apply the dimension-modulus reduction technique,
which allows us to "shrink" the ciphertext into a "smaller copy" of the same scheme. We show that
by applying this method consecutively several times (as opposed to a single time as was done in
[BV11]), we can reduce the ciphertext to a small enough size that decrypting it becomes possible
in depth $\varepsilon \log(n)/2$. This allows us to obtain an FHE scheme based on the worst-case hardness of
approximating GapSVP within a factor of $\tilde{O}(n^{2+\varepsilon})$ by classical algorithms, or a factor of $\tilde{O}(n^{1.5+\varepsilon})$
by quantum algorithms.

Organization of the Paper. We start with some background and preliminaries: the reader
should consult Section 2.1 for background on Gaussian distributions, Section 2.2 for the learning
with errors problem, and Section 2.5 for homomorphic encryption. Our main result is described in
Section 3, where we construct a (leveled) FHE scheme secure under the polynomial LWE assumption.
We conclude in Section 4 by showing how to reduce and optimize the assumption to match the
best known LWE assumption for lattice-based PKE.

2  Preliminaries 

Matrices are denoted by bold-face capital letters, and vectors are denoted by bold-face small letters.
All logarithms are taken to base 2, unless otherwise specified. For an integer $q$, we define the set
$\mathbb{Z}_q = (-q/2, q/2] \cap \mathbb{Z}$. For any $x \in \mathbb{Q}$, we let $y = [x]_q$ denote the unique value $y \in (-q/2, q/2]$ such
that $y = x \pmod q$ (i.e. $y$ is congruent to $x$ modulo $q$).

We let $\kappa$ denote a security parameter. When we speak of a negligible function $\mathrm{negl}(\kappa)$, we
mean a function that grows slower than $1/\kappa^c$ for any constant $c > 0$ and sufficiently large values of
$\kappa$. When we say that an event happens with overwhelming probability, we mean that it happens
with probability at least $1 - \mathrm{negl}(\kappa)$ for some negligible function $\mathrm{negl}(\kappa)$. We denote $y = \tilde{O}_\kappa(x)$ if
$y = O(x \cdot \mathrm{polylog}(\kappa))$, and $y = \tilde{O}(x)$ if $y = \tilde{O}_x(x)$. The notation $\tilde{\Theta}_\kappa(\cdot)$, $\tilde{\Omega}_\kappa(\cdot)$ is defined analogously.

The security parameter underlies all of our constructions. The parameters $n$, $q$ etc. should all
be considered to be a function of the security parameter $\kappa$, which is chosen according to the level of
confidence desired by the user of the scheme. (The dimension of the LWE problem, defined below,
should be considered to be polynomially related to the security parameter.)

2.1  Gaussians  and  Discrete  Gaussians 

In this work we will only consider one-dimensional Gaussians, and one-dimensional discrete
Gaussians over the integers.

For $r > 0$, the (one-dimensional) Gaussian function $\rho_r : \mathbb{R} \to (0, 1]$ is defined as

$\rho_r(x) = \exp(-\pi |x|^2 / r^2)$.

The (spherical) continuous Gaussian distribution $D_r$ is the distribution with density function
proportional to $\rho_r$. The (one-dimensional, integer-coset) discrete Gaussian $D_{\mathbb{Z}-c, r}$ is the discrete
distribution supported on $\mathbb{Z} - c$ for $c \in \mathbb{R}$, whose probability mass function is proportional to $\rho_r$.

Gaussian Rounding. To achieve the tightest results, we will need to use a simple Gaussian
rounding procedure. The following is an immediate corollary of [BLP+13, Lemma 2.3].

Corollary 2.1. There exists a randomized procedure $\lfloor \cdot \rceil_G$ such that given $x \in \mathbb{R}$, it holds that
$y \leftarrow \lfloor x \rceil_G$ is such that $y - x \sim D_{\mathbb{Z}-x, 1}$.

In fact, a slightly smaller standard deviation is achievable, but we use 1 for the sake of simplicity.

Sum of Discrete Gaussians. We wish to bound the absolute value of a sum of discrete
Gaussians. The following are immediate corollaries from [Reg09, Corollary 3.10] and [GPV08,
Lemma 3.1].

Proposition 2.2. Let $\kappa \in \mathbb{N}$ be a security parameter. Then with all but $\mathrm{negl}(\kappa)$ probability, if
$x \sim D_r$, then $|x| \le r \cdot \omega(\sqrt{\log \kappa})$. Similarly, if $x \sim D_{\mathbb{Z}-c, r}$, then with all but negligible probability,
$|x| \le \max\{r, \omega(\sqrt{\log \kappa})\} \cdot \omega(\sqrt{\log \kappa})$.

Proposition 2.3. Let $\kappa$ be a security parameter. Let $n \in \mathbb{N}$, let $\mathbf{z} \in \{0,1\}^n$ and $\mathbf{c} \in \mathbb{R}^n$ be
arbitrary, and let $\mathbf{e} \sim D_{\mathbb{Z}^n - \mathbf{c}, r}$. Then with all but negligible probability

$|\langle \mathbf{z}, \mathbf{e} \rangle| \le \sqrt{n} \cdot \max\{r, \omega(\sqrt{\log \kappa})\} \cdot \omega(\sqrt{\log \kappa}) = \tilde{O}_\kappa(\sqrt{n}) \cdot r$.

Proposition 2.4. Let $\kappa \in \mathbb{N}$ be a security parameter. Let $n \in \mathbb{N}$, let $\mathbf{c} \in \mathbb{R}^n$ be arbitrary, let
$\mathbf{e} \sim D_{\mathbb{Z}^n - \mathbf{c}, r}$, and let $\mathbf{z} \in \{0,1\}^n$ be possibly dependent on $\mathbf{e}$. Then with all but negligible probability

$|\langle \mathbf{z}, \mathbf{e} \rangle| \le n \cdot \max\{r, \omega(\sqrt{\log \kappa})\} \cdot \omega(\sqrt{\log \kappa}) = \tilde{O}_\kappa(n) \cdot r$.

2.2  Learning  With  Errors  (LWE) 

The LWE problem was introduced by Regev [Reg05] as a generalization of "learning parity with
noise". For positive integers $n$ and $q \ge 2$, a vector $\mathbf{s} \in \mathbb{Z}_q^n$, and a probability distribution $\chi$ on $\mathbb{Z}$,
let $A_{\mathbf{s},\chi}$ be the distribution obtained by choosing a vector $\mathbf{a} \leftarrow \mathbb{Z}_q^n$ uniformly at random and a
noise term $e \leftarrow \chi$, and outputting $(\mathbf{a}, [\langle \mathbf{a}, \mathbf{s} \rangle + e]_q) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. Decisional LWE (DLWE) is defined
as follows.

Definition 2.5 (DLWE). For an integer $q = q(n)$ and an error distribution $\chi = \chi(n)$ over $\mathbb{Z}$, the
(average-case) decision learning with errors problem, denoted $\mathrm{DLWE}_{n,m,q,\chi}$, is to distinguish (with
non-negligible advantage) $m$ samples chosen according to $A_{\mathbf{s},\chi}$ (for uniformly random $\mathbf{s} \leftarrow \mathbb{Z}_q^n$), from
$m$ samples chosen according to the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$. We denote by $\mathrm{DLWE}_{n,q,\chi}$ the
variant where the adversary gets oracle access to $A_{\mathbf{s},\chi}$, and is not a-priori bounded in the number
of samples.

There are known quantum (Regev [Reg05]) and classical (Peikert [Pei09]) reductions between
$\mathrm{DLWE}_{n,m,q,\chi}$ and approximating short vector problems in lattices. Specifically, these reductions take
$\chi$ to be a discrete Gaussian distribution $D_{\mathbb{Z},\alpha q}$ for some $\alpha < 1$. We sometimes write $\mathrm{DLWE}_{n,m,q,\alpha}$
(resp. $\mathrm{DLWE}_{n,q,\alpha}$) to indicate this instantiation (it will be clear from the context when we use a
distribution $\chi$ and when a Gaussian parameter $\alpha$). We now state a corollary of the results of [Reg05,
Pei09] (in conjunction with the search to decision reduction of Micciancio and Mol [MM11] and
Micciancio and Peikert [MP11]). These results also extend to additional forms of $q$ (see [MM11,
MP11]).

Corollary 2.6 ([Reg05, Pei09, MM11, MP11]). Let $q = q(n) \in \mathbb{N}$ be either a prime power $q = p^r$,
or a product of co-prime numbers $q = \prod_i q_i$ such that for all $i$, $q_i = \mathrm{poly}(n)$, and let $\alpha \ge \sqrt{n}/q$. If
there is an efficient algorithm that solves the (average-case) $\mathrm{DLWE}_{n,q,\alpha}$ problem, then:

• There is an efficient quantum algorithm that solves $\mathrm{GapSVP}_{\tilde{O}(n/\alpha)}$ (and $\mathrm{SIVP}_{\tilde{O}(n/\alpha)}$) on any
$n$-dimensional lattice.

• If in addition $q \ge \tilde{O}(2^{n/2})$, then there is an efficient classical algorithm for $\mathrm{GapSVP}_{\tilde{O}(n/\alpha)}$ on
any $n$-dimensional lattice.

Recall that $\mathrm{GapSVP}_\gamma$ is the (promise) problem of distinguishing, given a basis for a lattice and
a parameter $d$, between the case where the lattice has a vector shorter than $d$, and the case where
the lattice doesn't have any vector shorter than $\gamma \cdot d$. SIVP is the search problem of finding a set
of "short" vectors. We refer the reader to [Reg05, Pei09] for more information.

The best known algorithms for $\mathrm{GapSVP}_\gamma$ ([Sch87]) require at least $2^{\tilde{\Omega}(n/\log \gamma)}$ time.

In this work, we will only consider the case where $q \le 2^n$. Furthermore, the underlying security
parameter $\kappa$ is assumed to be polynomially related to the dimension $n$.


2.3  Vector  Decomposition  and  Key  Switching 

We  show  how  to  decompose  vectors  in  a  way  that  makes  their  norm  smaller,  and  yet  preserves 
certain  inner  products.  Our  notation  is  generally  adopted  from  [BGV12]. 


Vector Decomposition. We often break vectors into their bit representations as defined below:

• $\mathrm{BitDecomp}_q(\mathbf{x})$: For $\mathbf{x} \in \mathbb{Z}^n$, let $w_{i,j} \in \{0,1\}$ be such that $\mathbf{x}[i] = \sum_{j=0}^{\lceil \log q \rceil - 1} 2^j \cdot w_{i,j} \pmod q$.
Output the vector

$(w_{1,\lceil \log q \rceil - 1}, \ldots, w_{1,0}, \ldots, w_{n,\lceil \log q \rceil - 1}, \ldots, w_{n,0}) \in \{0,1\}^{n \cdot \lceil \log q \rceil}$.

• $\mathrm{PowersOfTwo}_q(\mathbf{y})$: For $\mathbf{y} \in \mathbb{Z}^n$, output

$(2^{\lceil \log q \rceil - 1} \cdot \mathbf{y}[1], \ldots, 2\mathbf{y}[1], \mathbf{y}[1], \ldots, 2^{\lceil \log q \rceil - 1} \cdot \mathbf{y}[n], \ldots, 2\mathbf{y}[n], \mathbf{y}[n]) \in \mathbb{Z}_q^{n \cdot \lceil \log q \rceil}$.

We will usually omit the subscript $q$ when it is clear from the context.

Claim 2.7. For all $q \in \mathbb{N}$ and $\mathbf{x}, \mathbf{y} \in \mathbb{Z}^n$, it holds that

$\langle \mathbf{x}, \mathbf{y} \rangle = \langle \mathrm{BitDecomp}_q(\mathbf{x}), \mathrm{PowersOfTwo}_q(\mathbf{y}) \rangle \pmod q$.

Additionally, we define the procedure Flatten following [GSW13], along with the procedure
Combine. Let $\mathbf{g} = (2^{\lceil \log q \rceil - 1}, 2^{\lceil \log q \rceil - 2}, \ldots, 4, 2, 1) \in \mathbb{Z}^{\lceil \log q \rceil}$ and let $\mathbf{G} := \mathbf{g} \otimes \mathbf{I}_n \in \mathbb{Z}^{n \times (n \cdot \lceil \log q \rceil)}$
denote the tensor product of $\mathbf{g}$ with the $n$-by-$n$ identity matrix $\mathbf{I}_n$.

• $\mathrm{Combine}_q(\mathbf{z})$: For $\mathbf{z} \in \mathbb{Z}^{n \cdot \lceil \log q \rceil}$, output $[\mathbf{G} \cdot \mathbf{z}]_q \in \mathbb{Z}_q^n$.

• $\mathrm{Flatten}_q(\mathbf{z})$: For $\mathbf{z} \in \mathbb{Z}^{n \cdot \lceil \log q \rceil}$, output $\mathrm{BitDecomp}_q(\mathrm{Combine}(\mathbf{z})) \in \{0,1\}^{n \cdot \lceil \log q \rceil}$.

Claim 2.8. For all $q \in \mathbb{N}$, $\mathbf{x} \in \mathbb{Z}^n$ and $\mathbf{z} \in \mathbb{Z}^{n \cdot \lceil \log q \rceil}$, it holds that

$\langle \mathrm{PowersOfTwo}(\mathbf{x}), \mathbf{z} \rangle = \langle \mathrm{PowersOfTwo}(\mathbf{x}), \mathrm{Flatten}(\mathbf{z}) \rangle \pmod q$.

2.4  Partial  Randomization  Using  LWE 

We describe a procedure that allows us to partially randomize vectors while preserving their inner
product with an LWE secret $\mathbf{s}$. This procedure will be useful to us when trying to manipulate
ciphertexts that are a result of a homomorphic operation (and thus may have arbitrary dependence
on the public parameters).

Let $n, q, \alpha$ be parameters for the DLWE problem, let $\chi = D_{\mathbb{Z},\alpha q}$. Let $\mathbf{s} \in \mathbb{Z}_q^n$ be some (arbitrary)
vector.

• $\mathrm{RandParam}(\mathbf{s})$: Let $m = (n+1) \cdot (\log q + O(1))$. Sample $\mathbf{A} \leftarrow \mathbb{Z}_q^{m \times n}$ and $\mathbf{e} \leftarrow \chi^m$. Compute
$\mathbf{b} := [\mathbf{A} \cdot \mathbf{s} + \mathbf{e}]_q$, and define

$\mathbf{P}_{\mathrm{rand}} := [\mathbf{b} \| -\mathbf{A}] \in \mathbb{Z}_q^{m \times (n+1)}$.

Output $\mathbf{P}_{\mathrm{rand}}$.

We note that this is identical to the public key generation process in Regev's encryption scheme.

• $\mathrm{Rand}(\mathbf{P}_{\mathrm{rand}}, \mathbf{c})$: For $\mathbf{c} \in \mathbb{Z}_q^{n+1}$, sample $\mathbf{r} \leftarrow \{0,1\}^m$, and compute

$\mathbf{c}_{\mathrm{rand}} := [\mathbf{c} + \mathbf{r}^T \mathbf{P}_{\mathrm{rand}}]_q$.

Output $\mathbf{c}_{\mathrm{rand}}$.

The properties of this process are summarized below.

First, we state the security of our procedure, namely that $\mathbf{P}_{\mathrm{rand}}$ does not reveal information
about $\mathbf{s}$. The proof is straightforward and omitted.

Lemma 2.9. If $\mathbf{s}$ is uniformly sampled and $\mathbf{P}_{\mathrm{rand}} \leftarrow \mathrm{RandParam}(\mathbf{s})$, then under the $\mathrm{DLWE}_{n,q,\alpha}$
assumption, $\mathbf{P}_{\mathrm{rand}}$ is computationally indistinguishable from uniform.

Next, we state that the inner product of the randomized vector with $(1, \mathbf{s})$ does not change by
much.

Lemma 2.10. Let $\mathbf{s} \in \mathbb{Z}_q^n$ be arbitrary, and let $\mathbf{P}_{\mathrm{rand}} \leftarrow \mathrm{RandParam}(\mathbf{s})$. Let $\mathbf{c} \in \mathbb{Z}_q^{n+1}$ be arbitrary,
and $\mathbf{c}_{\mathrm{rand}} \leftarrow \mathrm{Rand}(\mathbf{P}_{\mathrm{rand}}, \mathbf{c})$, then there exists $\delta$ such that

$\langle \mathbf{c}, (1, \mathbf{s}) \rangle - \langle \mathbf{c}_{\mathrm{rand}}, (1, \mathbf{s}) \rangle = \delta \pmod q$,

and $|\delta| \le \tilde{O}_\kappa(\sqrt{n \log(q)}) \cdot \alpha q$ with all but $\mathrm{negl}(\kappa)$ probability.

Proof. We start by noting that

$\langle \mathbf{r}^T \mathbf{P}_{\mathrm{rand}}, (1, \mathbf{s}) \rangle = \langle \mathbf{r}, \mathbf{e} \rangle \pmod q$,

where $\mathbf{e}$ is the noise used to generate $\mathbf{P}_{\mathrm{rand}}$. Using Proposition 2.3, the result follows. □

Finally, we state the randomization property of our procedure.

Lemma 2.11. Let $q \le 2^n$. Let $\mathbf{s} \in \mathbb{Z}_q^n$ be arbitrary, and let $\mathbf{P}_{\mathrm{rand}} \leftarrow \mathrm{RandParam}(\mathbf{s})$. Let
$\mathbf{f} \leftarrow D_{\mathbb{Z}^{(n+1) \cdot \lceil \log q \rceil}, t}$ for some $t$, and let $\mathbf{c} \in \mathbb{Z}_q^{n+1}$ be arbitrary (possibly dependent on $\mathbf{f}$). Finally, let
$\mathbf{c}_{\mathrm{rand}} \leftarrow \mathrm{Rand}(\mathbf{P}_{\mathrm{rand}}, \mathbf{c})$, then

$|\langle \mathrm{BitDecomp}_q(\mathbf{c}_{\mathrm{rand}}), \mathbf{f} \rangle| \le \tilde{O}_\kappa(\sqrt{n \log(q)}) \cdot t$,

with all but $\mathrm{negl}(\kappa)$ probability.

Proof. By the leftover hash lemma, the last $n$ coordinates of $\mathbf{c}_{\mathrm{rand}}$ are distributed uniformly, and
independently of $\mathbf{f}, \mathbf{c}$. By Proposition 2.3, this part of $\mathbf{c}_{\mathrm{rand}}$ contributes $\tilde{O}_\kappa(\sqrt{n \log(q)}) \cdot t$ to the
inner product (with all but negligible probability).

The first coordinate of $\mathbf{c}_{\mathrm{rand}}$ may have dependence on $\mathbf{f}$, but it only decomposes to $O(\log q)$ bits,
and therefore by Proposition 2.4, its contribution to the inner product is at most $\tilde{O}_\kappa(\log(q)) \cdot t$, with
all but negligible probability. Recalling that $q \le 2^n$, this is at most $\tilde{O}_\kappa(\sqrt{n \log(q)}) \cdot t$.

The union bound completes the proof. □

2.5  Homomorphic  Encryption  and  Bootstrapping 

We now define homomorphic encryption and introduce Gentry's bootstrapping theorem. Our
definitions are mostly taken from [BV11, BGV12].

A homomorphic (public-key) encryption scheme $\mathrm{HE} = (\mathrm{HE.Keygen}, \mathrm{HE.Enc}, \mathrm{HE.Dec}, \mathrm{HE.Eval})$ is
a quadruple of ppt algorithms as follows ($\kappa$ is the security parameter):

• Key generation $(pk, evk, sk) \leftarrow \mathrm{HE.Keygen}(1^\kappa)$: Outputs a public encryption key $pk$, a public
evaluation key $evk$ and a secret decryption key $sk$.²

• Encryption $c \leftarrow \mathrm{HE.Enc}_{pk}(\mu)$: Using the public key $pk$, encrypts a single bit message $\mu \in \{0,1\}$
into a ciphertext $c$.

• Decryption $\mathrm{HE.Dec}_{sk}(c)$: Using the secret key $sk$, decrypts a ciphertext $c$ to recover the
message $\mu \in \{0,1\}$.

• Homomorphic evaluation $c_f \leftarrow \mathrm{HE.Eval}_{evk}(f, c_1, \ldots, c_\ell)$: Using the evaluation key $evk$, applies
a function $f : \{0,1\}^\ell \to \{0,1\}$ to $c_1, \ldots, c_\ell$, and outputs a ciphertext $c_f$.

² We adopt the terminology of [BV11] that treats the evaluation key as a separate entity from the public key.
A homomorphic encryption scheme is said to be secure if it is semantically secure (note that
the adversary is given both $pk$ and $evk$).

Homomorphism w.r.t. depth-bounded circuits and full homomorphism are defined next:

Definition 2.12 (compactness and full homomorphism). A homomorphic encryption scheme is
compact if its decryption circuit is independent of the evaluated function. A compact scheme is
(pure) fully homomorphic if it can evaluate any efficiently computable function. The scheme is
leveled fully homomorphic if it takes $1^L$ as additional input in key generation, and can only evaluate
depth-$L$ Boolean circuits.

Gentry's bootstrapping theorem shows how to go from a limited amount of homomorphism to
full homomorphism. This method has to do with the augmented decryption circuit.

Definition 2.13. Consider a homomorphic encryption scheme HE. Let $(sk, pk, evk)$ be properly
generated keys and let $\mathcal{C}$ be the set of properly decryptable ciphertexts. Then the set of augmented
decryption functions, $\{f_{c_1,c_2}\}_{c_1,c_2 \in \mathcal{C}}$, is defined by $f_{c_1,c_2}(x) = \mathrm{HE.Dec}_x(c_1)\ \bar{\wedge}\ \mathrm{HE.Dec}_x(c_2)$. Namely,
the function that uses its input as secret key, decrypts $c_1, c_2$ and returns the NAND of the results.

The bootstrapping theorem is thus as follows.

Theorem 2.14 (bootstrapping [Gen09b, Gen09a]). A scheme that can homomorphically evaluate
its family of augmented decryption circuits can be transformed into a leveled fully homomorphic
encryption scheme with the same decryption circuit, ciphertext space and public key.

Furthermore, if the aforementioned scheme is also weakly circular secure (remains secure even
against an adversary who gets encryptions of the bits of the secret key), then it can be made into a
pure fully homomorphic encryption scheme.

3  Our  FHE  Scheme 

In this section, we describe an FHE scheme secure under a polynomial LWE assumption which,
using known reductions [Reg05, Pei09], translates to the worst-case hardness of solving various
lattice problems to within polynomial approximation factors. We start with the basic encryption
scheme in Section 3.1, and describe "proto-homomorphic" addition and multiplication subroutines
in Section 3.2. Departing from the "conventional wisdom" in FHE, our circuit evaluation procedure
in Section 3.3 will not be a naive combination of these proto-homomorphic operations, but rather
a carefully designed procedure that manages the noise growth effectively.

Finally, in Section 3.4, we put this all together to get our FHE scheme under the decisional
LWE assumption $\mathrm{DLWE}_{n,q,\alpha}$ with $\alpha = n^{-c}$ for some constant $c > 0$. This polynomial factor is
rather large: thus, in Section 4, we apply a carefully designed variant of the dimension-modulus
reduction procedure of [BV11] to obtain our final FHE scheme that is secure under the hardness of
$\mathrm{DLWE}_{n,q,\alpha}$ with $\alpha \le 1/\tilde{O}_\kappa(n^{\varepsilon} \cdot \sqrt{n \log(q)})$, which is the weakest LWE hardness assumption that underlies
the (non-homomorphic) lattice-based PKE schemes [AD97, Reg04, Reg05, Pei09, BLP+13].

3.1  The  Basic  Encryption  Scheme 

Our basic encryption scheme closely follows the Gentry-Sahai-Waters FHE scheme [GSW13]. We
refer the reader to Section 2.3 for the description of the vector decomposition routines PowersOfTwo,
BitDecomp and Flatten used in the scheme below.

System Parameters. Let $n$ be the LWE dimension and $q$ be an LWE modulus. Define $N :=
(n+1) \cdot \lceil \log q \rceil$. Let $d$ denote the maximal homomorphism depth that is allowed by the scheme.
Let $\chi$ be an error distribution over $\mathbb{Z}$. Typically $\chi$ will be a discrete Gaussian $D_{\mathbb{Z},\alpha q}$ for $\alpha =
1/\tilde{O}_\kappa(\sqrt{n \log(q)} \cdot 4^d)$. Recall that we identify $\mathbb{Z}_q$ with the set $(-q/2, q/2] \cap \mathbb{Z}$.

• $\mathrm{NCCrypt.Keygen}(1^n, q, 4^d)$: Sample a vector $\mathbf{s} \leftarrow \mathbb{Z}_q^n$. Let $m = (n+1) \cdot (\log q + O(1))$. Sample
$\mathbf{A} \leftarrow \mathbb{Z}_q^{m \times n}$ and $\mathbf{e} \leftarrow \chi^m$. Compute $\mathbf{b} := [\mathbf{A} \cdot \mathbf{s} + \mathbf{e}]_q$, and define

$\mathbf{P} := [\mathbf{b} \| -\mathbf{A}] \in \mathbb{Z}_q^{m \times (n+1)}$.

Output $sk = \mathbf{s}$ and $pk = evk = \mathbf{P}$.

We describe public-key as well as secret-key encryption algorithms. Looking ahead, we remark
that a secret-key encryption of $\mu$ is somewhat less "noisy" than a public-key encryption of $\mu$.

• $\mathrm{NCCrypt.PubEnc}(pk, \mu)$: To encrypt a bit $\mu \in \{0,1\}$, using the public key $pk = \mathbf{P}$, we let
$\mathbf{R} \leftarrow \{0,1\}^{N \times m}$, and output the ciphertext

$\mathbf{C} = \mathrm{Flatten}(\mathrm{BitDecomp}(\mathbf{R} \cdot \mathbf{P}) + \mu \cdot \mathbf{I}) \in \{0,1\}^{N \times N}$.

• $\mathrm{NCCrypt.SecEnc}(sk, \mu)$: A symmetric encryption of a bit $\mu \in \{0,1\}$, using the secret key
$sk = \mathbf{s}$, is performed by sampling $\mathbf{A} \leftarrow \mathbb{Z}_q^{N \times n}$ and $\mathbf{e} \leftarrow \chi^N$, computing $\mathbf{b} := [\mathbf{A} \cdot \mathbf{s} + \mathbf{e}]_q$, and
defining

$\mathbf{C} = \mathrm{Flatten}(\mathrm{BitDecomp}([\mathbf{b} \| -\mathbf{A}]) + \mu \cdot \mathbf{I}) \in \{0,1\}^{N \times N}$.

• $\mathrm{NCCrypt.Dec}(sk, \mathbf{C})$: Let $\mathbf{c}$ be the second row of $\mathbf{C}$. We use standard Regev decryption on $\mathbf{c}$.
Namely, we output $\mu^* = 0$ if $|[\langle \mathbf{c}, \mathrm{PowersOfTwo}(1, \mathbf{s}) \rangle]_q| < q/8$, and $\mu^* = 1$ otherwise.

Correctness. In order to show correctness of this scheme, we analyze the noise magnitude of
ciphertexts produced by both the public-key and secret-key encryption algorithms. As we will
show shortly, for ciphertexts $\mathbf{C}$ produced by either encryption algorithm, we have

$\mathbf{C} \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \mu \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) + \mathbf{e} \pmod q$

for a noise vector $\mathbf{e}$ of "small magnitude". This motivates our definition of the noise in the ciphertext
$\mathbf{C}$ with respect to a secret key vector $\mathbf{s}$ and a message $\mu$ as follows.

Definition 3.1. For every $\mathbf{C} \in \{0,1\}^{N \times N}$, $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mu \in \mathbb{Z}$, we define

$\mathrm{noise}_{\mathbf{s},\mu}(\mathbf{C}) = \|(\mathbf{C} - \mu \mathbf{I}) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) \pmod q\|_\infty$.

The significance of this definition is captured by the following claims. The first claim shows
that any ciphertext with small noise is decrypted correctly.

Lemma 3.2. For every $\mathbf{C} \in \{0,1\}^{N \times N}$, $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mu \in \{0,1\}$ such that $\mathrm{noise}_{\mathbf{s},\mu}(\mathbf{C}) < q/8$,

$\mathrm{NCCrypt.Dec}(\mathbf{s}, \mathbf{C}) = \mu$.
Proof. Since $\mathrm{noise}_{\mathbf{s},\mu}(\mathbf{C}) < q/8$, we have

$\mathbf{C} \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \boldsymbol{\eta} + \mu \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) \pmod q$

where $\|\boldsymbol{\eta}\|_\infty < q/8$. Thus, for the second row $\mathbf{c}$ of $\mathbf{C}$ it holds that

$\langle \mathbf{c}, \mathrm{PowersOfTwo}(1, \mathbf{s}) \rangle = \eta + 2^{\lceil \log q \rceil - 2} \cdot \mu \pmod q$

where $\eta$ is the second coordinate of $\boldsymbol{\eta}$, so $|\eta| < q/8$. Thus, when $\mu = 0$,

$|[\langle \mathbf{c}, \mathrm{PowersOfTwo}(1, \mathbf{s}) \rangle]_q| = |\eta| < q/8$.

When $\mu = 1$,

$|[\langle \mathbf{c}, \mathrm{PowersOfTwo}(1, \mathbf{s}) \rangle]_q| \ge q/4 - |\eta| > q/8$

since $q/4 \le 2^{\lceil \log q \rceil - 2} < q/2$. This shows correctness of decryption for ciphertexts with small
noise. □

The next claim demonstrates parameter settings for which the (public key and secret key)
encryption algorithms produce ciphertexts with small noise.

Lemma 3.3. Let $n$ be the LWE dimension, $q$ be the LWE modulus and $\chi = D_{\mathbb{Z},\alpha q}$ be the discrete
Gaussian distribution. Then, for every $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mu \in \{0,1\}$,

• for $\mathbf{C}_{\mathrm{pub}} \leftarrow \mathrm{NCCrypt.PubEnc}(pk, \mu)$, we have $\mathrm{noise}_{\mathbf{s},\mu}(\mathbf{C}_{\mathrm{pub}}) = \tilde{O}_\kappa(\alpha q \cdot \sqrt{m})$;

• for $\mathbf{C}_{\mathrm{sec}} \leftarrow \mathrm{NCCrypt.SecEnc}(sk, \mu)$, we have $\mathrm{noise}_{\mathbf{s},\mu}(\mathbf{C}_{\mathrm{sec}}) = \tilde{O}_\kappa(\alpha q)$;

with all but negligible (in $\kappa$) probability over the coins of NCCrypt.Keygen.

In particular, we have correctness of decryption for the public key encryption for $\alpha < 1/\tilde{\Omega}_\kappa(\sqrt{m})$,
and for the secret key encryption for $\alpha < 1/\tilde{\Omega}_\kappa(1)$.

Proof. We first show the analysis for the public-key encryption. All equalities below are modulo $q$.

$\mathbf{C}_{\mathrm{pub}} \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \mathrm{Flatten}(\mathrm{BitDecomp}(\mathbf{R} \cdot \mathbf{P}) + \mu \cdot \mathbf{I}) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= (\mathrm{BitDecomp}(\mathbf{R} \cdot \mathbf{P}) + \mu \cdot \mathbf{I}) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= \mathbf{R} \cdot \mathbf{P} \cdot (1, \mathbf{s})^T + \mu \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= \mathbf{R} \cdot \mathbf{e} + \mu \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

Thus, by Proposition 2.3,

$\mathrm{noise}(\mathbf{C}_{\mathrm{pub}}) = \|\mathbf{R} \cdot \mathbf{e}\|_\infty = \tilde{O}_\kappa(\sqrt{m} \cdot \alpha q)$.

This is less than $q/8$ by the choice of $\alpha < 1/\tilde{\Omega}_\kappa(\sqrt{m})$.

The analysis for the secret key encryption follows analogously, except that

$\mathbf{C}_{\mathrm{sec}} \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \mathbf{e} + \mu \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$.

Thus,

$\mathrm{noise}(\mathbf{C}_{\mathrm{sec}}) = \|\mathbf{e}\|_\infty = \tilde{O}_\kappa(\alpha q)$,

which is less than $q/8$ by the choice of $\alpha < 1/\tilde{\Omega}_\kappa(1)$. □

Security. Semantic security of the scheme follows from the decisional LWE assumption $\mathrm{DLWE}_{n,q,\alpha}$,
similarly to Regev's encryption scheme (see [Reg05, BV11, GSW13] for similar arguments).

Complexity of Decryption. Our decryption algorithm is essentially the same as the decryption
algorithm in Regev's encryption scheme, the complexity of which has been thoroughly studied in
the context of FHE. The following is an immediate corollary from [BV11, Lemma 4.1].

Proposition 3.4. There exists a constant $c_{\mathrm{dec}}$ such that the decryption circuit of the scheme
NCCrypt, with parameters $n, q$, has depth at most $c_{\mathrm{dec}} \cdot \log(n \log q)$.

3.2  Proto-Homomorphic  Operations 

We now describe proto-homomorphic addition and multiplication algorithms which will be used
in Section 3.3 for homomorphic circuit evaluation. Departing from the "conventional wisdom" in
FHE, our circuit evaluation procedure will not be a naive combination of homomorphic addition
and multiplication, but a carefully designed procedure that manages the noise growth effectively.
To further stress the fact that we do not intend for these procedures to be used independently, we
call them proto-homomorphic operations.

Proto-Homomorphic Addition. This is a simple addition of the ciphertext matrices.

• $\mathrm{NCCrypt.ProtoAdd}(\mathbf{C}_1, \mathbf{C}_2)$: Output $\mathbf{C}_+ := \mathrm{Flatten}(\mathbf{C}_1 + \mathbf{C}_2)$.

Jumping ahead, we note that in our use of NCCrypt.ProtoAdd in Section 3.3, both $\mathbf{C}_1$ and $\mathbf{C}_2$
will be encryptions of bits, and at most one of them will be an encryption of 1. The following claim
analyzes the noise growth in homomorphic addition.

Claim 3.4.1 (Noise Growth in NCCrypt.ProtoAdd). For every $\mathbf{s} \in \mathbb{Z}_q^n$, $\mu_1, \mu_2 \in \mathbb{Z}$ and $\mathbf{C}_1, \mathbf{C}_2 \in
\{0,1\}^{N \times N}$, we have

$\mathrm{noise}_{\mathbf{s},\mu_1+\mu_2}(\mathrm{NCCrypt.ProtoAdd}(\mathbf{C}_1, \mathbf{C}_2)) \le \mathrm{noise}_{\mathbf{s},\mu_1}(\mathbf{C}_1) + \mathrm{noise}_{\mathbf{s},\mu_2}(\mathbf{C}_2)$.

Proof. Let $\mathbf{C}_+ \leftarrow \mathrm{NCCrypt.ProtoAdd}(\mathbf{C}_1, \mathbf{C}_2)$, and let $\mathbf{e}_i$ denote the noise vector of $\mathbf{C}_i$ with respect to
$\mathbf{s}$ and $\mu_i$. Working modulo $q$, we note that

$\mathbf{C}_+ \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \mathrm{Flatten}(\mathbf{C}_1 + \mathbf{C}_2) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= (\mathbf{C}_1 + \mathbf{C}_2) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= \mathbf{C}_1 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) + \mathbf{C}_2 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= (\mathbf{e}_1 + \mathbf{e}_2) + (\mu_1 + \mu_2) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

Thus, by the definition of $\mathrm{noise}_{\mathbf{s},\mu_1+\mu_2}$, we have

$\mathrm{noise}_{\mathbf{s},\mu_1+\mu_2}(\mathbf{C}_+) \le \mathrm{noise}_{\mathbf{s},\mu_1}(\mathbf{C}_1) + \mathrm{noise}_{\mathbf{s},\mu_2}(\mathbf{C}_2)$.

□
Homomorphic Multiplication. This is essentially a multiplication of the ciphertext matrices,
except that we randomize the first ciphertext.

• $\mathrm{NCCrypt.ProtoMult}(evk, \mathbf{C}_1, \mathbf{C}_2)$:

– Randomize $\mathbf{C}_1 \in \{0,1\}^{N \times N}$ into a matrix $\tilde{\mathbf{C}}_1 \in \{0,1\}^{N \times N}$ by replacing each row $\mathbf{c}$ in
$\mathbf{C}_1$ by the row

$\tilde{\mathbf{c}} \leftarrow \mathrm{BitDecomp}(\mathrm{Rand}(pk, \mathrm{Combine}(\mathbf{c})))$,

where Rand is the LWE randomization procedure from Section 2.4.

– Output $\mathbf{C}_\times \leftarrow \mathrm{Flatten}(\tilde{\mathbf{C}}_1 \cdot \mathbf{C}_2)$.

Jumping ahead, we remark that when we use NCCrypt.ProtoMult in our homomorphic circuit
evaluation in Section 3.3, the first ciphertext will be an "evaluated ciphertext" (namely, a result
of previous homomorphic evaluations), whereas the second ciphertext will be a "fresh ciphertext"
(namely an output of the secret key encryption algorithm).

The first new idea in this work is that while the order of the arguments does not matter in
homomorphic addition, the homomorphic multiplication algorithm NCCrypt.ProtoMult is inherently
asymmetric, since it is essentially the (non-commutative) matrix multiplication operation. This
asymmetry turns out to be the key to achieving improved noise growth, as Claim 3.4.2 below will
demonstrate.

Claim 3.4.2 (Noise Growth in NCCrypt.ProtoMult). For every $\mathbf{s} \in \mathbb{Z}_q^n$, $\mu_1 \in \mathbb{Z}$, $\mu_2 \in \{0,1\}$, $\mathbf{C}_1 \in
\{0,1\}^{N \times N}$ and $\mathbf{C}_2 \leftarrow \mathrm{NCCrypt.SecEnc}(sk, \mu_2)$, we have

$\mathrm{noise}_{\mathbf{s},\mu_1 \mu_2}(\mathrm{NCCrypt.ProtoMult}(\mathbf{C}_1, \mathbf{C}_2)) \le |\mu_2| \cdot \mathrm{noise}_{\mathbf{s},\mu_1}(\mathbf{C}_1) + \tilde{O}_\kappa(\alpha q \cdot n \log q)$

with all but negligible probability over the randomness of NCCrypt.Keygen, NCCrypt.SecEnc and
NCCrypt.ProtoMult.

Remark. In words, Claim 3.4.2 says that if $\mu_2 \in \{0,1\}$ (as will be the case in our homomorphic
circuit evaluation in Section 3.3), the noise in $\mathbf{C}_\times$ is at most the noise in $\mathbf{C}_1$, plus a fixed additive
term. What's more, if $\mu_2 = 0$, then the noise in $\mathbf{C}_\times$ is independent of that in $\mathbf{C}_1$! These two facts
are the key new ideas that enable our main result.

Proof (of Claim 3.4.2). Let $\mathbf{C}_\times \leftarrow \mathrm{NCCrypt.ProtoMult}(evk, \mathbf{C}_1, \mathbf{C}_2)$. Let $\mathbf{e}_2$ be the noise vector of the
fresh ciphertext $\mathbf{C}_2$, let $\mathbf{e}_1$ be the noise vector of $\mathbf{C}_1$, and let $\tilde{\mathbf{e}}_1$ be the noise vector of the randomized
ciphertext $\tilde{\mathbf{C}}_1$ (all with respect to $\mathbf{s}$ and the respective message). Working modulo $q$, note that

$\mathbf{C}_\times \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}) = \mathrm{Flatten}(\tilde{\mathbf{C}}_1 \cdot \mathbf{C}_2) \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= \tilde{\mathbf{C}}_1 \cdot (\mathbf{C}_2 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}))$

$= \tilde{\mathbf{C}}_1 \cdot (\mathbf{e}_2 + \mu_2 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}))$

$= \tilde{\mathbf{C}}_1 \cdot \mathbf{e}_2 + \mu_2 \cdot \tilde{\mathbf{C}}_1 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$

$= \tilde{\mathbf{C}}_1 \cdot \mathbf{e}_2 + \mu_2 \cdot (\tilde{\mathbf{e}}_1 + \mu_1 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s}))$

$= (\tilde{\mathbf{C}}_1 \cdot \mathbf{e}_2 + \mu_2 \cdot \tilde{\mathbf{e}}_1) + \mu_1 \mu_2 \cdot \mathrm{PowersOfTwo}(1, \mathbf{s})$   (1)

Since $\mathbf{e}_2 \leftarrow D_{\mathbb{Z},\alpha q}^N$ and each row of $\tilde{\mathbf{C}}_1 \in \{0,1\}^{N \times N}$ is the result of Rand, by Lemma 2.11, we have

$\|\tilde{\mathbf{C}}_1 \cdot \mathbf{e}_2\|_\infty \le \tilde{O}_\kappa(\alpha q \cdot \sqrt{n \log q})$   (2)

with all but negligible probability. Also, by Lemma 2.10, we have

$\|\tilde{\mathbf{e}}_1\|_\infty \le \|\mathbf{e}_1\|_\infty + \tilde{O}_\kappa(\alpha q \cdot \sqrt{n \log q})$   (3)

with all but negligible probability.

Putting together Eq. (1), (2) and (3), we have

$\mathrm{noise}_{\mathbf{s},\mu_1 \mu_2}(\mathbf{C}_\times) \le \|\tilde{\mathbf{C}}_1 \cdot \mathbf{e}_2\|_\infty + |\mu_2| \cdot \|\tilde{\mathbf{e}}_1\|_\infty \le |\mu_2| \cdot \mathrm{noise}_{\mathbf{s},\mu_1}(\mathbf{C}_1) + \tilde{O}_\kappa(\alpha q \cdot \sqrt{n \log q})$,

which finishes the proof.

□
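The following is an added Python example, not code from the paper, that implements a toy version of Sections 2.3, 2.4, 3.1 and 3.2 end to end: BitDecomp, PowersOfTwo, Combine and Flatten (Claims 2.7 and 2.8), RandParam/Rand, NCCrypt.Keygen/PubEnc/SecEnc/Dec, the noise of Definition 3.1, and ProtoAdd/ProtoMult. Everything beyond the paper's notation is an assumption of this example: the parameters ($n = 4$, $q = 2^{12}$, the $O(1)$ in $m$ taken as 2) are constructed and far too small for security, bounded uniform noise in $[-B, B]$ stands in for the discrete Gaussian $D_{\mathbb{Z},\alpha q}$, and all function names are mine. `sequential_product` multiplies fresh secret-key encryptions left to right, which exhibits the additive noise growth of Claim 3.4.2: with this noise model each multiplication adds at most $(N + m) \cdot B$ to the noise, no matter how many factors came before.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
n, q = 4, 2 ** 12              # LWE dimension and modulus
ell = (q - 1).bit_length()     # ceil(log2 q)
N = (n + 1) * ell              # ciphertext dimension of Section 3.1
m = (n + 1) * (ell + 2)        # rows of P; the O(1) in (n+1)(log q + O(1)) is taken as 2
B = 2                          # uniform noise in [-B, B] stands in for D_{Z, alpha q}

def cmod(x):
    """Centered representative [x]_q in (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def inner(u, v):
    return cmod(sum(a * b for a, b in zip(u, v)))

def bit_decomp(x):
    """BitDecomp_q: every coordinate (reduced mod q) becomes ell bits, most significant first."""
    return [(xi % q >> j) & 1 for xi in x for j in range(ell - 1, -1, -1)]

def powers_of_two(y):
    """PowersOfTwo_q: (2^{ell-1} y[i], ..., 2 y[i], y[i]) for every coordinate i."""
    return [cmod(yi << j) for yi in y for j in range(ell - 1, -1, -1)]

def combine(z):
    """Combine_q: [G z]_q with G = g (x) I, i.e. every block of ell entries is recombined."""
    return [cmod(sum(z[i * ell + k] << (ell - 1 - k) for k in range(ell)))
            for i in range(len(z) // ell)]

def flatten(z):
    """Flatten_q = BitDecomp_q(Combine_q(.)); keeps <PowersOfTwo(x), .> mod q (Claim 2.8)."""
    return bit_decomp(combine(z))

def lwe_row(s):
    """One row (b, -a) with b = <a, s> + e, the building block of Keygen, RandParam and SecEnc."""
    a = [random.randrange(q) for _ in range(n)]
    return [cmod(inner(a, s) + random.randint(-B, B))] + [cmod(-ai) for ai in a]

def keygen():
    """NCCrypt.Keygen: sk = s, pk = evk = P = [b || -A]; P is also RandParam(s)."""
    s = [random.randrange(q) for _ in range(n)]
    return s, [lwe_row(s) for _ in range(m)]

def rand(P, c):
    """Rand(P_rand, c) of Section 2.4: c + r^T P for uniform r in {0,1}^m."""
    r = [random.randint(0, 1) for _ in range(m)]
    return [cmod(c[j] + sum(P[k][j] for k in range(m) if r[k])) for j in range(n + 1)]

def _gsw_encrypt(rows, mu):
    """Flatten(BitDecomp(rows) + mu * I), the common tail of PubEnc and SecEnc."""
    C = []
    for i, row in enumerate(rows):
        bits = bit_decomp(row)
        bits[i] += mu
        C.append(flatten(bits))
    return C

def pub_enc(P, mu):
    """NCCrypt.PubEnc: row i of R P is r_i^T P, i.e. Rand(P, 0)."""
    return _gsw_encrypt([rand(P, [0] * (n + 1)) for _ in range(N)], mu)

def sec_enc(s, mu):
    """NCCrypt.SecEnc: N fresh LWE rows instead of subset sums of the public ones."""
    return _gsw_encrypt([lwe_row(s) for _ in range(N)], mu)

def dec(s, C):
    """NCCrypt.Dec: Regev decryption of the second row, whose weight 2^{ell-2} is q/4 here."""
    return 0 if abs(inner(C[1], powers_of_two([1] + s))) < q / 8 else 1

def noise(s, mu, C):
    """Definition 3.1: || (C - mu I) PowersOfTwo(1, s) mod q ||_inf."""
    w = powers_of_two([1] + s)
    return max(abs(cmod(inner(C[i], w) - mu * w[i])) for i in range(N))

def proto_add(C1, C2):
    """NCCrypt.ProtoAdd: Flatten(C1 + C2), row by row."""
    return [flatten([a + b for a, b in zip(r1, r2)]) for r1, r2 in zip(C1, C2)]

def proto_mult(P, C1, C2):
    """NCCrypt.ProtoMult: re-randomize every row of C1 with Rand, then Flatten(C1~ C2)."""
    C1r = [bit_decomp(rand(P, combine(c))) for c in C1]
    return [flatten([sum(C2[k][j] for k in range(N) if row[k]) for j in range(N)])
            for row in C1r]

def sequential_product(s, P, bits):
    """Multiply fresh secret-key encryptions of `bits` left to right (the order Section 3.3
    relies on); returns the final ciphertext and the noise measured after every step."""
    acc, prod = sec_enc(s, bits[0]), bits[0]
    trace = [noise(s, prod, acc)]
    for b in bits[1:]:
        acc, prod = proto_mult(P, acc, sec_enc(s, b)), prod & b
        trace.append(noise(s, prod, acc))
    return acc, trace
```

With these parameters $q/8 = 512$, so a left-to-right product of a handful of ciphertexts stays decryptable, while multiplying an evaluated ciphertext by a fresh encryption of 0 leaves a ciphertext whose noise is at most $N \cdot B$ regardless of the accumulated noise, which is the asymmetry the Remark after Claim 3.4.2 points out.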


3.3  Homomorphic  Evaluation  of  Circuits 

We  now  describe  how  to  homomorphically  evaluate  a  Boolean  circuit  T  with  two- input  NAND  gates 
that  takes  t  inputs,  and  has  depth  d.  In  particular,  our  scheme  will  be  able  to  evaluate  circuits 
of  depth  c  •  logn  (for  any  constant  c)  under  a  polynomial  LWE  assumption,  namely  DLWE„i(?)X 
where  x  =  and  a  =  1  /n®(c7  Since  the  depth  of  the  decryption  circuit  is  Cdec  •  log(nlog(g))  < 
2cdec  •  log(n)  (for  some  constant  Cdec  >  0),  the  scheme  is  bootstrappable,  and  by  the  bootstrapping 
theorem  (Theorem  2.14),  we  get  a  leveled  FHE  scheme  under  the  same  assumption. 

To  evaluate  a  circuit,  our  scheme  first  turns  it  into  a  width-5  permutation  branching  pro¬ 
gram  [BDFP86,  Bar89],  a  model  of  computation  that  we  describe  below. 

Width-5 Permutation Branching Programs. A permutation branching program $\Pi$ of length $L$ with input space $\{0,1\}^\ell$ is a sequence of $L$ tuples of the form $(\mathrm{var}(t), \sigma_{t,0}, \sigma_{t,1})$ where

•  $\mathrm{var} : [L] \to [\ell]$ is a function that associates the $t$-th tuple with an input bit $x_{\mathrm{var}(t)}$;

•  $\sigma_{t,0}$ and $\sigma_{t,1}$ are permutations on 5 elements. We will think of $\sigma_{t,0}$ and $\sigma_{t,1}$ as bijective functions from the set $\{1, 2, 3, 4, 5\}$ to itself.

The computation of the program $\Pi$ on input $x = (x_1, \ldots, x_\ell)$ proceeds as follows. The state of the computation at any point in time $t$ is a number $\zeta_t \in \{1, 2, 3, 4, 5\}$. Computation starts with the initial state $\zeta_0 = 1$. The state $\zeta_t$ is computed recursively as

$$\zeta_t = \sigma_{t, x_{\mathrm{var}(t)}}(\zeta_{t-1})$$

Finally, after $L$ steps, our state is $\zeta_L$. The output of the computation is 1 if $\zeta_L = 1$, and 0 otherwise.

To manage the growth of noise in homomorphic evaluation, we need to work with bits rather than numbers. Thus, we prefer to represent the state $\zeta_t \in \{1, 2, 3, 4, 5\}$ by a 0-1 vector $\mathbf{v}_t$ which is the unit vector $\mathbf{u}_{\zeta_t}$ in 5 dimensions.

The computation then proceeds as follows. The idea is that $\mathbf{v}_t[i] = 1$ if and only if $\sigma_{t, x_{\mathrm{var}(t)}}(\zeta_{t-1}) = i$. Turning this around, $\mathbf{v}_t[i] = 1$ if and only if either:

•  $\mathbf{v}_{t-1}[\sigma_{t,0}^{-1}(i)] = 1$ and $x_{\mathrm{var}(t)} = 0$; or

•  $\mathbf{v}_{t-1}[\sigma_{t,1}^{-1}(i)] = 1$ and $x_{\mathrm{var}(t)} = 1$.




The following formula captures this condition. For $t = 1, \ldots, L$, and $i \in \{1, 2, 3, 4, 5\}$, we have:

$$
\begin{aligned}
\mathbf{v}_t[i] &:= \mathbf{v}_{t-1}[\sigma_{t,0}^{-1}(i)] \cdot (1 - x_{\mathrm{var}(t)}) + \mathbf{v}_{t-1}[\sigma_{t,1}^{-1}(i)] \cdot x_{\mathrm{var}(t)} \\
&= \mathbf{v}_{t-1}[\gamma_{t,i,0}] \cdot (1 - x_{\mathrm{var}(t)}) + \mathbf{v}_{t-1}[\gamma_{t,i,1}] \cdot x_{\mathrm{var}(t)} \qquad (4)
\end{aligned}
$$

where $\gamma_{t,i,0} = \sigma_{t,0}^{-1}(i)$ and $\gamma_{t,i,1} = \sigma_{t,1}^{-1}(i)$ are constants that are publicly computable given the description of the branching program. It is this form that we will work with in our homomorphic evaluation.

The important property that we will use is that circuits of depth $d$ can be simulated by branching programs of length $L = 4^d$.

Theorem 3.5 (Barrington's Theorem [Bar89]). Every Boolean NAND circuit $\Psi$ that acts on $\ell$ inputs and has depth $d$ can be computed by a width-5 permutation branching program $\Pi$ of length $4^d$. Given the description of the circuit $\Psi$, the description of the branching program $\Pi$ can be computed in $\mathrm{poly}(\ell, 4^d)$ time.
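The branching-program model above, worked through in code. This is an added illustration and not code from the report: it builds a width-5 permutation branching program for a NAND circuit with the commutator construction behind Theorem 3.5, then evaluates it both by the state recursion $\zeta_t = \sigma_{t,x_{\mathrm{var}(t)}}(\zeta_{t-1})$ and by the 0-1 vector recursion of Eq. (4), checking that the two agree with the circuit on every input and that the length is $4^d$. The particular 5-cycles, the nested-tuple circuit encoding and the helper names are my choices for the illustration.

```python
"""Width-5 permutation branching programs for NAND circuits (constructed illustration).

Permutations on {1,...,5} are tuples p with p[i-1] = image of i.  A program is a list
of tuples (var, sigma_0, sigma_1) with var a 1-based input index, exactly as above.
"""
from itertools import product

ID = (1, 2, 3, 4, 5)


def compose(p, q):
    """(p o q)(i) = p(q(i))."""
    return tuple(p[q[i] - 1] for i in range(5))


def inverse(p):
    inv = [0] * 5
    for i, img in enumerate(p, start=1):
        inv[img - 1] = i
    return tuple(inv)


def cycle(*elems):
    """The cyclic permutation (e_1 e_2 ... e_m) on {1,...,5}."""
    p = list(ID)
    for a, b in zip(elems, elems[1:] + elems[:1]):
        p[a - 1] = b
    return tuple(p)


def is_five_cycle(p):
    """True iff the orbit of 1 under p contains all 5 elements (then p has no fixed point)."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = p[x - 1]
    return len(seen) == 5


def run_direct(program, x):
    """State recursion zeta_t = sigma_{t, x_var(t)}(zeta_{t-1}), zeta_0 = 1; output 1 iff zeta_L = 1."""
    zeta = 1
    for var, s0, s1 in program:
        zeta = (s1 if x[var - 1] else s0)[zeta - 1]
    return 1 if zeta == 1 else 0


def run_vector(program, x):
    """Eq. (4): v_t[i] = v_{t-1}[gamma_{t,i,0}] (1 - x_var(t)) + v_{t-1}[gamma_{t,i,1}] x_var(t)."""
    v = [1, 0, 0, 0, 0]                                   # u_1, the unit vector of state 1
    for var, s0, s1 in program:
        g0, g1, bit = inverse(s0), inverse(s1), x[var - 1]   # g0[i-1] = sigma_{t,0}^{-1}(i), likewise g1
        v = [v[g0[i] - 1] * (1 - bit) + v[g1[i] - 1] * bit for i in range(5)]
    return v[0]                                           # v_L[1]


# Two 5-cycles whose commutator gamma^-1 beta^-1 gamma beta is again a 5-cycle.
BETA = cycle(1, 2, 3, 4, 5)
GAMMA = cycle(1, 3, 5, 4, 2)
DELTA = compose(inverse(GAMMA), compose(inverse(BETA), compose(GAMMA, BETA)))
assert is_five_cycle(DELTA)


def conjugator(rho, tau):
    """A permutation pi with pi o rho o pi^-1 = tau, for 5-cycles rho and tau."""
    pi, r, t = [0] * 5, 1, 1
    for _ in range(5):
        pi[r - 1] = t
        r, t = rho[r - 1], tau[t - 1]
    return tuple(pi)


def conjugate(program, pi):
    """Replace every sigma by pi o sigma o pi^-1; the composed permutation is conjugated the same way."""
    pinv = inverse(pi)
    return [(var, compose(pi, compose(s0, pinv)), compose(pi, compose(s1, pinv)))
            for var, s0, s1 in program]


def barrington(circuit, tau, val):
    """Program whose composed permutation is tau when circuit(x) == val and the identity otherwise.

    circuit is ('x', i) for input x_i or ('nand', left, right).  Each NAND gate multiplies the
    length by 4 (commutator trick), so a depth-d circuit yields length 4^d.
    """
    if circuit[0] == 'x':
        return [(circuit[1], ID, tau)] if val == 1 else [(circuit[1], tau, ID)]
    _, left, right = circuit
    # beta-program for left, gamma-program for right, then their inverses: the product is
    # DELTA exactly when left = right = 1 (i.e. NAND = 0) and the identity otherwise.
    prog = (barrington(left, BETA, 1) + barrington(right, GAMMA, 1)
            + barrington(left, inverse(BETA), 1) + barrington(right, inverse(GAMMA), 1))
    if val == 0:
        return conjugate(prog, conjugator(DELTA, tau))
    # val == 1: fold DELTA^-1 into the last step, so the product is DELTA^-1 iff NAND = 1.
    dinv = inverse(DELTA)
    var, s0, s1 = prog[-1]
    prog[-1] = (var, compose(dinv, s0), compose(dinv, s1))
    return conjugate(prog, conjugator(dinv, tau))


def eval_circuit(circuit, x):
    if circuit[0] == 'x':
        return x[circuit[1] - 1]
    return 1 - (eval_circuit(circuit[1], x) & eval_circuit(circuit[2], x))


def check(circuit, n_inputs):
    """Return (program length, whether both evaluators agree with the circuit on every input)."""
    prog = barrington(circuit, BETA, 0)   # identity iff circuit(x) = 1, so zeta_L = 1 iff output is 1
    ok = all(run_direct(prog, x) == run_vector(prog, x) == eval_circuit(circuit, x)
             for x in product((0, 1), repeat=n_inputs))
    return len(prog), ok


if __name__ == "__main__":
    nand = ('nand', ('x', 1), ('x', 2))
    print(check(nand, 2))                                          # (4, True)
    print(check(('nand', nand, ('nand', ('x', 3), ('x', 1))), 3))  # (16, True)
```

The vector form is what the homomorphic evaluation below operates on: every step only multiplies a previous state bit by $x_{\mathrm{var}(t)}$ or its complement and adds, which is why the noise analysis of Lemma 3.6 can charge each of the $4^d$ steps a fixed additive amount.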

Homomorphic Evaluation $\mathrm{NCCrypt.Eval}_{evk}(\Psi, C_1, \ldots, C_\ell)$. The homomorphic evaluation procedure will first convert the depth-$d$ circuit $\Psi$ into a width-5 permutation branching program $\Pi$ of length $L = 4^d$.

•  [Initialization] We will maintain the encrypted state of the computation of the branching program for every step $t$. We denote this by $\mathbf{V}_t = (V_{t,1}, V_{t,2}, V_{t,3}, V_{t,4}, V_{t,5})$, where each $V_{t,i} \in \{0,1\}^{N \times N}$ will be an encryption of $\mathbf{v}_t[i]$.

—  We initialize the state as follows. Compute $V_{0,i} := \mathbf{v}_0[i] \cdot I$.

Note that $V_{0,i}$ is in fact a valid encryption of the bit $\mathbf{v}_0[i]$ with zero noise.

—  We also compute encryptions of the complements of the input bits, for convenience. That is, set $\bar{C}_k := I - C_k$. Note that $\bar{C}_k$ is an encryption of $\bar{x}_k = 1 - x_k$ with the same noise as $C_k$.

•  [Evaluation] The evaluation proceeds iteratively for $t = 1, \ldots, L$, where $L$ is the length of the branching program $\Pi$. Assuming that we have $\mathbf{V}_{t-1} := (V_{t-1,1}, V_{t-1,2}, \ldots, V_{t-1,5})$, the encryption of the state of the branching program computation at time $t-1$, we compute $\mathbf{V}_t := (V_{t,1}, V_{t,2}, \ldots, V_{t,5})$ by homomorphically evaluating Eq. (4) above.

That is, for $i \in \{1, 2, 3, 4, 5\}$, we compute

$$V_{t,i} := \mathrm{NCCrypt.ProtoAdd}\Big(\mathrm{NCCrypt.ProtoMult}(V_{t-1,\gamma_{t,i,0}}, \bar{C}_{\mathrm{var}(t)}),\ \mathrm{NCCrypt.ProtoMult}(V_{t-1,\gamma_{t,i,1}}, C_{\mathrm{var}(t)})\Big) \qquad (5)$$

•  [Output] Upon finishing the evaluation stage, we have $\mathbf{V}_L := (V_{L,1}, V_{L,2}, \ldots, V_{L,5})$. Output $V_{L,1}$ as the result of the homomorphic evaluation.

We  now  show  that  the  scheme  correctly  evaluates  circuits. 
Lemma 3.6 (Correctness of Homomorphic Evaluation). Let $n$ be the LWE dimension, $q$ the LWE modulus, $\Psi$ be any Boolean circuit of depth $d$, and

$$\alpha \le 1/O_\kappa(4^d \cdot \sqrt{n \log q})$$

For every $x_1, \ldots, x_\ell \in \{0,1\}$, every Boolean circuit $\Psi$ of depth at most $d$, and every secret key $sk$, letting $C_k \leftarrow \mathrm{NCCrypt.SecEnc}(sk, x_k)$ be the secret key encryptions of the inputs, and $C_\Psi \leftarrow \mathrm{NCCrypt.Eval}(evk, \Psi, C_1, \ldots, C_\ell)$ be the evaluated ciphertext, we have:

$$\mathrm{NCCrypt.Dec}(sk, C_\Psi) = \Psi(x_1, \ldots, x_\ell)$$

with overwhelming probability over the coin tosses of all the algorithms. NCCrypt.Eval runs in time $\mathrm{poly}(4^d, \ell, n, \log q)$.

Note that we stated the correctness of homomorphic evaluation on ciphertexts produced by the secret-key encryption algorithm NCCrypt.SecEnc. A similar lemma can be shown in the case of public-key encryption, if $\alpha$ is smaller by a factor of $\sqrt{n \log q}$. However, in our "optimal FHE" scheme in Section 4, we will only need to invoke this lemma with secret-key encryption.

Proof. It is easy to see that each step of the homomorphic evaluation algorithm, given by Eq. (5), simulates the execution of the branching program, given by Eq. (4). It remains to bound the noise growth during NCCrypt.Eval. We show this by induction.

In the sequel, we will abbreviate the noise function $\mathrm{noise}_{\mathbf{s},\mu}(C)$ to $\mathrm{noise}(C)$ since the secret key is fixed throughout the evaluation, and the message $\mu$ is clear from the context.

Clearly, $\mathrm{noise}(V_{0,i}) = 0$, since the $V_{0,i}$ are just the messages, with no noise. Assume, as the inductive hypothesis, that for all $i \in \{1, 2, 3, 4, 5\}$,

$$\mathrm{noise}(V_{t-1,i}) \le (t-1) \cdot O_\kappa(\alpha q \cdot \sqrt{n \log q})$$

We will now bound $\mathrm{noise}(V_{t,i})$ for all $i \in \{1, 2, 3, 4, 5\}$. Note that

$$
\begin{aligned}
\mathrm{noise}(V_{t,i}) &\le \mathrm{noise}\Big(\mathrm{NCCrypt.ProtoMult}(V_{t-1,\gamma_{t,i,0}}, \bar{C}_{\mathrm{var}(t)})\Big) + \mathrm{noise}\Big(\mathrm{NCCrypt.ProtoMult}(V_{t-1,\gamma_{t,i,1}}, C_{\mathrm{var}(t)})\Big) \\
&\le |1 - x_{\mathrm{var}(t)}| \cdot \mathrm{noise}(V_{t-1,\gamma_{t,i,0}}) + |x_{\mathrm{var}(t)}| \cdot \mathrm{noise}(V_{t-1,\gamma_{t,i,1}}) + O_\kappa(\alpha q \cdot \sqrt{n \log q})
\end{aligned}
$$

where the second inequality holds by Claim 3.4.2 since all the ciphertexts encrypt bits, $C_{\mathrm{var}(t)}$ is a fresh secret-key encryption, and $\bar{C}_{\mathrm{var}(t)}$ contains exactly the same noise as $C_{\mathrm{var}(t)}$. Since exactly one of $x_{\mathrm{var}(t)}$ and $1 - x_{\mathrm{var}(t)}$ is non-zero, we have

$$\mathrm{noise}(V_{t,i}) \le \max\big(\mathrm{noise}(V_{t-1,\gamma_{t,i,0}}), \mathrm{noise}(V_{t-1,\gamma_{t,i,1}})\big) + O_\kappa(\alpha q \cdot \sqrt{n \log q}) \le t \cdot O_\kappa(\alpha q \cdot \sqrt{n \log q})$$

by the inductive hypothesis.

Thus, in particular,

$$\mathrm{noise}(C_\Psi) = \mathrm{noise}(V_{L,1}) \le 4^d \cdot O_\kappa(\alpha q \cdot \sqrt{n \log q}) \le q/8$$

by our setting of the parameter $\alpha$. □
3.4 Achieving Fully Homomorphic Encryption

We know by Lemma 3.4 that the depth of the decryption circuit of NCCrypt is $c_{dec} \cdot \log(n \log q) = c_{dec} \log N$ for some constant $c_{dec} > 0$. Setting the depth $d = c \log N$ for some constant $c > c_{dec}$ in Lemma 3.6 and $\alpha \le 1/O_\kappa(4^d \cdot \sqrt{n \log q})$ gives us a bootstrappable encryption scheme. By the bootstrapping theorem (Theorem 2.14), this can be turned into a leveled FHE scheme, without additional assumptions. We state this theorem below:

Theorem 3.7. Let $n$ be the LWE dimension, $q$ be the LWE modulus, $N := (n+1) \cdot \lceil \log q \rceil$, and let $c > c_{dec}$ be a large enough constant (where $c_{dec}$ is the decryption depth constant from Proposition 3.4), and

$$\alpha \le 1/O_\kappa\big((n \log q)^{2c + 1/2}\big)$$

Then, there is a leveled FHE scheme that is secure under the decisional LWE assumption $\mathrm{DLWE}_{n,q,\chi}$.

In the next section, we will use a variant of the dimension-modulus reduction of [BV11], the effect of which will be to reduce the constant $c$ above to a very small $\epsilon \to 0$, thus achieving a value of $\alpha$ that matches the best known lattice-based PKE schemes.


4 Successive Dimension-Modulus Reduction

In this section we revisit the dimension-modulus reduction technique from [BV11] and show that by successive application of this technique, we can achieve a lattice approximation factor comparable to the best known factor for public key encryption.

We start by revisiting [BV11]'s dimension-modulus reduction in Section 4.1, and then proceed in Section 4.2 to present a bootstrappable homomorphic encryption scheme that is based on $O(n^{1+\epsilon} \cdot \sqrt{n \log(q)})$-approximate GapSVP.


4.1 Dimension-Modulus Reduction (Revisited)

In the functions below, $q$ is an integer and $\chi$ is a distribution over $\mathbb{Z}$:

•  $\mathrm{SwitchKeyGen}_{q:p,\chi}(\mathbf{s}, \mathbf{t})$: For a "source" key $\mathbf{s} \in \mathbb{Z}^{n_s}$ and "target" key $\mathbf{t} \in \mathbb{Z}^{n_t}$, we define a set of parameters that allow to switch ciphertexts under $\mathbf{s}$ into ciphertexts under $(1, \mathbf{t})$.

Let $\hat{n}_s = n_s \cdot \lceil \log q \rceil$ be the dimension of $\mathrm{PowersOfTwo}_q(\mathbf{s})$. Sample a uniform matrix $A_{s:t} \leftarrow \mathbb{Z}_p^{\hat{n}_s \times n_t}$ and a noise vector $\mathbf{e}_{s:t} \leftarrow \chi^{\hat{n}_s}$. The function's output is a matrix

$$P_{s:t} = [\mathbf{b}_{s:t} \,\|\, -A_{s:t}] \in \mathbb{Z}_p^{\hat{n}_s \times (n_t + 1)},$$

where

$$\mathbf{b}_{s:t} = A_{s:t} \cdot \mathbf{t} + \mathbf{e}_{s:t} + \lceil (p/q) \cdot \mathrm{PowersOfTwo}_q(\mathbf{s}) \rfloor_G \in \mathbb{Z}_p^{\hat{n}_s}.$$

Here, $\lceil \cdot \rfloor_G$ is the Gaussian rounding procedure from Corollary 2.1.

•  $\mathrm{SwitchKey}_p(P_{s:t}, \mathbf{c}_s)$: To switch a source ciphertext $\mathbf{c}_s \in \mathbb{Z}_q^{n_s}$ from a secret key $\mathbf{s}$ to $(1, \mathbf{t})$, output

$$\mathbf{c}_t = \big[P_{s:t}^T \cdot \mathrm{BitDecomp}_q(\mathbf{c}_s)\big]_p \in \mathbb{Z}_p^{n_t + 1}.$$
Lemma 4.1 (correctness). Let $\mathbf{s} \in \mathbb{Z}^{n_s}$, $\mathbf{t} \in \mathbb{Z}^{n_t}$ be some vectors. Let $\chi$ be the discrete Gaussian $D_{\mathbb{Z},\alpha p}$, and let $P_{s:t} \leftarrow \mathrm{SwitchKeyGen}_{q:p,\chi}(\mathbf{s}, \mathbf{t})$ and $P_{rand} \leftarrow \mathrm{RandParam}_{D_{\mathbb{Z},\alpha q}}(\mathbf{s})$. Let $\mathbf{c}_s \in \mathbb{Z}_q^{n_s}$ and let $\mathbf{c}'_s \leftarrow \mathrm{Rand}(P_{rand}, \mathbf{c}_s)$. Finally, set $\mathbf{c}_t \leftarrow \mathrm{SwitchKey}(P_{s:t}, \mathbf{c}'_s)$. Then there exists $\delta$ such that

$$(p/q) \cdot \langle \mathbf{c}_s, \mathbf{s} \rangle - \delta = \langle \mathbf{c}_t, (1, \mathbf{t}) \rangle \pmod p,$$

and $|\delta| \le O_\kappa(\sqrt{n \log(q)}) \cdot \alpha p$ with all but $\mathrm{negl}(\kappa)$ probability (over the coins in the experiment, and regardless of the generation of $\mathbf{s}, \mathbf{t}, \mathbf{c}_s$).

Proof. We expand the expression for $\langle \mathbf{c}_t, (1, \mathbf{t}) \rangle$:

$$
\begin{aligned}
\langle \mathbf{c}_t, (1, \mathbf{t}) \rangle &= \langle P_{s:t}^T \cdot \mathrm{BitDecomp}_q(\mathbf{c}'_s), (1, \mathbf{t}) \rangle \\
&= \langle \mathrm{BitDecomp}_q(\mathbf{c}'_s), P_{s:t} \cdot (1, \mathbf{t}) \rangle \\
&= \langle \mathrm{BitDecomp}_q(\mathbf{c}'_s), \mathbf{e}_{s:t} + \lceil (p/q) \cdot \mathrm{PowersOfTwo}_q(\mathbf{s}) \rfloor_G \rangle.
\end{aligned}
$$

It follows that $\delta = \delta_1 + \delta_2$ where

$$\delta_1 = \langle \mathrm{BitDecomp}_q(\mathbf{c}'_s), \mathbf{e}_{s:t} \rangle,$$

which, by Lemma 2.11, is bounded by $|\delta_1| \le O_\kappa(\sqrt{n \log(q)}) \alpha p$ with all but $\mathrm{negl}(\kappa)$ probability; and

$$
\begin{aligned}
\delta_2 &= \langle \mathrm{BitDecomp}_q(\mathbf{c}'_s), \lceil (p/q) \cdot \mathrm{PowersOfTwo}_q(\mathbf{s}) \rfloor_G \rangle - (p/q) \cdot \langle \mathbf{c}'_s, \mathbf{s} \rangle \\
&= \langle \mathrm{BitDecomp}_q(\mathbf{c}'_s), \lceil (p/q) \cdot \mathrm{PowersOfTwo}_q(\mathbf{s}) \rfloor_G - (p/q) \cdot \mathrm{PowersOfTwo}_q(\mathbf{s}) \rangle.
\end{aligned}
$$

Applying Lemma 2.11, we get that $|\delta_2| \le O_\kappa(\sqrt{n \log(q)})$ with all but $\mathrm{negl}(\kappa)$ probability. □

Security follows in a straightforward manner; the proof is omitted.

Lemma 4.2 (security). Let $\mathbf{s} \in \mathbb{Z}^{n_s}$ be any vector. If we generate $\mathbf{t} \leftarrow \mathbb{Z}_p^{n_t}$ and $P \leftarrow \mathrm{SwitchKeyGen}_{q:p,\chi}(\mathbf{s}, \mathbf{t})$, then $P$ is computationally indistinguishable from uniform over $\mathbb{Z}_p^{\hat{n}_s \times (n_t + 1)}$, assuming the decisional LWE assumption $\mathrm{DLWE}_{k,p,\chi}$.
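To make SwitchKeyGen and SwitchKey concrete, here is a toy plain-Python implementation that switches a Regev-style ciphertext under a 33-coordinate key modulo $2^{16}$ to a 9-coordinate key modulo $2^{10}$ and measures the quantity $\delta$ of Lemma 4.1. This is an added illustration, not code from the report or from any library: the parameter sizes, the nearest-integer rounding used in place of the Gaussian rounding $\lceil \cdot \rfloor_G$, the rounded continuous Gaussian used in place of $D_{\mathbb{Z},\alpha p}$, the encoding of the message as $\mu \cdot q/2$, and the omission of the Rand step are all simplifications of mine.

```python
"""Toy dimension-modulus reduction: SwitchKeyGen / SwitchKey as described above.

Constructed illustration (not the report's code).  Simplifications: nearest-integer
rounding instead of Gaussian rounding, a rounded continuous Gaussian instead of the
discrete Gaussian, and no ciphertext randomization (Rand) step.
"""
import random

LOG_Q, LOG_P = 16, 10
Q, P = 1 << LOG_Q, 1 << LOG_P   # source modulus q and target modulus p (p divides q)
N_S, N_T = 32, 8                # source key is (1, s') with |s'| = N_S; target key t has |t| = N_T
SIGMA = 1.0                     # switching-key noise parameter (plays the role of alpha * p)


def gauss_int(sigma, rng):
    """Rounded continuous Gaussian, standing in for D_{Z,sigma}."""
    return int(round(rng.gauss(0, sigma)))


def centered(x, m):
    """[x]_m: the representative of x mod m in (-m/2, m/2]."""
    x %= m
    return x - m if x > m // 2 else x


def inner(u, v):
    return sum(a * b for a, b in zip(u, v))


def bit_decomp(c, log_m):
    """BitDecomp_m(c): the bits of every coordinate, least significant first."""
    return [(ci >> i) & 1 for ci in c for i in range(log_m)]


def powers_of_two(s, log_m, m):
    """PowersOfTwo_m(s): (s_j * 2^i mod m), ordered to match bit_decomp, so that
    <BitDecomp_m(c), PowersOfTwo_m(s)> = <c, s>  (mod m)."""
    return [(sj << i) % m for sj in s for i in range(log_m)]


def switch_key_gen(s, t, rng):
    """P_{s:t} = [b || -A] over Z_p, with b = A t + e + round((p/q) PowersOfTwo_q(s))."""
    rows = []
    for v in powers_of_two(s, LOG_Q, Q):
        a = [rng.randrange(P) for _ in range(N_T)]
        b = (inner(a, t) + gauss_int(SIGMA, rng) + round(v * P / Q)) % P
        rows.append([b] + [(-ai) % P for ai in a])
    return rows                  # (N_S + 1) * LOG_Q rows, each of length N_T + 1


def switch_key(P_st, c_s):
    """c_t = [P_{s:t}^T * BitDecomp_q(c_s)]_p, a ciphertext under the key (1, t)."""
    c_t = [0] * (N_T + 1)
    for bit, row in zip(bit_decomp(c_s, LOG_Q), P_st):
        if bit:
            c_t = [(x + y) % P for x, y in zip(c_t, row)]
    return c_t


def source_encrypt(s_prime, mu, rng, sigma=2.0):
    """Regev-style ciphertext c in Z_q^{N_S+1} with <c, (1, s')> = mu * q/2 + e  (mod q)."""
    a = [rng.randrange(Q) for _ in range(N_S)]
    b = (inner(a, s_prime) + gauss_int(sigma, rng) + mu * (Q // 2)) % Q
    return [b] + [(-ai) % Q for ai in a]


def decrypt(c, key, m):
    """The DimReduced.Dec rule: 0 if |[<c, key>]_m| < m/8, else 1."""
    return 0 if abs(centered(inner(c, key), m)) < m // 8 else 1


def demo(seed=1):
    """Switch four ciphertexts from (q, N_S+1) to (p, N_T+1) and measure delta from Lemma 4.1."""
    rng = random.Random(seed)
    s_prime = [rng.randrange(Q) for _ in range(N_S)]
    s, t = [1] + s_prime, [rng.randrange(P) for _ in range(N_T)]
    P_st = switch_key_gen(s, t, rng)
    results = []
    for mu in (0, 1, 1, 0):
        c_s = source_encrypt(s_prime, mu, rng)
        c_t = switch_key(P_st, c_s)
        # delta = (p/q) <c_s, s> - <c_t, (1, t)>  (mod p), reduced to (-p/2, p/2]
        delta = (inner(c_s, s) * P / Q - inner(c_t, [1] + t)) % P
        if delta > P / 2:
            delta -= P
        results.append((mu, decrypt(c_t, [1] + t, P), delta))
    return {"results": results, "source_len": len(c_s), "target_len": len(c_t)}


if __name__ == "__main__":
    print(demo())
```

With these sizes the switched ciphertext shrinks from $33 \cdot 16$ bits to $9 \cdot 10$ bits, and the measured $\delta$ stays far below the $p/8$ decryption margin: it is a sum of roughly $\hat{n}_s/2$ Gaussian terms (the $\delta_1$ of the proof) plus the rounding residue (the $\delta_2$), both of which grow only like $\sqrt{\hat{n}_s}$, exactly as the lemma's $O_\kappa(\sqrt{n \log q})$ bound says.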

4.2 A Bootstrappable Scheme

Let $q : \mathbb{N} \to \mathbb{N}$ be a monotone function such that $q(n) \le 2^n$ for all $n$, and $\alpha : \mathbb{N} \to \mathbb{R}$. Let $\chi(n)$ denote the discrete Gaussian distribution $D_{\mathbb{Z},\alpha(n)q(n)}$. Finally, let $\epsilon > 0$.

The typical value of $\alpha(n)$ will be $1/O_\kappa(\sqrt{n \log(q)} \cdot n^\epsilon)$, where $\kappa$ is the security parameter. As to the function $q(n)$, we will be interested in two ranges of parameters: In the first we will set $q(n)$ such that $\alpha(n) \cdot q(n) \approx \sqrt{n}$ (i.e. we set $q$ such that $q(n) = O_\kappa(n^{1+\epsilon} \sqrt{\log(q)})$). This is the minimal $q$ that allows to apply worst-case to average-case reductions for LWE. The second case is where $q(n) = 2^{n/2}$, which is the minimal $q$ that allows to apply classical worst-case to average-case reductions to the GapSVP problem.

The scheme DimReduced is defined as follows.
•  $\mathrm{DimReduced.Keygen}(1^k)$: Define $n = (k \log(q(k)))^{2c_{dec}/\epsilon}$ (namely, $n^\epsilon = 4^{c_{dec} \cdot \log(k \log(q(k)))}$), where $c_{dec}$ is as in Proposition 3.4. Assume for convenience that $n = k^{(1+\epsilon)^L}$ for some $L \in \mathbb{N}$ (otherwise round $n$ to the next power up). Further define $k_i = k^{(1+\epsilon)^i}$, so $k_0 = k$ and $k_L = n$, and define $q_i = q(k_i)$. For convenience we denote $p = q_0$.

Let $(ncsk, ncevk, ncpk) \leftarrow \mathrm{NCCrypt.Keygen}(1^n, q(n), 4^{c_{dec} \cdot \log(k \log(q(k))) + 1})$. Define $\mathbf{s}_L = ncsk \in \mathbb{Z}^n$. For all $i = 0, \ldots, L-1$, sample $\mathbf{s}_i \leftarrow$ .

Next, we generate dimension-modulus switching parameters (see Section 4.1), and randomization parameters (see Section 2.4) for all $i \in [L]$:

$$P_{i:(i-1)} \leftarrow \mathrm{SwitchKeyGen}_{q_i:q_{i-1}}((1, \mathbf{s}_i), \mathbf{s}_{i-1}),$$

and

$$P_{rand,i} \leftarrow \mathrm{RandParam}_{D_{\mathbb{Z},\alpha(k_i) q_i}}(\mathbf{s}_i).$$

Finally, output the keys $sk = (\mathbf{s}_0, \mathbf{s}_L)$, $pk = ncpk$, $evk = (ncevk, \{P_{i:(i-1)}\}_{i \in [L]}, \{P_{rand,i}\}_{i \in [L]})$.

We note that as $\epsilon$ approaches 0, $n = (k \log(q(k)))^{2c_{dec}/\epsilon}$ becomes larger. If $k$ is proportional to the security parameter, then $\epsilon$ must be bounded by a constant to keep $n$ polynomially bounded. We further note that $L = O(\log(1/\epsilon)/\epsilon)$.

•  $\mathrm{DimReduced.PubEnc}_{pk}(\mu)$ / $\mathrm{DimReduced.SecEnc}_{sk}(\mu)$: The asymmetric and symmetric encryption procedures are identical to NCCrypt. Since DimReduced's public key and secret key contain those of NCCrypt, this can be done in a straightforward manner.

•  $\mathrm{DimReduced.Eval}_{evk}(f, C_1, \ldots, C_\ell)$: To perform homomorphic evaluation, we first compute

$$C_f \leftarrow \mathrm{NCCrypt.Eval}_{ncevk}(f, C_1, \ldots, C_\ell).$$

We then consider $\mathbf{c}_f \in \{0,1\}^{n \lceil \log(q_L) \rceil}$, which is the second row of $C_f$. We set $\mathbf{c}_L := \mathrm{Combine}_{q_L}(\mathbf{c}_f)$.

We then compute, in order for $i = L-1, \ldots, 0$, the ciphertexts $\mathbf{c}_{rand,i+1} \leftarrow \mathrm{Rand}(P_{rand,i+1}, \mathbf{c}_{i+1})$, and then $\mathbf{c}_i \leftarrow \mathrm{SwitchKey}(P_{(i+1):i}, \mathbf{c}_{rand,i+1})$. Finally, $\mathbf{c}_0 \in \mathbb{Z}_p^k$ is output as the final ciphertext.

•  $\mathrm{DimReduced.Dec}_{sk}(\mathbf{c})$: We recall that $\mathbf{c} \in \mathbb{Z}_p^k$. We output $\mu^* = 0$ if $|[\langle \mathbf{c}, \mathbf{s}_0 \rangle]_p| < p/8$, and $\mu^* = 1$ otherwise.


Security is stated in the next lemma and follows immediately using a hybrid argument and using the security properties of the scheme NCCrypt, the ciphertext randomization procedure (Lemma 2.9) and the dimension-modulus reduction procedure (Lemma 4.2). The formal proof is omitted.

Lemma 4.3. The scheme DimReduced is secure under the $\mathrm{DLWE}_{k,q(k),\alpha(k)}$ assumption.

Correctness poses a more challenging task. We want to prove that DimReduced can homomorphically evaluate an augmented decryption circuit. Proving this when $\alpha(n)$ is small (e.g. $\alpha(n) = 1/n^3$) is fairly easy. However, since we wish to achieve optimal parameters, the analysis is more involved and appears in the following lemma.

We define $r = 2^{\lceil \log(q_L) \rceil - 2}/q_L$ and notice that $r \in (1/4, 1/2]$.
Lemma 4.4. Let $\alpha(n) = 1/O_\kappa(\sqrt{n \log(q)} \cdot n^\epsilon)$, and let $q(n) \ge O(\sqrt{n}/\alpha(n))$. Consider a set of keys generated by $(sk, pk, evk) \leftarrow \mathrm{DimReduced.Keygen}(1^k)$, and recall that $sk = (\mathbf{s}_0, \mathbf{s}_L)$. Let $K_i \leftarrow \mathrm{DimReduced.SecEnc}_{sk}(\mathrm{BitDecomp}(\mathbf{s}_0)[i])$. Namely, $K_i$ is the symmetric encryption of the $i$th bit of $\mathbf{s}_0$.

Let $f$ be an augmented decryption circuit as per Definition 2.13. Namely, let $\mathbf{c}, \mathbf{c}' \in \mathbb{Z}_p^k$ and $\mu, \mu' \in \{0,1\}$ be such that

$$[\langle \mathbf{c}, \mathbf{s}_0 \rangle]_p = \mu \cdot rp + e,$$

where $|e| < p/8$, and similarly for $\mathbf{c}'$. The function $f$ is the function that on input $x$, treats $x$ as a secret key and decrypts $\mathbf{c}, \mathbf{c}'$, and outputs the NAND of their decryptions.

Let

$$\mathbf{c}_0 \leftarrow \mathrm{DimReduced.Eval}_{evk}(f, K_1, K_2, \ldots),$$

and note that this is syntactically well defined since $f$ can be represented as a Boolean circuit of depth $c_{dec} \cdot \log(k \log(q(k))) + 1$.

Then with all but $\mathrm{negl}(\kappa)$ probability,

$$[\langle \mathbf{c}_0, \mathbf{s}_0 \rangle]_p = \mu^* \cdot rp + e_f,$$

where $\mu^* = \overline{(\mu \wedge \mu')}$, $|e_f| < p/8$ are as above.

Proof. Consider the process of execution of $\mathrm{DimReduced.Eval}_{evk}(f, K_1, K_2, \ldots)$. It starts by generating $\mathbf{c}_L$, where we are guaranteed by the correctness of NCCrypt that

$$[\langle \mathbf{c}_L, \mathbf{s}_L \rangle]_{q_L} = \mu^* \cdot r q_L + e_L,$$

where

$$|e_L|/q_L \le O_\kappa\big(\sqrt{n \log(q_L)} \cdot 4^{c_{dec} \cdot \log(k \log(q(k))) + 1}\big) \alpha(n) = O_\kappa\big(n^\epsilon \cdot \sqrt{n \log(q_L)}\big) \cdot \alpha(n),$$

and we will set $\alpha(n) = 1/(\sqrt{n \log(q)} \cdot n^\epsilon \, \mathrm{polylog}(\kappa))$ with sufficiently large polylogarithmic factor to offset the one coming from the noise so that

$$|e_L|/q_L \le 1/\mathrm{polylog}(\kappa).$$

We then commence with $L = O(1)$ levels of randomization followed by modulus-dimension reduction. Let us consider the effect of these operations at level $i$.

Lemma 2.10 guarantees that in the randomization step, the relative noise grows by an additive factor of at most $O_\kappa(\sqrt{k_i \log(q_i)}) \cdot \alpha(k_i) = k_i^{-\epsilon} \cdot O_\kappa(1)/\mathrm{polylog}(\kappa)$. Again, the idea is to define $\alpha$ with sufficiently large polylogarithmic factor to offset those coming from $O_\kappa(\cdot)$.

Lemma 4.1 guarantees that in the key switching step, the relative noise grows by an additive factor of $O_\kappa(\sqrt{k_i \log(q_i)}) \cdot \alpha(k_{i-1})$. We recall that $k_i = k_{i-1}^{1+\epsilon}$ and that $q(n) \le 2^n$. Therefore

$$\sqrt{k_i \log(q_i)} \le \sqrt{(k_{i-1} \log(q_{i-1}))^{1+\epsilon}} \le \sqrt{k_{i-1} \log(q_{i-1})} \cdot k_{i-1}^{\epsilon}.$$

Therefore, setting the polylogarithmic factors right, we get an additive relative error of at most $1/\mathrm{polylog}(\kappa)$.

Putting all of these together, we get that

$$|e_f| \le L/\mathrm{polylog}(\kappa) < p/8,$$

and the result follows. □
Finally, we derive the worst-case lattice approximation factor based on Corollary 2.6. We recall that a bootstrappable homomorphic encryption scheme implies a leveled FHE scheme under the same assumptions, and a pure FHE scheme with an additional circular security assumption.

Corollary 4.5. For all $\epsilon > 0$, there exist:

•  A bootstrappable homomorphic encryption scheme based on the worst-case quantum hardness of solving $\mathrm{GapSVP}_{\tilde{O}(n^{1.5+\epsilon})}$ and $\mathrm{SIVP}_{\tilde{O}(n^{1.5+\epsilon})}$.

•  A bootstrappable homomorphic encryption scheme based on the worst-case classical hardness of solving $\mathrm{GapSVP}_{\tilde{O}(n^{2+\epsilon})}$.

The first (quantum) case is derived from Lemma 4.4 by setting $q(n) = \sqrt{n}/\alpha(n) = \mathrm{poly}(n)$, and the second (classical) case is derived by setting $q(n) = 2^{n/2}$.

Improving Key and Ciphertext sizes. The scheme DimReduced uses a ladder of LWE instances, ranging from short $(k, p)$ to polynomially larger $(n, q)$. In the description above, the public key of the scheme is derived from that of NCCrypt, and therefore depends on $n$ and not on $k$. Likewise, the "input ciphertexts" (the ones before homomorphic evaluation) also depend on $n$.

We note here that this can be fixed in such a way that only the $evk$ depends on $n$, and the rest of the parameters are exactly the same as Regev's scheme with parameters $(k, p)$. This is done in a standard way (used e.g. in [BV11]) as follows.

We will generate the public key as a standard Regev public key with parameters $(k, p)$, and in the evaluation key we will encrypt the bits of the respective secret key using NCCrypt. This will allow to perform homomorphic operations by evaluating the augmented decryption circuit. Namely, the ciphertexts visible to the user of the scheme will always be short, but in the process of homomorphic evaluation, larger ciphertexts are used to accommodate the homomorphic operation, and once it is done dimension-modulus reduction will be used to shrink the output ciphertext back to the original size. Since this is standard practice, we omit the technical description.
Machine Learning Classification over Encrypted Data

Abstract

Machine  learning  classification  is  used  in  numerous  settings  nowadays,  such  as  medical  or  genomics  predictions, 
spam  detection,  face  recognition,  and  financial  predictions.  Due  to  privacy  concerns,  in  some  of  these  applications,  it  is 
important  that  the  data  and  the  classifier  remain  confidential. 

In  this  work,  we  construct  three  major  classification  protocols  that  satisfy  this  privacy  constraint:  hyperplane 
decision,  Naive  Bayes,  and  decision  trees.  We  also  enable  these  protocols  to  be  combined  with  AdaBoost.  At  the  basis 
of  these  constructions  is  a  new  library  of  building  blocks  for  constructing  classifiers  securely;  we  demonstrate  that  this 
library  can  be  used  to  construct  other  classifiers  as  well,  such  as  a  multiplexer  and  a  face  detection  classifier. 

We  implemented  and  evaluated  our  library  and  classifiers.  Our  protocols  are  efficient,  taking  milliseconds  to  a  few 
seconds  to  perform  a  classification  when  running  on  real  medical  datasets. 


1  Introduction 

Classifiers  are  an  invaluable  tool  for  many  tasks  today,  such  as  medical  or  genomics  predictions,  spam  detection,  face 
recognition,  and  finance.  Many  of  these  applications  handle  sensitive  data  [WGH12,  SG11,  SG13],  so  it  is  important 
that  the  data  and  the  classifier  remain  private. 

Consider the typical setup of supervised learning, depicted in Figure 1. Supervised learning algorithms consist of two phases: (i) the training phase during which the algorithm learns a model w from a data set of labeled examples, and (ii) the classification phase that runs a classifier C over a previously unseen feature vector x, using the model w to output a prediction C(x, w).

In  applications  that  handle  sensitive  data,  it  is  important  that  the  feature  vector  x  and  the  model  w  remain  secret  to 
one  or  some  of  the  parties  involved.  Consider  the  example  of  a  medical  study  or  a  hospital  having  a  model  built  out  of 
the  private  medical  profiles  of  some  patients;  the  model  is  sensitive  because  it  can  leak  information  about  the  patients, 
and  its  usage  has  to  be  HIPAA  compliant.  A  client  wants  to  use  the  model  to  make  a  prediction  about  her  health  (e.g., 
if  she  is  likely  to  contract  a  certain  disease,  or  if  she  would  be  treated  successfully  at  the  hospital),  but  does  not  want 
to  reveal  her  sensitive  medical  profile.  Ideally,  the  hospital  and  the  client  run  a  protocol  at  the  end  of  which  the  client 
learns one bit ("yes/no"), and neither party learns anything else about the other party's input. A similar setting arises for
a  financial  institution  (e.g.,  an  insurance  company)  holding  a  sensitive  model,  and  a  customer  wanting  to  estimate  rates 
or  quality  of  service  based  on  her  personal  information. 

Throughout this paper, we refer to this goal shortly as privacy-preserving classification. Concretely, a client has a
private  input  represented  as  a  feature  vector  x,  and  the  server  has  a  private  input  consisting  of  a  private  model  w.  The  way 
the  model  w  is  obtained  is  independent  of  our  protocols  here.  For  example,  the  server  could  have  computed  the  model 
w  after  running  the  training  phase  on  plaintext  data  as  usual.  Only  the  classification  needs  to  be  privacy-preserving:  the 
client  should  learn  C(x,  w)  but  nothing  else  about  the  model  w,  while  the  server  should  not  learn  anything  about  the 
client’s  input  or  the  classification  result. 

*Direction Générale de l'Armement - Maîtrise de l'Information. Work done while visiting MIT CSAIL. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the DGA or the French Government.
Figure 1: Model overview. Each shaded box indicates private data that should be accessible to only one party: the dataset and the model to the server, and the input and prediction result to the client. Each straight non-dashed rectangle indicates an algorithm, single arrows indicate inputs to these algorithms, and double arrows indicate outputs.


Machine learning algorithm        Classifier
Perceptron                        Hyperplane decision
Least squares                     Hyperplane decision
Fisher linear discriminant        Hyperplane decision
Support vector machine            Hyperplane decision
Naive Bayes                       Naive Bayes
Decision trees (ID3/C4.5)         Decision trees

Table 1: Machine learning algorithms and their classifiers, defined in Section 3.1.

In this work, we construct efficient privacy-preserving protocols for three of the most common classifiers: hyperplane decision, Naive Bayes, and decision trees, as well as a more general classifier combining these using AdaBoost. These classifiers are widely used: even though there are many machine learning algorithms, most of them end up using one of these three classifiers, as described in Table 1.

While generic secure multi-party computation [Yao82, GMW87, HKS+10, MNPS04, BDNP08] can implement any classifier in principle, due to their generality, such schemes are not efficient for common classifiers. As described in Section 10.5, on a small classification instance, such tools ([HKS+10, BDNP08]) ran out of memory on a powerful machine with 256GB of RAM; also, on an artificially simplified classification instance, these protocols ran ≈ 500 times slower than our protocols ran on the non-simplified instance.

Hence, protocols specialized to the classification problem promise better performance. However, most existing work in machine learning and privacy [LP00, DHC04, WY04, ZW05, BDMN05, VKC08, GLN12] focuses on preserving privacy during the training phase, and does not address classification. The few works on privacy-preserving classification either consider a weaker security setting in which the client learns the model [BLN13] or focus on specific classifiers (e.g., face detectors [EFG+09, SSW09, AB06, AB07]) that are useful in limited situations.

Designing efficient privacy-preserving classification faces two main challenges. The first is that the computation
performed  over  sensitive  data  by  some  classifiers  is  quite  complex  (e.g.,  decision  trees),  making  it  hard  to  support 
efficiently.  The  second  is  providing  a  solution  that  is  more  generic  than  the  three  classifiers:  constructing  a  separate 
solution  for  each  classifier  does  not  provide  insight  into  how  to  combine  these  classifiers  or  how  to  construct  other 
classifiers.  Even  though  we  contribute  privacy-preserving  protocols  for  three  of  the  most  common  classifiers,  various 
settings  use  other  classifiers  or  use  a  combination  of  these  three  classifiers  (e.g.,  AdaBoost).  We  address  these  challenges 
using  two  key  techniques. 

Our  main  technique  is  to  identify  a  set  of  core  operations  over  encrypted  data  that  underlie  many  classification 
protocols.  We  found  these  operations  to  be  comparison,  argmax,  and  dot  product.  We  use  efficient  protocols  for  each 
one  of  these,  either  by  improving  existing  schemes  (e.g.,  for  comparison)  or  by  constructing  new  schemes  (e.g.,  for 
argmax). 

Our  second  technique  is  to  design  these  building  blocks  in  a  composable  way,  with  regard  to  both  functionality  and 
security.  To  achieve  this  goal,  we  use  a  set  of  sub-techniques: 

•  The  input  and  output  of  all  our  building  blocks  are  data  encrypted  with  additively  homomorphic  encryption.  In 
addition,  we  provide  a  mechanism  to  switch  from  one  encryption  scheme  to  another.  Intuitively,  this  enables  a 
building  block’s  output  to  become  the  input  of  another  building  block; 

•  The API of these building blocks is flexible: even though each building block computes a fixed function, it allows a choice of which party provides the inputs to the protocol, which party obtains the output of the computation, and whether the output is encrypted or decrypted;

•  The  security  of  these  protocols  composes  using  modular  sequential  composition  [Can98]. 

We  emphasize  that  the  contribution  of  our  building  blocks  library  goes  beyond  the  classifiers  we  build  in  this  paper: 
a  user  of  the  library  can  construct  other  privacy-preserving  classifiers  in  a  modular  fashion.  To  demonstrate  this  point, 
we  use  our  building  blocks  to  construct  a  multiplexer  and  a  classifier  for  face  detection,  as  well  as  to  combine  our 
classifiers  using  AdaBoost. 

We  then  use  these  building  blocks  to  construct  novel  privacy-preserving  protocols  for  three  common  classifiers. 
Some  of  these  classifiers  incorporate  additional  techniques,  such  as  an  efficient  evaluation  of  a  decision  tree  with  fully 
homomorphic  encryption  (FHE)  based  on  a  polynomial  representation  requiring  only  a  small  number  of  multiplications 
and  based  on  SIMD  FHE  slots  (see  Section  7.2).  All  of  our  protocols  are  secure  against  passive  adversaries  (see 
Section  3.2.3). 

We  also  provide  an  implementation  and  an  evaluation  of  our  building  blocks  and  classifiers.  We  evaluate  our 
classifiers  on  real  datasets  with  private  data  about  breast  cancer,  credit  card  approval,  audiology,  and  nursery  data;  our 
algorithms  are  efficient,  running  in  milliseconds  up  to  a  few  seconds,  and  consume  a  modest  amount  of  bandwidth. 

The rest of the paper is organized as follows. Section 2 describes related work, Section 3 provides the necessary machine learning and cryptographic background, Section 4 presents our building blocks, Sections 5-8 describe our classifiers, and Sections 9-10 present our implementation and evaluation results.

2  Related  work 

Our  work  is  the  first  to  provide  efficient  privacy-preserving  protocols  for  a  broad  class  of  classifiers. 

Secure  two-party  computation  protocols  for  generic  functions  exist  in  theory  [Yao82,  GMW87,  LP07,  IPS08,  LP09] 
and  in  practice  [HKS+10,  MNPS04,  BDNP08].  However,  these  rely  on  heavy  cryptographic  machinery,  and  applying 
them  directly  to  our  problem  setting  would  be  too  inefficient  as  exemplified  in  Section  10.5. 

Previous  work  focusing  on  privacy-preserving  machine  learning  can  be  broadly  divided  into  two  categories:  (i) 
techniques  for  privacy-preserving  training,  and  (ii)  techniques  for  privacy-preserving  classification  (recall  the  distinction 
from  Figure  ).  Most  existing  work  falls  in  the  first  category,  which  we  discuss  in  Section  2.1.  Our  work  falls  in  the 
second  category,  where  little  work  has  been  done,  as  we  discuss  in  Section  2.2.  We  also  mention  work  related  to  the 
building  blocks  we  use  in  our  protocols  in  Section  2.3. 

It  is  worth  mentioning  that  our  work  on  privacy-preserving  classification  is  complementary  to  work  on  differential 
privacy in the machine learning community (see e.g. [CMS11]). Our work aims to hide each user's input data to the 
classification  phase,  whereas  differential  privacy  seeks  to  construct  classifiers/models  from  sensitive  user  training  data 
that  leak  a  bounded  amount  of  information  about  each  individual  in  the  training  data  set. 

2.1  Privacy-preserving  training 

A  set  of  techniques  have  been  developed  for  privacy-preserving  training  algorithms  such  as  Naive  Bayes  [VKC08, 
WY04,  ZW05],  decision  trees  [BDMN05,  LP00],  linear  discriminant  classifiers  [DHC04],  and  more  general  kernel 
methods  [LLM06], 

Graepel et al. [GLN12] show how to train several machine learning classifiers using a somewhat homomorphic 
encryption  scheme.  They  focus  on  a  few  simple  classifiers  (e.g.  the  linear  means  classifier),  and  do  not  elaborate  on  more 
complex  algorithms  such  as  support  vector  machines.  They  also  support  private  classification,  but  in  a  weaker  security 
model  where  the  client  learns  more  about  the  model  than  just  the  final  sign  of  the  classification.  Indeed,  performing 
the  final  comparison  with  fully  homomorphic  encryption  (FHE)  alone  is  inefficient,  a  difficulty  we  overcome  with  an 
interactive  setting. 


Approved for Public Release; Distribution Unlimited. 


2.2  Privacy-preserving  classification 

Little  work  has  been  done  to  address  the  general  problem  of  privacy-preserving  classification  in  practice;  previous  work 
focuses  on  a  weaker  security  setting  (in  which  the  client  learns  the  model)  and/or  only  supports  specific  classifiers. 

In  Bos  et  al.  [BLN13],  a  third  party  can  compute  medical  prediction  functions  over  the  encrypted  data  of  a  patient 
using  fully  homomorphic  encryption.  In  their  setting,  everyone  (including  the  patient)  knows  the  predictive  model,  and 
their  algorithm  hides  only  the  input  of  the  patient  from  the  cloud.  Our  protocols,  on  the  other  hand,  also  hide  the  model 
from  the  patient.  Their  algorithms  cannot  be  applied  to  our  setting  because  they  leak  more  information  than  just  the  bit 
of  the  prediction  to  the  patient.  Furthermore,  our  techniques  are  notably  different;  using  FHE  directly  for  our  classifiers 
would  result  in  significant  overheads. 

Barni et al. [BFK+09, BFL+09] construct secure evaluation of linear branching programs, which they use to 
implement a secure classifier of ECG signals. Their technique is based on finely-tuned garbled circuits. By comparison, 
our construction is not limited to branching programs (or decision trees), and our evaluation shows that our construction 
is twice as fast on branching programs. In a subsequent work [BFL+11], Barni et al. study secure classifiers based on 
neural networks, which is a generalization of the perceptron classifiers, and hence also covered by our work. 

Other  works  [EFG+09,  SSW09,  AB06,  AB07]  construct  specific  face  recognition  or  detection  classifiers.  We  focus 
on providing a set of generic classifiers and building blocks to construct more complex classifiers. In Section 10.1.2, we 
show  how  to  construct  a  private  face  detection  classifier  using  the  modularity  of  our  techniques. 

2.3  Work  related  to  our  building  blocks 

Two  of  the  basic  components  we  use  are  private  comparison  and  private  computation  of  dot  products.  These  items  have 
been well-studied previously; see [Yao82, DGK07, DGK09, Veu11, LT05, AB06, KSS09] for comparison techniques 
and  [AD01,  GLLM04,  Kil05,  AB06]  for  techniques  to  compute  dot  products.  Section  4.1  discusses  how  we  build  on 
these  tools. 

3  Background  and  preliminaries 

3.1  Classification  in  machine  learning  algorithms 

The user's input $x$ is a vector of $d$ elements $x = (x_1, \ldots, x_d) \in \mathbb{R}^d$, called a feature vector. To classify the input $x$ means 
to evaluate a classification function $C_w : \mathbb{R}^d \to \{c_1, \ldots, c_k\}$ on $x$. The output is $c_{k^*} = C_w(x)$, where $k^* \in \{1, \ldots, k\}$; 
$c_{k^*}$ is the class to which $x$ corresponds, based on the model $w$. For ease of notation, we often write $k^*$ instead of $c_{k^*}$, 
namely $k^* = C_w(x)$. 

We  now  describe  how  three  popular  classifiers  work  on  regular,  unencrypted  data.  These  classifiers  differ  in  the 
model  w  and  the  function  Cw.  For  more  details,  we  refer  the  reader  to  [BN06]. 

Hyperplane decision-based classifiers. For this classifier, the model $w$ consists of $k$ vectors in $\mathbb{R}^d$ ($w = \{w_i\}_{i=1}^{k}$). 
The classifier is (cf. [BN06]): 

$$k^* = \operatorname{argmax}_{i \in [k]} \langle w_i, x \rangle, \qquad (1)$$

where $\langle w_i, x \rangle$ denotes the inner product between $w_i$ and $x$. 

We now explain how Eq. (1) captures many common machine learning algorithms. A hyperplane based classifier 
typically works with a hypothesis space $H$ equipped with an inner product $\langle \cdot, \cdot \rangle$. This classifier usually solves a binary 
classification problem ($k = 2$): given a user input $x$, $x$ is classified in class $c_2$ if $\langle w, \phi(x) \rangle > 0$, otherwise it is labeled 
as part of class $c_1$. Here, $\phi : \mathbb{R}^d \to H$ denotes the feature mapping from $\mathbb{R}^d$ to $H$ [BN06]. In this work, we focus on 
the case when $H = \mathbb{R}^d$ and note that a large class of infinite dimensional spaces can be approximated with a finite 
dimensional space (as in [RR07]), including the popular Gaussian kernel (RBF). In this case, $\phi(x) = x$ or $\phi(x) = Px$ 
for a randomized projection matrix $P$ chosen during training. Notice that $Px$ consists solely of inner products; we will 
show how to support private evaluation of inner products later, so for simplicity we drop $P$ from the discussion. To 
extend such a classifier from 2 classes to $k$ classes, we use one of the most common approaches, one-versus-all, where 
$k$ different models $\{w_i\}_{i=1}^{k}$ are trained to discriminate each class from all the others. The decision rule is then given 
(cf. [BN06]) to be Eq. (1). This framework is general enough to cover many common algorithms, such as support vector 
machines (SVMs), logistic regression, and least squares. 

Figure 2: Decision tree (the figure is not reproduced here; its interior nodes compare features against the thresholds $w_1, \ldots, w_4$, e.g. $x_1 > w_1$ versus $x_1 < w_1$ at the root). 

Naive Bayes classifiers. For this classifier, the model $w$ consists of various probabilities: the probability that each 
class $c_i$ occurs, namely $\{p(C = c_i)\}_{i=1}^{k}$, and the probabilities that an element $x_j$ of $x$ occurs in a certain class $c_i$. More 
concretely, the latter is the probability of the $j$-th component $x_j$ of $x$ to be $v$ when $x$ belongs to category $c_i$; this is 
denoted by $\{\{\{p(X_j = v \mid C = c_i)\}_{v \in D_j}\}_{j=1}^{d}\}_{i=1}^{k}$, where $D_j$ is $X_j$'s domain.¹ The classification function, using a 
maximum a posteriori decision rule, works by choosing the class with the highest posterior probability: 

$$k^* = \operatorname{argmax}_{i \in [k]} p(C = c_i \mid X = x) = \operatorname{argmax}_{i \in [k]} p(C = c_i, X = x) = \operatorname{argmax}_{i \in [k]} p(C = c_i, X_1 = x_1, \ldots, X_d = x_d)$$

where the second equality follows from applying Bayes' rule (we omitted the normalizing factor $p(X = x)$ because it 
is the same for a fixed $x$). 

The Naive Bayes model assumes that $p(C = c_i, X = x)$ has the following factorization: 

$$p(C = c_i, X_1 = x_1, \ldots, X_d = x_d) = p(C = c_i) \prod_{j=1}^{d} p(X_j = x_j \mid C = c_i),$$

namely, each of the $d$ features is conditionally independent given the class. For simplicity, we assume that the domain 
of the feature values (the $X_j$'s) is discrete and finite, so the $p(X_j = x_j \mid C = c_i)$'s are probability masses. 

Decision  trees.  A  decision  tree  is  a  non-parametric  classifier  which  works  by  partitioning  the  feature  vector  space  one 
attribute  at  a  time;  interior  nodes  in  the  tree  correspond  to  partitioning  rules,  and  leaf  nodes  correspond  to  class  labels. 
A  feature  vector  x  is  classified  by  walking  the  tree  starting  from  the  root,  using  the  partitioning  rule  at  each  node  to 
decide  which  branch  to  take  until  a  leaf  node  is  encountered.  The  class  at  the  leaf  node  is  the  result  of  the  classification. 

Figure 2 gives an example of a decision tree. The model consists of the structure of the tree and the decision criteria 
at each node (in this case the thresholds $w_1, \ldots, w_4$). 

¹ Be careful to distinguish between $X_j$, the probabilistic random variable representing the values taken by the $j$-th feature of the user's input, and $x_j$, 
the actual value taken by the specific vector $x$. 
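As an added illustration (example code written for this page, not taken from the paper or its implementation), here are the three classifiers above on plaintext data, each run on constructed sample models and inputs: Eq. (1) for the hyperplane classifier, the Naive Bayes MAP rule evaluated in the log domain (the form Section 6 later works with), and the root-to-leaf walk of a decision tree. The tree encoding, a nested tuple (j, w, left, right) with leaves holding the class label, is a choice of this example.

```python
import math

def hyperplane_classify(W, x):
    """Eq. (1): k* = argmax_i <w_i, x>, with W the list of the k model vectors w_i."""
    scores = [sum(w_ij * x_j for w_ij, x_j in zip(w_i, x)) for w_i in W]
    return max(range(len(W)), key=lambda i: scores[i])

def naive_bayes_classify(priors, cond, x):
    """MAP rule under the Naive Bayes factorisation, evaluated in the log domain:
    argmax_i  log p(C = c_i) + sum_j log p(X_j = x_j | C = c_i).
    priors[i] = p(C = c_i); cond[i][j] maps each value v of D_j to p(X_j = v | C = c_i)."""
    best, best_score = None, -math.inf
    for i, prior in enumerate(priors):
        score = math.log(prior) + sum(math.log(cond[i][j][x_j]) for j, x_j in enumerate(x))
        if score > best_score:
            best, best_score = i, score
    return best

def decision_tree_classify(tree, x):
    """Walk the tree from the root. An interior node is the tuple (j, w, left, right):
    take `left` when x_j < w and `right` otherwise; a leaf is just the class label."""
    node = tree
    while isinstance(node, tuple):
        j, w, left, right = node
        node = left if x[j] < w else right
    return node

if __name__ == "__main__":
    # constructed sample models and feature vectors
    print(hyperplane_classify([[1, 0], [0, 1]], [3, 5]))                                   # 1
    print(naive_bayes_classify([0.5, 0.5], [[{0: 0.9, 1: 0.1}], [{0: 0.2, 1: 0.8}]], [1]))  # 1
    print(decision_tree_classify((0, 5, "a", (1, 2, "b", "c")), [7, 1]))                   # b
```

The Naive Bayes function already uses logarithms and sums instead of products, which is exactly what makes the classification step a sequence of additions followed by an argmax, the shape the later private protocols rely on.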
3.2 Cryptographic preliminaries 

3.2.1  Cryptosystems 

In this work, we use three additively homomorphic cryptosystems. A public-key encryption scheme HE is additively 
homomorphic if, given two encrypted messages HE.Enc(a) and HE.Enc(b), there exists a public-key operation ⊕ 
such that HE.Enc(a) ⊕ HE.Enc(b) is an encryption of a + b. We emphasize that these are homomorphic only for 
addition, which makes them efficient, unlike fully homomorphic encryption [Gen09], which supports any function. The 
cryptosystems we use are: 

1. the QR (Quadratic Residuosity) cryptosystem of Goldwasser-Micali [GM82], 

2. the Paillier cryptosystem [Pai99], and 

3. a leveled fully homomorphic encryption (FHE) scheme, HELib [Hal13]. 

3.2.2  Cryptographic  assumptions 

We prove that our protocols are secure based on the semantic security [Gol04] of the above cryptosystems. These 
cryptosystems rely on standard and well-studied computational assumptions: the Quadratic Residuosity assumption, the 
Decisional Composite Residuosity assumption, and the Ring Learning With Errors (RLWE) assumption. 

3.2.3  Adversarial  model 

We prove security of our protocols using the secure two-party computation framework for passive adversaries (or honest- 
but-curious [Gol04]) defined in Appendix B.1. To explain what a passive adversary is, at a high level, consider that a 
party called party A is compromised by such an adversary. This adversary tries to learn as much private information 
about the input of the other party by watching all the information party A receives; nevertheless, this adversary cannot 
prevent party A from following the prescribed protocol faithfully (hence, it is not an active adversary). 

To  enable  us  to  compose  various  protocols  into  a  bigger  protocol  securely,  we  invoke  modular  sequential  composition 
(see  Appendix  B.2). 

3.3  Notation 

All  our  protocols  are  between  two  parties:  parties  A  and  B  for  our  building  blocks  and  parties  C  (client)  and  S  (server) 
for  our  classifiers. 

Inputs and outputs of our building blocks are either unencrypted or encrypted with an additively homomorphic 
encryption scheme. We use the following notation. The plaintext space of QR is $\mathbb{F}_2$ (bits), and we denote by $[b]$ a bit $b$ 
encrypted under QR; the plaintext space of Paillier is $\mathbb{Z}_N$ where $N$ is the public modulus of Paillier, and we denote by 
$[\![m]\!]$ an integer $m$ encrypted under Paillier. The plaintext space of the FHE scheme is $\mathbb{F}_2$. We denote by $SK_P$ and $PK_P$ 
a secret and a public key for Paillier, respectively. Also, we denote by $SK_{QR}$ and $PK_{QR}$ a secret and a public key for 
QR. 

For a constant $b$, $a \leftarrow b$ means that $a$ is assigned the value of $b$. For a distribution $\mathcal{D}$, $a \leftarrow \mathcal{D}$ means that $a$ gets a 
sample from $\mathcal{D}$. 

4  Building  blocks 

In  this  section,  we  develop  a  library  of  building  blocks,  which  we  later  use  to  build  our  classifiers.  We  designed  this 
library  to  also  enable  constructing  other  classifiers  than  the  ones  described  in  our  paper.  The  building  blocks  in  this 
section  combine  existing  techniques  with  either  new  techniques  or  new  optimizations. 
Type | Input A                     | Input B          | Output A | Output B | Implementation 
-----+-----------------------------+------------------+----------+----------+--------------- 
1    | PK_P, PK_QR, a              | SK_P, SK_QR, b   | [a < b]  | -        | Sec. 4.1.1 
2    | PK_P, SK_QR, [[a]], [[b]]   | SK_P, PK_QR      | -        | [a < b]  | Sec. 4.1.2 
3    | PK_P, SK_QR, [[a]], [[b]]   | SK_P, PK_QR      | a < b    | [a < b]  | Sec. 4.1.2 
4    | PK_P, PK_QR, [[a]], [[b]]   | SK_P, SK_QR      | [a < b]  | -        | Sec. 4.1.3 
5    | PK_P, PK_QR, [[a]], [[b]]   | SK_P, SK_QR      | [a < b]  | a < b    | Sec. 4.1.3 

Table 2: The API of our comparison protocol and its implementation. There are five types of comparisons each having a different 
setup. ([[a]] denotes a Paillier encryption of the integer a and [a < b] a QR encryption of the comparison bit, following the notation of Section 3.3.) 

4.1  Comparison 

We  now  describe  our  comparison  protocol.  In  order  for  this  protocol  to  be  used  in  a  wide  range  of  classifiers,  its  setup 
needs  to  be  flexible:  namely,  it  has  to  support  a  range  of  choices  regarding  which  party  gets  the  input,  which  party 
gets  the  output,  and  whether  the  input  or  output  are  encrypted  or  not.  Table  2  shows  the  various  ways  our  comparison 
protocol  can  be  used.  In  each  case,  each  party  learns  nothing  else  about  the  other  party’s  input  other  than  what  Table  2 
indicates  as  the  output. 

We  implemented  each  row  of  Table  2  by  modifying  existing  protocols.  We  explain  only  the  modifications  here,  and 
defer  full  protocol  descriptions  to  Appendix  A  and  proofs  of  security  to  Appendix  C.l. 

There are at least two approaches to performing comparison efficiently: using specialized homomorphic 
encryption [DGK07, DGK09, EFG+09, Veu11], or using garbled circuits [BHKR13]. We compared empirically 
the performance of these approaches and concluded that the former is more efficient for comparison of encrypted values, 
and the second is more efficient for comparison of unencrypted values. 

4.1.1  Comparison  with  unencrypted  inputs  (Row  1) 

To  compare  unencrypted  inputs,  we  use  garbled  circuits  implemented  with  the  state-of-the-art  garbling  scheme  of 
Bellare  et  al.  [BHKR13],  the  short  circuit  for  comparison  of  Kolesnikov  et  al.  [KSS09]  and  a  well-known  oblivious 
transfer  (OT)  scheme  due  to  Naor  and  Pinkas  [NP01].  Since  most  of  our  other  building  blocks  expect  inputs  encrypted 
with  homomorphic  encryption,  one  also  needs  to  convert  from  a  garbled  output  to  homomorphic  encryption  to  enable 
composition. We can implement this easily using the random shares technique in [KSS13]. 

The  above  techniques  combined  give  us  the  desired  comparison  protocol.  Actually,  we  can  directly  combine  them 
to  build  an  even  more  efficient  protocol:  we  use  an  enhanced  comparison  circuit  that  also  takes  as  input  a  masking  bit. 
Using a garbled circuit and oblivious transfer, A will compute $(a < b) \oplus c$ where $c$ is a bit randomly chosen by B. B 
will also provide an encryption $[c]$ of $c$, enabling A to compute $[a < b]$ using the homomorphic properties of QR. 

4.1.2  Comparison  with  encrypted  inputs  (Rows  2,  3) 

Our  classifiers  also  require  the  ability  to  compare  two  encrypted  inputs.  More  specifically,  suppose  that  party  A  wants 
to  compare  two  encrypted  integers  a  and  b,  but  party  B  holds  the  decryption  key.  To  implement  this  task,  we  slightly 
modify Veugen's [Veu11] protocol: it uses a comparison with unencrypted inputs protocol as a sub-procedure, and we 
replaced  it  with  the  comparison  protocol  we  just  described  above.  This  yields  a  protocol  for  the  setup  in  Row  2.  To 
ensure  that  A  receives  the  plaintext  output  as  in  Row  3,  B  sends  the  encrypted  result  to  A  who  decrypts  it.  Appendix  A 
provides  the  detailed  protocol. 

4.1.3 Reversed comparison over encrypted data (Rows 4, 5) 

In  some  cases,  we  want  the  result  of  the  comparison  to  be  held  by  the  party  that  does  not  hold  the  encrypted  data.  For 
this,  we  modify  Veugen’s  protocol  to  reverse  the  outputs  of  party  A  and  party  B:  we  achieve  this  by  exchanging  the  role 
of  party  A  and  party  B  in  the  last  few  steps  of  the  protocol,  after  invoking  the  comparison  protocol  with  unencrypted 
inputs.  We  do  not  present  the  details  in  the  paper  body  because  they  are  not  insightful,  and  instead  include  them  in 
Appendix  A. 
This results in a protocol whose specification is in Row 4. To obtain Row 5, A sends the encrypted result to B who 
can  decrypt  it. 

4.1.4  Negative  integers  comparison  and  sign  determination 

Negative numbers are handled by the protocols above unchanged. Even though the Paillier plaintext space is "positive", a 
negative number simply becomes a large number in the plaintext space due to the cyclicity of the space. As long as the 
values encrypted are within a preset interval $(-2^l, 2^l)$ for some fixed $l$, Veugen's protocol and the above protocols 
work correctly. 

In some cases, we need to compute the sign of an encrypted integer $[\![b]\!]$. In this case, we simply compare to the 
encryption of 0. 

4.2  argmax  over  encrypted  data 

In this scenario, party A has $k$ values $a_1, \ldots, a_k$ encrypted under party B's secret key and wants party B to know the 
argmax over these values (the index of the largest value), but neither party should learn anything else. For example, if 
A has values $[\![1]\!]$, $[\![100]\!]$ and $[\![2]\!]$, B should learn that the second is the largest value, but learn nothing else. In particular, 
B should not learn the order relations between the $a_i$'s. 

Our protocol for argmax is shown in Protocol 1. We now provide intuition into the protocol and its security. 

Intuition. Let's start with a strawman. To prevent B from learning the order of the $k$ values $\{a_i\}_{i=1}^{k}$, A applies a 
random permutation $\pi$. The $i$-th element becomes $[\![a'_i]\!] = [\![a_{\pi(i)}]\!]$ instead of $[\![a_i]\!]$. 

Now, A and B compare the first two values $[\![a'_1]\!]$ and $[\![a'_2]\!]$ using the comparison protocol from row 4 of Table 2. 
B learns the index, $m$, of the larger value, and tells A to compare $[\![a'_m]\!]$ to $[\![a'_3]\!]$ next. After iterating in this manner 
through all the $k$ values, B determines the index $m$ of the largest value. A can then compute $\pi^{-1}(m)$ which represents 
the argmax in the original, unpermuted order. 

Since A applied a random permutation $\pi$, B does not learn the ordering of the values. The problem, though, is that 
A learns this ordering because, at every iteration, A knows the value of $m$ up to that step and $\pi$. One way to fix this 
problem is for B to compare every pair of inputs from A, but this would result in a quadratic number of comparisons, 
which is too slow. 

Instead, our protocol preserves the linear number of comparisons from above. The idea is that, at each iteration, 
once B determines which is the maximum of the two values compared, B should randomize the encryption of this 
maximum in such a way that A cannot link this value to one of the values compared. B uses the Refresh procedure for 
the randomization of Paillier ciphertexts. In the case where the "refresher" knows the secret key, this can be seen as a 
decryption followed by a re-encryption. If not, it can be seen as a multiplication by an encryption of 0. 

A difficulty is that, to randomize the encryption of the maximum $[\![a'_m]\!]$, B needs to get this encryption; however, 
B must not receive this encryption because B has the key $SK_P$ to decrypt it, which violates privacy. Instead, the idea is 
for A itself to add noise $r_i$ and $s_i$ to $[\![a'_m]\!]$, so decryption at B yields random values, then B refreshes the ciphertext, 
and then A removes the randomness $r_i$ and $s_i$ it added. 

In the end, our protocol performs $k - 1$ encrypted comparisons of $l$-bit integers and $7(k - 1)$ homomorphic 
operations (refreshes, multiplications and subtractions). In terms of round trips, we add $k - 1$ roundtrips to the 
comparison protocol, one roundtrip per loop iteration. 

Proposition  4.1.  Protocol  1  is  correct  and  secure  in  the  honest-but-curious  model. 

Proof intuition. The correctness property is straightforward. Let's argue security. A does not learn intermediary 
results in the computation because of the security of the comparison protocol and because she gets a refreshed ciphertext 
from B which A cannot couple to a previously seen ciphertext. B does learn the result of each comparison; however, 
since A applied a random permutation before the comparison, B learns no useful information. See Appendix C for a 
complete proof. 
Protocol 1 argmax over encrypted data 

Input A: $k$ encrypted integers $([\![a_1]\!], \ldots, [\![a_k]\!])$, the bit length $l$ of the $a_i$, and public keys $PK_{QR}$ and $PK_P$ 
Input B: Secret keys $SK_P$ and $SK_{QR}$, the bit length $l$ 
Output A: $\operatorname{argmax}_i a_i$ 

1: A: chooses a random permutation $\pi$ over $\{1, \ldots, k\}$ 
2: A: $[\![\max]\!] \leftarrow [\![a_{\pi(1)}]\!]$ 
3: B: $m \leftarrow 1$ 
4: for $i = 2$ to $k$ do 
5:   Using the comparison protocol (Sec. 4.1.3), B gets the bit $b_i = (\max < a_{\pi(i)})$ 
6:   A picks two random integers $r_i, s_i \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$ 
7:   A: $[\![m'_i]\!] \leftarrow [\![\max]\!] \cdot [\![r_i]\!]$                    ▷ $m'_i = \max + r_i$ 
8:   A: $[\![a'_i]\!] \leftarrow [\![a_{\pi(i)}]\!] \cdot [\![s_i]\!]$                ▷ $a'_i = a_{\pi(i)} + s_i$ 
9:   A sends $[\![m'_i]\!]$ and $[\![a'_i]\!]$ to B 
10:  if $b_i$ is true then 
11:    B: $m \leftarrow i$ 
12:    B: $[\![v_i]\!] \leftarrow \mathrm{Refresh}\,[\![a'_i]\!]$                 ▷ $v_i = a'_i$ 
13:  else 
14:    B: $[\![v_i]\!] \leftarrow \mathrm{Refresh}\,[\![m'_i]\!]$                 ▷ $v_i = m'_i$ 
15:  end if 
16:  B sends to A $[\![v_i]\!]$ 
17:  B sends to A $[\![b_i]\!]$ 
18:  A: $[\![\max]\!] \leftarrow [\![v_i]\!] \cdot (g^{-1} \cdot [\![b_i]\!])^{r_i} \cdot [\![b_i]\!]^{-s_i}$ 
19:                                                    ▷ $\max = v_i + (b_i - 1) \cdot r_i - b_i \cdot s_i$ 
20: end for 
21: B sends $m$ to A 
22: A outputs $\pi^{-1}(m)$ 

4.3  Changing  the  encryption  scheme 

To  enable  us  to  compose  various  building  blocks,  we  developed  a  protocol  for  converting  ciphertexts  from  one  encryption 
scheme  to  another  while  maintaining  the  underlying  plaintexts.  We  first  present  a  protocol  that  switches  between  two 
encryption  schemes  with  the  same  plaintext  size  (such  as  QR  and  FHE  over  bits),  and  then  present  a  different  protocol 
for  switching  from  QR  to  Paillier. 

Concretely, consider two additively homomorphic encryption schemes $E_1$ and $E_2$, both semantically secure with the 
same plaintext space $M$. Let $[\cdot]_1$ be an encryption using $E_1$ and $[\![\cdot]\!]_2$ an encryption using $E_2$. Consider that party B has 
the secret keys $SK_1$ and $SK_2$ for both schemes and A has the corresponding public keys $PK_1$ and $PK_2$. Party A also 
has a value encrypted with $PK_1$, $[c]_1$. Our protocol, Protocol 2, enables A to obtain an encryption of $c$ under $E_2$, $[\![c]\!]_2$, 
without revealing anything to B about $c$. 

Protocol intuition. The idea is for A to add a random noise $r$ to the ciphertext using the homomorphic property of 
$E_1$. Then B decrypts the resulting value with $E_1$ (obtaining $x + r \in M$), encrypts it with $E_2$, and sends the result to A, 
which removes the randomness $r$ using the homomorphic property of $E_2$. Even though B was able to decrypt $[c']_1$, B 
obtains $x + r \in M$ which hides $x$ in an information-theoretic way (it is a one-time pad). 

Note that, for some schemes, the plaintext space $M$ depends on the secret keys. In this case, we must be sure that 
party A can still choose uniformly elements of $M$ without knowing it. For example, for Paillier, $M = \mathbb{Z}_N^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^*$ 
where $p$ and $q$ are the private primes. However, in this case, A can sample noise in $\mathbb{Z}_N$: such a sample lies in $\mathbb{Z}_N^*$ with 
probability $(1 - \frac{1}{p})(1 - \frac{1}{q}) \approx 1 - \frac{2}{\sqrt{N}}$, i.e. it fails to with only negligible probability (remember $N$ is large: 1024 bits in our instantiation). 

Proposition  4.2.  Protocol  2  is  secure  in  the  honest-but-curious  model. 

In our classifiers, we use this protocol for $M = \{0, 1\}$ and the encryption schemes are QR (for $E_1$) and an FHE 
scheme over bits (for $E_2$). In some cases, we might also want to switch from QR to Paillier (e.g. reuse the encrypted 
result of a comparison in a homomorphic computation), which has a different message space. Note that we can simulate 
the homomorphic XOR operation and a message space $M = \{0, 1\}$ with Paillier: we can easily compute the encryption 
of $b_1 \oplus b_2$ under Paillier when at most one of the $b_i$ is encrypted (which we explain in the next subsection). This is the 
case in our setting because party A has the randomness $r$ in the clear. 

Protocol 2 Changing the encryption scheme 
Input A: $[c]_1$ and public keys $PK_1$ and $PK_2$ 
Input B: Secret keys $SK_1$ and $SK_2$ 

Output A: $[\![c]\!]_2$ 

1: A uniformly picks $r \leftarrow M$ 

2: A sends $[c']_1 \leftarrow [c]_1 \cdot [r]_1$ to B 

3: B decrypts $c'$ and re-encrypts it with $E_2$ 

4: B sends $[\![c']\!]_2$ to A 

5: A: $[\![c]\!]_2 = [\![c']\!]_2 \cdot [\![r]\!]_2^{-1}$ 

6: A outputs $[\![c]\!]_2$ 

4.3.1  XOR  with  Paillier. 

Suppose a party gets the bit $b_1$ encrypted under Paillier's encryption scheme, and that this party only has the public key. 
This party knows the bit $b_2$ in the clear and wants to compute the encryption $[\![b_1 \oplus b_2]\!]$. 

To do so, we just have to notice that 

$$b_1 \oplus b_2 = \begin{cases} b_1 & \text{if } b_2 = 0 \\ 1 - b_1 & \text{if } b_2 = 1 \end{cases}$$

Hence, it is very easy to compute an encryption of $b_1 \oplus b_2$ if we know the modulus $N$ and the generator $g$ (cf. Paillier's 
scheme construction): 

$$[\![b_1 \oplus b_2]\!] = \begin{cases} [\![b_1]\!] & \text{if } b_2 = 0 \\ g \cdot [\![b_1]\!]^{-1} \bmod N^2 & \text{if } b_2 = 1 \end{cases}$$

If we want to unveil the result to an adversary who knows the original encryption of $b_1$ (but not the secret key), we 
have to refresh the result of the previous function to ensure semantic security. 


4.4  Computing  dot  products 

For  completeness,  we  include  a  straightforward  algorithm  for  computing  dot  products  of  two  vectors,  which  relies  on 
Paillier’s  homomorphic  property. 


Protocol 3 Private dot product 

Input A: $x = (x_1, \ldots, x_d) \in \mathbb{Z}^d$, public key $PK_P$ 

Input B: $y = (y_1, \ldots, y_d) \in \mathbb{Z}^d$, secret key $SK_P$ 

Output A: $[\![\langle x, y \rangle]\!]$ 

1: B encrypts $y_1, \ldots, y_d$ and sends the encryptions $[\![y_i]\!]$ to A 

2: A computes $[\![v]\!] = \prod_{i=1}^{d} [\![y_i]\!]^{x_i} \bmod N^2$ 

3: A re-randomizes and outputs $[\![v]\!]$                    ▷ $v = \sum_{i=1}^{d} y_i x_i$ 

Proposition  4.3.  Protocol  3  is  secure  in  the  honest-but-curious  model. 
4.5 Dealing with floating point numbers 

Although  all  our  protocols  manipulate  integers,  classifiers  usually  use  floating  point  numbers.  Hence,  when  developing 
classifiers  with  our  protocol  library,  we  must  adapt  our  protocols  accordingly. 

Fortunately,  most  of  the  operations  involved  are  either  additions  or  multiplications.  As  a  consequence,  a  simple 
solution is to multiply each floating point value by a constant $K$ (e.g. $K = 2^{52}$ for IEEE 754 doubles) and thus support 
finite  precision.  We  must  also  consider  the  bit  length  for  the  comparisons.  We  show  an  example  of  a  full  analysis  in 
Section  6  for  the  Naive  Bayes  classifier. 
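The following added example (written for this page; it is not code from the paper or its library) shows the two ways of turning doubles into the integers the protocols need: the plain scaling by a constant K = 2^52 suggested above, and an exact variant that generalises the analysis the paper carries out for the Naive Bayes classifier in Section 6: every double is written as m' · 2^(e−52) with an integer m', K is chosen from the smallest exponent, and then K · v is an integer for every value with no rounding at all. The function names and the use of math.frexp are this example's own choices; the inputs are constructed.

```python
import math
from fractions import Fraction

K_DOUBLE = 2 ** 52   # the constant K proposed above for IEEE 754 doubles

def to_fixed(v, K=K_DOUBLE):
    """Plain scaling: multiply by K and round to the nearest integer. Sums and comparisons
    of the scaled integers agree with those of the originals up to an error of 1/K per value."""
    return round(v * K)

def exact_scaling(values):
    """Exact scaling (example's own name), the Section 6 analysis applied to any list of doubles.
    Each double is v_i = m'_i * 2^(e_i - 52) with |m'_i| an integer in [2^52, 2^53); with
    e* = min_i e_i and K = 2^(52 - e*), K * v_i = m'_i * 2^(e_i - e*) is an integer."""
    parts = []
    for v in values:
        frac, exp = math.frexp(v)            # v = frac * 2^exp with 0.5 <= |frac| < 1
        e = exp - 1                          # rewrite as v = m * 2^e with 1 <= |m| < 2
        m_prime = int(frac * 2 ** 53)        # m' = m * 2^52; exact, a double has 53 significant bits
        parts.append((m_prime, e))
    e_star = min(e for _, e in parts)
    K = 2 ** (52 - e_star)
    scaled = [m_prime * 2 ** (e - e_star) for m_prime, e in parts]
    return K, scaled

def is_exact(values):
    """Verify with exact rational arithmetic that K * v_i equals the produced integer for every i."""
    K, scaled = exact_scaling(values)
    return all(Fraction(v) * K == s for v, s in zip(values, scaled))

def bit_length_needed(values):
    """Bit length l to run the comparison protocol with, so every scaled value lies in (-2^l, 2^l)."""
    _, scaled = exact_scaling(values)
    return max(abs(s) for s in scaled).bit_length()

if __name__ == "__main__":
    # constructed sample values (e.g. log-probabilities would be negative doubles like these)
    sample = [0.75, -0.1, 3.5]
    print(to_fixed(sample[0]))                     # 3377699720527872 (= 0.75 * 2^52)
    K, scaled = exact_scaling(sample)
    print(K.bit_length() - 1, scaled, is_exact(sample), bit_length_needed(sample))
```

The exact variant is what makes the comparison step safe: with plain rounding two values that differ by less than 1/K collapse to the same integer, whereas here the scaled integers preserve every order relation of the originals, at the cost of a larger bit length l, which the last function reports so it can be passed to the comparison protocol.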


5  Private  hyperplane  decision 

Recall from Section 3.1 that this classifier computes 

$$k^* = \operatorname{argmax}_{i \in [k]} \langle w_i, x \rangle.$$

Now that we constructed our library of building blocks, it is straightforward to implement this classifier securely: the 
client computes the encryption $[\![\langle w_i, x \rangle]\!]$ for all $i \in [k]$ using the dot product protocol and then applies the argmax 
protocol (Protocol 1) to the encrypted dot products. 


Protocol 4 Private hyperplane decision 

Client's (C) Input: $x = (x_1, \ldots, x_d) \in \mathbb{Z}^d$, public keys $PK_P$ and $PK_{QR}$ 
Server's (S) Input: $\{w_i\}_{i=1}^{k}$ where $\forall i \in [k]$, $w_i \in \mathbb{Z}^d$, secret keys $SK_P$ and $SK_{QR}$ 
Client's Output: $\operatorname{argmax}_{i \in [k]} \langle w_i, x \rangle$ 

1: for $i = 1$ to $k$ do 

2:   C and S run Protocol 3 for private dot product where C is party A with input $x$ and S is party B with input $w_i$. 

3:   C gets $[\![v_i]\!]$, the result of the protocol.                    ▷ $v_i \leftarrow \langle x, w_i \rangle$ 

4: end for 

5: C and S run Protocol 1 for argmax where C is the A, and S the B, and $[\![v_1]\!], \ldots, [\![v_k]\!]$ the input ciphertexts. C gets 
the result $i_0$ of the protocol.                                        ▷ $i_0 \leftarrow \operatorname{argmax}_{i \in [k]} v_i$ 

6: C outputs $i_0$ 


Proposition  5.1.  Protocol  4  is  secure  in  the  honest-but-curious  model. 
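The following added example (written for this page; it is not the authors' implementation) carries Protocols 1, 3 and 4 through on a toy Paillier instance, and also contains the additive homomorphism of Section 3.2.1 and the XOR trick of Section 4.3.1. Assumptions to note: the two primes are small constructed values so the demo runs instantly (the paper uses a 1024-bit N); the Row-4 comparison sub-protocol of Section 4.1.3, whose details are in the paper's appendix, is replaced by an oracle that simply decrypts both operands, so the demo reproduces the data flow and the unblinding arithmetic of Protocol 1 but not the privacy of that sub-protocol; and `lam` is the example's name for the statistical security parameter of the blinding noise.

```python
import random
from math import gcd

# Toy Paillier on two constructed small primes (demo only; the paper uses a 1024-bit N).
P, Q = 65537, 65539
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lcm(p - 1, q - 1)
G = N + 1                                          # generator g = N + 1, an encryption of 1
MU = pow((pow(G, LAMBDA, N2) - 1) // N, -1, N)

def enc(m):
    """[[m]] = g^m * r^N mod N^2 with a fresh random r (m taken mod N, so negatives wrap)."""
    r = random.randrange(1, N)
    return pow(G, m % N, N2) * pow(r, N, N2) % N2

def dec(c):
    """m = L(c^lambda mod N^2) * mu mod N, with L(u) = (u - 1) / N."""
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N

def refresh(c):
    """Refresh without the secret key: multiply by a fresh encryption of 0."""
    return c * enc(0) % N2

def to_signed(m, l):
    """Read a Z_N element as an integer in (-2^l, 2^l), as in Section 4.1.4."""
    return m - N if m > N // 2 else m

def xor_paillier(c_b1, b2):
    """Section 4.3.1: [[b1 xor b2]] from [[b1]] and a clear bit b2, refreshed afterwards."""
    c = c_b1 if b2 == 0 else G * pow(c_b1, -1, N2) % N2   # g * [[b1]]^-1 = [[1 - b1]]
    return refresh(c)

def private_dot_product(x, enc_y):
    """Protocol 3, party A's computation: [[<x, y>]] = prod_i [[y_i]]^{x_i} mod N^2, re-randomised."""
    acc = 1
    for x_i, c_y_i in zip(x, enc_y):
        acc = acc * pow(c_y_i, x_i % N, N2) % N2
    return refresh(acc)

def private_argmax(enc_a, l=8, lam=16):
    """Protocol 1 with both parties simulated in one process.
    A holds [[a_1]], ..., [[a_k]] (values in (-2^l, 2^l)) under B's key.
    Returns (A's output: the true argmax index, B's view: the permuted index m)."""
    k = len(enc_a)
    pi = list(range(k))
    random.shuffle(pi)                               # step 1: pi(i) is pi[i] (0-based)
    c_max = enc_a[pi[0]]                             # step 2
    m = 0                                            # step 3
    for i in range(1, k):
        c_a_i = enc_a[pi[i]]
        # Step 5: the Row-4 comparison protocol of Section 4.1.3 gives B the bit
        # b_i = (max < a_pi(i)). Stand-in oracle (assumption): decrypt both operands;
        # the real sub-protocol reveals nothing to either party.
        b_i = int(to_signed(dec(c_max), l) < to_signed(dec(c_a_i), l))
        # Steps 6-9: A blinds both candidates so B never sees max or a_pi(i).
        r_i = random.randrange(1, 2 ** (lam + l))
        s_i = random.randrange(1, 2 ** (lam + l))
        c_m_prime = c_max * enc(r_i) % N2            # m'_i = max + r_i
        c_a_prime = c_a_i * enc(s_i) % N2            # a'_i = a_pi(i) + s_i
        # Steps 10-17: B refreshes the winner's blinded ciphertext and sends [[b_i]].
        if b_i:
            m = i
            c_v = refresh(c_a_prime)
        else:
            c_v = refresh(c_m_prime)
        c_b = enc(b_i)
        # Step 18: A strips the blinding, max = v_i + (b_i - 1) r_i - b_i s_i.
        t1 = pow(pow(G, -1, N2) * c_b % N2, r_i, N2)  # [[(b_i - 1) * r_i]]
        t2 = pow(c_b, -s_i, N2)                      # [[-b_i * s_i]]
        c_max = c_v * t1 % N2 * t2 % N2
    return pi[m], m                                  # steps 21-22: A outputs pi^-1(m)

def private_hyperplane(x, W):
    """Protocol 4: the client (party A) holds x, the server (party B) holds w_1, ..., w_k."""
    enc_scores = [private_dot_product(x, [enc(w_ij) for w_ij in w]) for w in W]
    return private_argmax(enc_scores)[0]

if __name__ == "__main__":
    print(dec(enc(5) * enc(7) % N2))                               # 12: additive homomorphism
    print(private_argmax([enc(1), enc(100), enc(2)])[0])           # 1
    print(private_hyperplane([2, 1], [[1, 0], [0, 3], [-1, -1]]))  # 1
```

Step 18 is where the protocol's correctness rests: g is an encryption of 1, so g^{-1} · [[b_i]] encrypts b_i − 1, and raising it to r_i and [[b_i]] to −s_i cancels exactly the noise A added in steps 7 and 8, whichever branch B took. Note also that the blinding range 2^(lam + l) must stay well below N/2 for the wrap-around reading of to_signed to remain valid; with the toy N of about 2^32 and lam + l = 24 that holds here.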


6  Secure  Naive  Bayes  classifier 

Section 3 describes the Naive Bayes classifier. The goal is for the client to learn $k^*$ without learning anything about 
the probabilities that constitute the model, and the server should learn nothing about $x$. Recall that the feature values 
domain is discrete and finite. 

As is typically done for numerical stability reasons, we work with the logarithm of the probability distributions: 

$$k^* = \operatorname{argmax}_{i \in [k]} \log p(C = c_i \mid X = x) = \operatorname{argmax}_{i \in [k]} \Big\{ \log p(C = c_i) + \sum_{j=1}^{d} \log p(X_j = x_j \mid C = c_i) \Big\} \qquad (2)$$
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6.1  Preparing  the  model 

Since the Paillier encryption scheme works with integers, we convert each log of a probability from above to an integer by multiplying it with a large number K (recall that the plaintext space of Paillier is large, ≈ 2^1024, thus allowing for a large K), thus still maintaining high accuracy. The issues due to using integers for Bayesian classification have been previously studied in [TRMP12], even though their setting was even more restricting than ours. However, they use a similar idea to ours: shifting the logarithms of the probabilities and using a fixed point representation.

As the only operations used in the classification step are additions and comparisons (cf. Equation (2)), we can just multiply the conditional probabilities p(x_j | c_i) by a constant K so as to get integers everywhere, while keeping the same classification result.

For example, if we are able to compute the conditional probabilities using IEEE 754 double precision floating point numbers, with 52 bits of precision, then we can represent every probability p as

p = m · 2^e

where the binary representation of m is (m)_2 = 1.d and d is a 52-bit integer. Hence we have 1 ≤ m < 2 and we can rewrite m as

m = m' / 2^52 with m' ∈ N ∩ [2^52, 2^53)

We use this representation to find a constant K such that K · v_i ∈ N for all i. As seen before, we can write the v_i's as

v_i = m'_i · 2^{e_i − 52}

Let e* = min_i e_i, and δ_i = e_i − e* ≥ 0. Then,

v_i = m'_i · 2^{δ_i} · 2^{e* − 52}

So let K = 2^{52 − e*}. We have K · v_i = m'_i · 2^{δ_i} ∈ N. An important thing to notice is that the v_i's can be very large integers (due to δ_i), and this might cause overflow errors. However, remember that we are doing all this to store logarithms of probabilities in Paillier ciphertexts; since Paillier's plaintext space is very large (more than 1024 bits in our setting) and the δ_i's remain small^3, this is not an issue. Also notice that this shifting procedure can be done without any loss of precision, as we can directly work with the bit representation of the floating point numbers.

Finally, we must also ensure that we do not overflow Paillier's message space when doing all the operations (homomorphic additions, comparisons, ...). If, as before, d is the number of features, the maximum number of bits when doing the computations will be l_max = d + 1 + (52 + δ*) where δ* = max_i δ_i: we have to add the probabilities for the d features and the probability of the class label (the d + 1 term), and each probability is encoded using (52 + δ*) bits. Hence, the value l used for the comparison protocols must be chosen larger than l_max.

Hence, we must ensure that log_2 N > l_max + 1 + λ where λ is the security parameter and N is the modulus for Paillier's cryptosystem plaintext space (cf. Section 4.1.2). This condition is easily fulfilled as, for a good level of security, we have to take log_2 N ≥ 1024 and we usually take λ ≈ 100.

Let D_j be the domain of possible values of x_j (the j-th attribute of the feature vector x). The server prepares kd + 1 tables as part of the model, where K is computed as described just before:

• One table for the priors on the classes P: P(i) = ⌈K log p(C = c_i)⌉.

• One table per feature j per class i, T_{i,j}: T_{i,j}(v) = ⌈K log p(X_j = v | C = c_i)⌉, for all v ∈ D_j.

The tables remain small: P has one entry per category, i.e. k entries total, and T has one entry per category and feature value, i.e. k · D entries where D = Σ_j |D_j|. In our examples, this represents less than 3600 entries. Moreover, this preparation step can be done once and for all at server startup, and is hence amortized.

3 If the biggest δ_i is 10, the ratio between the smallest and the biggest probability is of order 2^{2^10} = 2^1024 ...
6.2 Protocol


Let us begin with some intuition. The server encrypts each entry in these tables with Paillier and gives the resulting encryption (the encrypted model) to the client. For every class c_i, the client uses Paillier's additive homomorphism to compute [p_i] = [P(i)] · Π_{j=1}^d [T_{i,j}(x_j)]. Finally, the client runs the argmax protocol, Protocol 1, to get argmax_i p_i. For completeness, the protocol is shown in Protocol 5.


Protocol 5 Naive Bayes Classifier

Client's (C) Input: x = (x_1, ..., x_d) ∈ Z^d, public key PK_P, secret key SK_QR
Server's (S) Input: The secret key SK_P, public key PK_QR and probability tables {log p(C = c_i)}_{1≤i≤k} and {{log p(X_j = v | C = c_i)}_{v∈D_j}}_{1≤i≤k, 1≤j≤d}
Client's Output: i_0 such that p(x, c_{i_0}) is maximum

1: The server prepares the tables P and {T_{i,j}}_{1≤i≤k, 1≤j≤d}, and encrypts their entries using Paillier.
2: The server sends [P] and {[T_{i,j}]}_{1≤i≤k, 1≤j≤d} to the client.
3: For all 1 ≤ i ≤ k, the client computes [p_i] = [P(i)] · Π_{j=1}^d [T_{i,j}(x_j)].
4: The client runs the argmax protocol (Protocol 1) with the server and gets i_0 = argmax_i p_i.
5: C outputs i_0


Proposition  6.1.  Protocol  5  is  secure  in  the  honest-but-curious  model. 

Proof  intuition.  Given  the  security  property  of  the  argmax  protocol,  Protocol  1 ,  and  the  semantic  security  of  the 
Paillier  cryptosystem,  the  security  of  this  classifier  follows  trivially,  by  invoking  a  modular  composition  theorem. 

Efficiency. Note that the tables P and {T_{i,j}}_{1≤i≤k, 1≤j≤d} can be prepared in advance. Hence the cost of constructing the tables can be amortized over many uses. To compute the encrypted probabilities p_i's, the client runs d homomorphic operations (here multiplications) for each i, hence doing kd modular multiplications. Then the parties run a single argmax protocol, i.e. k − 1 comparisons and O(k) homomorphic operations. Thus, compared to non-encrypted computation, the overhead comes only from the use of homomorphic encryption operations instead of plaintext operations. Regarding the number of round trips, these are due to the argmax protocol: k − 1 runs of the comparison protocol and k − 1 additional round trips.
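The encoding of Section 6.1 and steps 1 to 3 of Protocol 5, as an added Python example that is not part of the paper or its C++ implementation: it recovers m' and e from IEEE 754 doubles, derives K = 2^(52 − e*), checks the l_max bound against a toy Paillier modulus, and lets the client multiply the encrypted table entries. The probabilities, feature domains and key size are constructed for the demo, and the argmax of step 4 (Protocol 1) is replaced by decryption so the scores can be checked.

```python
import math
import secrets

# ---- Section 6.1: exact fixed-point encoding of log-probabilities ----
def decompose(v):
    """Write |v| = m' * 2^(e-52) with m' an integer in [2^52, 2^53), as for IEEE 754 doubles."""
    mant, exp = math.frexp(abs(v))              # |v| = mant * 2^exp, mant in [0.5, 1)
    m_prime, e = int(mant * 2 ** 53), exp - 1   # m = 2*mant in [1, 2), m' = m * 2^52
    assert 2 ** 52 <= m_prime < 2 ** 53 and m_prime * 2.0 ** (e - 52) == abs(v)
    return m_prime, e

def encode(v, k_exp):
    """K * v with K = 2^k_exp = 2^(52 - e*): the exact integer m'_i * 2^delta_i, signed like v."""
    m_prime, e = decompose(v)
    delta = e - (52 - k_exp)                    # delta_i = e_i - e*
    assert delta >= 0, "k_exp must be 52 - min e_i over every value that shares K"
    return -(m_prime << delta) if v < 0 else (m_prime << delta)

def prepare_model(priors, cond):
    """Integer tables P(i) = K log p(C=c_i), T_ij(v) = K log p(X_j=v|C=c_i); returns (k_exp, P, T, l_max)."""
    # cond[i][j] maps each feature value v in D_j to p(X_j = v | C = c_i)
    logs = [math.log(p) for p in priors]
    logs += [math.log(p) for per_class in cond for tbl in per_class for p in tbl.values()]
    exps = [decompose(lp)[1] for lp in logs]
    k_exp = 52 - min(exps)                      # K = 2^(52 - e*)
    P = [encode(lp, k_exp) for lp in logs[:len(priors)]]
    T = [[{v: encode(math.log(p), k_exp) for v, p in tbl.items()} for tbl in per_class]
         for per_class in cond]
    l_max = len(cond[0]) + 1 + (52 + max(exps) - min(exps))   # d + 1 + (52 + delta*)
    return k_exp, P, T, l_max

# ---- Toy Paillier (demo key generation only, not hardened for real use) ----
def _probable_prime(n, rounds=32):
    """Miller-Rabin test for odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` long
        if _probable_prime(cand):
            return cand

def paillier_keygen(bits=512):
    """Return (N, (lambda, mu)); with g = N + 1 the decryption constant is mu = lambda^-1 mod N."""
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    n, lam = p * q, math.lcm(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def paillier_enc(n, m):
    """[m] = (1 + m*N) * r^N mod N^2; a negative m is encoded as m mod N."""
    n2, r = n * n, secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def paillier_dec(n, sk, c):
    lam, mu = sk
    x = (pow(c, lam, n * n) - 1) // n * mu % n
    return x - n if x > n // 2 else x                # back to a signed integer

# ---- Protocol 5, steps 1 to 3 ----
def server_encrypt_model(n, P, T):
    """Step 1: every table entry is encrypted under the server's Paillier key."""
    enc_p = [paillier_enc(n, v) for v in P]
    enc_t = [[{v: paillier_enc(n, t) for v, t in tbl.items()} for tbl in per_class]
             for per_class in T]
    return enc_p, enc_t

def client_scores(n, enc_p, enc_t, x):
    """Step 3: [p_i] = [P(i)] * prod_j [T_ij(x_j)] mod N^2, i.e. K * log p(c_i, x) still encrypted."""
    n2, out = n * n, []
    for enc_pi, tables in zip(enc_p, enc_t):
        c = enc_pi
        for j, xj in enumerate(x):
            c = c * tables[j][xj] % n2
        out.append(c)
    return out

def run_demo(x):
    """Constructed 2-class, 2-feature model; returns (i_0, encrypted scores match plaintext tables)."""
    priors = [0.3, 0.7]
    cond = [[{0: 0.5, 1: 0.3, 2: 0.2}, {0: 0.1, 1: 0.1, 2: 0.8}],
            [{0: 0.2, 1: 0.2, 2: 0.6}, {0: 0.6, 1: 0.3, 2: 0.1}]]
    k_exp, P, T, l_max = prepare_model(priors, cond)
    n, sk = paillier_keygen(512)
    assert n.bit_length() > l_max + 1 + 100          # log2 N > l_max + 1 + lambda, lambda = 100
    enc_p, enc_t = server_encrypt_model(n, P, T)
    dec = [paillier_dec(n, sk, c) for c in client_scores(n, enc_p, enc_t, x)]  # stands in for Protocol 1
    plain = [P[i] + sum(T[i][j][xj] for j, xj in enumerate(x)) for i in range(len(P))]
    return max(range(len(P)), key=dec.__getitem__), dec == plain
```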

7  Private  decision  trees 

A private decision tree classifier allows the server to traverse a binary decision tree using the client's input x such that the server does not learn the input x, and the client does not learn the structure of the tree and the thresholds at each node. A challenge is that, in particular, the client should not learn the path in the tree that corresponds to x: the position of the path in the tree and the length of the path leak information about the model. The outcome of the classification does not necessarily leak the path in the tree.

The idea is to express the decision tree as a polynomial P whose output is the result of the classification, the class predicted for x. Then, the server and the client privately compute inputs to this polynomial based on x and the thresholds w_i. Finally, the server evaluates the polynomial P privately.

7.1  Polynomial  form  of  a  decision  tree 

Consider that each node of the tree has a boolean variable associated to it. The value of the boolean at a node is 1 if, on input x, one should follow the right branch, and 0 otherwise. For example, denote the boolean variable at the root of the tree by b_1. The value of b_1 is 1 if x_1 < w_1 (recall Figure 2), and 0 otherwise.

We construct a polynomial P that, on input all these boolean variables and the value of each class at a leaf node, outputs the class predicted for x. The idea is that P is a sum of terms, where each term (say t) corresponds to a path in the tree from root to a leaf node (say c). A term t evaluates to c iff x is classified along that path in T, else it evaluates to zero. Hence, the term corresponding to a path in the tree is naturally the multiplication of the boolean variables on that path and the class at the leaf node. For example, for the tree in Figure 3, P is

P(b_1, b_2, b_3, b_4, c_1, ..., c_5) = b_1 (b_3 · (b_4 · c_5 + (1 − b_4) · c_4) + (1 − b_3) · c_3) + (1 − b_1)(b_2 · c_2 + (1 − b_2) · c_1).


Figure  3:  Decision  tree  with  booleans 


We now present F, a recursive procedure for constructing P given a binary decision tree T:

If T consists only of a leaf node with category index c_i, F(T) = c_i.
If T is empty, return F(T) = 0.

Otherwise, T has an internal node using boolean b and T_0 and T_1 are its left and right subtrees. Then F(T) = b · F(T_1) + (1 − b) · F(T_0).


7.2  Private  evaluation  of  a  polynomial 

Let us first explain how to compute the values of the boolean variables securely. Let n be the number of nodes in the tree and n_leaves be the number of leaves in the tree. These values must remain unknown to the server because they leak information about x: they are the result of the intermediate computations of the classification criterion. For each boolean variable b_i, the server and the client engage in the comparison protocol to compare w_i and the corresponding attribute of x. As a result, the server obtains [b_i] for i ∈ 1...n; the server then changes the encryption of these values to FHE using Protocol 2, thus obtaining ⟦b_i⟧.

The server evaluates P on (⟦b_1⟧, ..., ⟦b_n⟧) using the homomorphic properties of FHE. In most cases, FHE evaluation is very slow, but we succeed in making it efficient through a combination of techniques we now discuss. To understand these techniques, recall that a typical FHE evaluation happens over a circuit whose gates are modular addition and multiplication. The performance of FHE depends a lot on the depth of multiplications in this circuit.

First,  we  use  a  leveled  FHE  scheme:  a  scheme  that  supports  only  an  a  priori  fixed  multiplicative  depth  instead  of  an 
arbitrary  such  depth.  As  long  as  this  depth  is  small,  such  a  scheme  is  much  faster  than  a  full  FHE  scheme. 

Second, we ensure that the multiplicative depth is very small using a tree-based evaluation. If h_max is the maximum height of the decision tree, then P has a term a_1 · ... · a_{h_max}. If we evaluate this term naively with FHE, we multiply these values sequentially. This yields a multiplicative depth of h_max, which makes FHE slow for common h_max values. Instead, we construct a binary tree over these values and multiply them in pairs based on the structure of this tree. This results in a multiplicative depth of log_2 h_max (e.g., 4), which makes FHE evaluation significantly more efficient.

Finally, we use F_2 as the plaintext space and SIMD slots for parallelism. FHE schemes are significantly faster when the values encrypted are bits (namely, in F_2); however, P contains classes (e.g., c_i) which are usually more than a bit in length. To enable computing P over F_2, we represent each class in binary. Let l = ⌈log_2 k⌉ (k is the number of classes) be the number of bits needed to represent a class. We evaluate P l times, once for each of the l bits of a class. Concretely, the j-th evaluation of P takes as input b_1, ..., b_n and, for each leaf node c_i, its j-th bit c_{ij}. The result is P(b_1, ..., b_n, c_{1j}, c_{2j}, ..., c_{n_leaves j}), which represents the j-th bit of the outcome class. Hence, we need to run the FHE evaluation l times.

To avoid this factor of l, the idea is to use a nice feature of FHE called SIMD slots (as described in [SV11]): these allow encrypting multiple bits in a single ciphertext such that any operation applied to the ciphertext gets applied in parallel to each of the bits. Hence, for each class c_i, the server creates an FHE ciphertext ⟦c_{i0}, ..., c_{i,l−1}⟧. For each node b_i, it creates an FHE ciphertext ⟦b_i, ..., b_i⟧ by simply repeating the b_i value in each slot. Then, the server runs one FHE evaluation of P over all these ciphertexts and obtains ⟦c_{o0}, ..., c_{o,l−1}⟧ where c_o is the outcome class. Hence, instead of l FHE evaluations, the server runs the evaluation only once. This results in a performance improvement of log k, a factor of 2 and more in our experiments. We were able to apply SIMD slot parallelism due to the fortunate fact that the same polynomial P had to be computed for each slot.

Finally, evaluating the decision tree is done using 2n FHE multiplications and 2n FHE additions where n is the number of criteria. The evaluation circuit has multiplication depth ⌈log_2(n) + 1⌉.
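Procedure F of Section 7.1 together with the depth-reducing tree-wise product and the bit-sliced SIMD evaluation of Section 7.2, as an added Python example that is not the paper's HELib code: ciphertexts are modelled as (value, multiplicative depth) pairs so the cost of a leveled evaluation can be counted, the F_2 evaluation keeps one slot per class bit and ends with the client's reconstruction of Protocol 6 step 5, and the tree of Figure 3 is the constructed input.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union

@dataclass
class Leaf:
    cls: int                      # class value stored at this leaf

@dataclass
class Node:
    b: int                        # index i of the boolean b_i decided at this node
    left: "Tree"                  # T_0, taken when b_i = 0
    right: "Tree"                 # T_1, taken when b_i = 1

Tree = Union[Leaf, Node, None]
# A term of P is (literals, class): a literal (i, 1) is the factor b_i, (i, 0) is (1 - b_i).
Term = Tuple[Tuple[Tuple[int, int], ...], int]

def to_polynomial(t: Tree, path: Tuple[Tuple[int, int], ...] = ()) -> List[Term]:
    """Procedure F: F(T) = b*F(T_1) + (1-b)*F(T_0), expanded into one term per root-to-leaf path."""
    if t is None:
        return []
    if isinstance(t, Leaf):
        return [(path, t.cls)]
    return (to_polynomial(t.right, path + ((t.b, 1),))
            + to_polynomial(t.left, path + ((t.b, 0),)))

def traverse(t: Tree, bits: Dict[int, int]) -> int:
    """Plain classification: follow the booleans down to a leaf."""
    while isinstance(t, Node):
        t = t.right if bits[t.b] else t.left
    return t.cls

# "Ciphertexts" are (value, multiplicative depth); additions do not increase the depth.
Ct = Tuple[int, int]

def mul(a: Ct, b: Ct) -> Ct:
    return a[0] * b[0], max(a[1], b[1]) + 1

def add(a: Ct, b: Ct) -> Ct:
    return a[0] + b[0], max(a[1], b[1])

def product_sequential(factors: List[Ct]) -> Ct:
    """Naive left-to-right product: depth = number of factors - 1."""
    acc = factors[0]
    for f in factors[1:]:
        acc = mul(acc, f)
    return acc

def product_tree(factors: List[Ct]) -> Ct:
    """Pairwise product along a balanced binary tree: depth = ceil(log2(number of factors))."""
    while len(factors) > 1:
        nxt = [mul(factors[i], factors[i + 1]) for i in range(0, len(factors) - 1, 2)]
        if len(factors) % 2:
            nxt.append(factors[-1])
        factors = nxt
    return factors[0]

def evaluate(poly: List[Term], bits: Dict[int, int], combine=product_tree) -> Ct:
    """Evaluate P over the integers on fresh (depth 0) encryptions of the b_i and the class values."""
    total: Ct = (0, 0)
    for literals, cls in poly:
        factors = [((bits[i] if v else 1 - bits[i]), 0) for i, v in literals] + [(cls, 0)]
        total = add(total, combine(factors))
    return total

def evaluate_f2_simd(poly: List[Term], bits: Dict[int, int], l: int) -> int:
    """One evaluation over F_2 with l SIMD slots, slot j holding bit j of every class (Protocol 6, steps 4-5)."""
    slots = [0] * l
    for literals, cls in poly:
        term = [(cls >> j) & 1 for j in range(l)]        # leaf ciphertext: class bits in the slots
        for i, v in literals:
            bit = bits[i] if v else 1 - bits[i]           # b_i (or 1 - b_i) replicated in every slot
            term = [(s * bit) % 2 for s in term]
        slots = [(s + t) % 2 for s, t in zip(slots, term)]
    return sum(v << j for j, v in enumerate(slots))      # client's step 5: sum_j v_j * 2^j

def figure3_tree() -> Tree:
    """Figure 3: root b_1; right subtree b_3 over (b_4: c_4 / c_5) and c_3; left subtree b_2 over c_1 / c_2."""
    return Node(1, Node(2, Leaf(1), Leaf(2)), Node(3, Leaf(3), Node(4, Leaf(4), Leaf(5))))

def check_all(t: Tree, l: int = 3) -> bool:
    """Both evaluations must agree with plain traversal for every assignment of the booleans."""
    poly = to_polynomial(t)
    idx = sorted({i for literals, _ in poly for i, _ in literals})
    for values in product((0, 1), repeat=len(idx)):
        bits = dict(zip(idx, values))
        expect = traverse(t, bits)
        if evaluate(poly, bits)[0] != expect or evaluate_f2_simd(poly, bits, l) != expect:
            return False
    return True
```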

7.3  Formal  description 

Protocol  6  describes  the  resulting  protocol. 


Protocol 6 Decision Tree Classifier

Client's (C) Input: x = (x_1, ..., x_n) ∈ Z^n, secret keys SK_QR, SK_FHE
Server's (S) Input: The public keys PK_QR, PK_FHE, the model as a decision tree, including the n thresholds {w_i}_{i=1}^n.
Client's Output: The value of the leaf of the decision tree associated with the inputs b_1, ..., b_n.

1: S produces an n-variate polynomial P as described in Section 7.1.
2: S and C interact in the comparison protocol, so that S obtains [b_i] for i ∈ [1...n] by comparing w_i to the corresponding attribute of x.
3: Using Protocol 2, S changes the encryption from QR to FHE and obtains ⟦b_1⟧, ..., ⟦b_n⟧.
4: To evaluate P, S encrypts the bits of each category c_i using FHE and SIMD slots, obtaining ⟦c_{i1}, ..., c_{il}⟧. S uses SIMD slots to compute homomorphically ⟦P(b_1, ..., b_n, c_{10}, ..., c_{n_leaves 0}), ..., P(b_1, ..., b_n, c_{1,l−1}, ..., c_{n_leaves, l−1})⟧. It rerandomizes the resulting ciphertext using FHE's rerandomization function, and sends the result to the client.
5: C decrypts the result as the bit vector (v_0, ..., v_{l−1}) and outputs Σ_{i=0}^{l−1} v_i · 2^i.


Proposition  7.1.  Protocol  6  is  secure  in  the  honest-but-curious  model. 

Proof  intuition.  The  proof  is  in  Appendix  C,  but  we  give  some  intuition  here.  During  the  comparison  protocol,  the 
server  only  learns  encrypted  bits,  so  it  learns  nothing  about  x.  During  FHE  evaluation,  it  similarly  learns  nothing  about 
the  input  due  to  the  security  of  FHE.  The  client  does  not  learn  the  structure  of  the  tree  because  the  server  performs  the 
evaluation  of  the  polynomial.  Similarly,  the  client  does  not  learn  the  bits  at  the  nodes  in  the  tree  because  of  the  security 
of  the  comparison  protocol. 

The  interactions  between  the  client  and  the  server  are  due  to  the  comparisons  almost  exclusively:  the  decision  tree 
evaluation  does  not  need  any  interaction  but  sending  the  encrypted  result  of  the  evaluation. 
bool Linear_Classifier_Client::run()
{
    exchange_keys();

    // values_ is a vector of integers
    // compute the dot product
    mpz_class v = compute_dot_product(values_);
    mpz_class w = 1;  // encryption of 0

    // compare the dot product with 0
    return enc_comparison(v, w, bit_size_, false);
}

void Linear_Classifier_Server_session::run_session()
{
    exchange_keys();

    // enc_model_ is the encrypted model vector
    // compute the dot product
    help_compute_dot_product(enc_model_, true);

    // help the client to get
    // the sign of the dot product
    help_enc_comparison(bit_size_, false);
}

Figure  4:  Implementation  example:  a  linear  classifier 


Bit size | A Computation | B Computation | Total Time | Communication | Interactions
10       | 14.11 ms      | 8.39 ms       | 105.5 ms   | 4.60 kB       | 3
20       | 18.29 ms      | 14.1 ms       | 117.5 ms   | 8.82 kB       | 3
32       | 22.9 ms       | 18.8 ms       | 122.6 ms   | 13.89 kB      | 3
64       | 34.7 ms       | 32.6 ms       | 134.5 ms   | 27.38 kB      | 3

Table 3: Comparison with unencrypted input protocols evaluation.


8  Combining  classifiers  with  AdaBoost 

AdaBoost is a technique introduced in [FS97]. The idea is to combine a set of weak classifiers h_i(x) : x ↦ {−1, +1} to obtain a better classifier. The AdaBoost algorithm chooses t scalars {α_i}_{i=1}^t and constructs a strong classifier as:

H(x) = sign( Σ_{i=1}^t α_i h_i(x) )

If each of the h_i(·)'s is an instance of a classifier supported by our protocols, then given the scalars α_i, we can easily and securely evaluate H(x) by simply composing our building blocks. First, we run the secure protocols for each of the h_i, except that the server keeps the intermediate result, the outcome of h_i(x), encrypted using one of our comparison protocols (Rows 2 or 4 of Table 2). Second, if necessary, we convert them to Paillier's encryption scheme with Protocol 2, and combine these intermediate results using Paillier's additive homomorphic property as in the dot product protocol, Protocol 3. Finally, we run the comparison over encrypted data algorithm to compare the result so far with zero, so that the client gets the final result.


9  Implementation 

We have implemented the protocols and the classifiers in C++ using GMP^4, Boost, Google's Protocol Buffers^5, and HELib [Hal13] for the FHE implementation.

The code is written in a modular way: all the elementary protocols defined in Section 4 can be used as black boxes with minimal developer effort. Thus, writing secure classifiers comes down to invoking the right API calls to the protocols. For example, for the linear classifier, the client simply calls a key exchange protocol to set up the various keys, followed by the dot product protocol, and then the comparison of encrypted data protocol to output the result, as shown in Figure 4.

4 http://gmplib.org/

5 https://code.google.com/p/protobuf/
Protocol       | Bit size | Party A Computation | Party B Computation | Total Time | Communication | Interactions
Comparison     | 64       | 45.34 ms            | 43.78 ms            | 190.9 ms   | 27.91 kB      | 6
Reversed Comp. | 64       | 48.78 ms            | 42.49 ms            | 195.7 ms   | 27.91 kB      | 6

Table 4: Comparison with encrypted input protocols evaluation.


Party A Computation | Party B Computation | Total Time | Communication | Interactions
30.80 ms            | 255.3 ms            | 360.7 ms   | 420.1 kB      | 2

Table 5: Change encryption scheme protocol evaluation.


10  Evaluation 

To evaluate our work, we answer the following questions: (i) can our building blocks be used to construct other classifiers in a modular way (Section 10.1), (ii) what is the performance overhead of our building blocks (Section 10.3), and (iii) what is the performance overhead of our classifiers (Section 10.4)?


10.1  Using  our  building  blocks  library 

Here  we  demonstrate  that  our  building  blocks  library  can  be  used  to  build  other  classifiers  modularly  and  that  it  is 
a  useful  contribution  by  itself.  We  will  construct  a  multiplexer  and  a  face  detector.  A  face  detection  algorithm  over 
encrypted  data  already  exists  [AB06,  AB07],  so  our  construction  here  is  not  the  first  such  construction,  but  it  serves  as 
a  proof  of  functionality  for  our  library. 


10.1.1  Building  a  multiplexer  classifier 

A multiplexer is the following generalized comparison function:

f_{α,β}(a, b) = α if a > b, and β otherwise.

We can express f_{α,β} as a linear combination of the bit d = (a ≤ b):

f_{α,β}(d) = d · β + (1 − d) · α = α + d · (β − α).

To implement this classifier privately, we compute [d] by comparing a and b, keeping the result encrypted with QR, and then changing the encryption scheme (cf. Section 4.3) to Paillier.

Then, using Paillier's homomorphism and knowledge of α and β, we can compute an encryption of f_{α,β}(d):

[f_{α,β}(d)] = [α] · [d]^{β − α}.


10.1.2  Viola  and  Jones  face  detection 

The Viola and Jones face detection algorithm [VJ01] is a particular case of an AdaBoost classifier. Denote by X an image represented as an integer vector and x a particular detection window (a subset of X's coefficients). The strong classifier H for this particular detection window is

H(x) = sign( Σ_i α_i h_i(x) )

where the h_i are weak classifiers of the form h_i(x) = sign(⟨x, y_i⟩ − θ_i).
Data set          | Model size | Computation: Client | Computation: Server | Time per protocol: Compare | Time per protocol: Dot product | Total running time | Comm.    | Interactions
Breast cancer (2) | 30         | 46.4 ms             | 43.8 ms             | 194 ms                     | 9.67 ms                        | 204 ms             | 35.84 kB | 7
Credit (3)        | 47         | 55.5 ms             | 43.8 ms             | 194 ms                     | 23.6 ms                        | 217 ms             | 40.19 kB | 7

(a) Linear Classifier. Time per protocol includes communication.


Data set          | Specs.: C | Specs.: F | Computation: Client | Computation: Server | Time per protocol: Prob. Comp. | Time per protocol: Argmax | Total running time | Comm.    | Interactions
Breast Cancer (1) | 2         | 9         | 150 ms              | 104 ms              | 82.9 ms                        | 396 ms                    | 479 ms             | 72.47 kB | 14
Nursery (5)       | 5         | 9         | 537 ms              | 368 ms              | 82.8 ms                        | 1332 ms                   | 1415 ms            | 150.7 kB | 42
Audiology (4)     | 24        | 70        | 1652 ms             | 1664 ms             | 431 ms                         | 3379 ms                   | 3810 ms            | 1911 kB  | 166

(b) Naive Bayes Classifier. C is the number of classes and F is the number of features. The Prob. Comp. column corresponds to the computation of the probabilities p(c_i | x) (cf. Section 6). Time per protocol includes communication.


Data set    | Tree Specs.: N | Tree Specs.: D | Computation: Client | Computation: Server | Time per protocol: Compare | Time per protocol: ES Change | Time per protocol: FHE Eval. | Time per protocol: FHE Decrypt | Comm.   | Interactions
Nursery (5) | 4              | 4              | 1579 ms             | 798 ms              | 446 ms                     | 1639 ms                      | 239 ms                       | 33.51 ms                       | 2639 kB | 30
ECG (6)     | 6              | 4              | 2297 ms             | 1723 ms             | 1410 ms                    | 7406 ms                      | 899 ms                       | 35.1 ms                        | 3555 kB | 44

(c) Decision Tree Classifier. ES change indicates the time to run the protocol for changing encryption schemes. N is the number of nodes of the tree and D is its depth. Time per protocol includes communication.


Table 6: Classifiers evaluation.


In our setting, Alice owns the image and Bob the classifier (e.g. the vectors {y_i} and the scalars {θ_i} and {α_i}). Neither of them wants to disclose their input to the other party. Thanks to our building blocks, Alice can run Bob's classifier on her image without her learning anything about the parameters and without Bob learning any information about her image.

The weak classifiers can be seen as multiplexers; with the above notation, we have h_i(x) = f_{1,−1}(⟨x, y_i⟩ − θ_i). Using the elements of Section 10.1.1, we can easily compute the encrypted evaluation of every one of these weak classifiers under Paillier, and then, as described in Section 8, compute the encryption of H(x).

10.2  Performance  evaluation  setup 

Our performance evaluations were run using two desktop computers each with identical configuration: two Intel Core i7 (64 bit) processors for a total of 4 cores running at 2.66 GHz and 8 GB RAM. Since the machines were on the same network, we inflated the round trip time for a packet to be 40 ms to mimic real network latency. We used 1024-bit cryptographic keys, and chose the statistical security parameter λ to be 100. When using HELib, we use 80 bits of security, which corresponds to a 1024-bit asymmetric key.

10.3  Building  blocks  performance 

We  examine  performance  in  terms  of  computation  time  at  the  client  and  server,  communication  bandwidth,  and  also 
number  of  interactions  (round  trips).  We  can  see  that  all  these  protocols  are  efficient,  with  a  runtime  on  the  order  of 
milliseconds. 

10.3.1  Comparison  protocols 


Comparison with unencrypted input. Table 3 gives the running time of the comparison protocol with unencrypted input for various input sizes.
Comparison with encrypted input. Table 4 presents the performance of the comparison with encrypted inputs protocols.

10.3.2  argmax 

Figure 5 presents the running times and the communication overhead of the argmax of encrypted data protocol (cf. Section 4.2). The input integers were 64 bit integers.


Figure 5: Argmax of encrypted data protocol evaluation. The bars represent the execution of the protocol when the comparisons are executed one after each other, linearly. The line represents the execution when comparisons are executed in parallel, tree-wise.


10.3.3  Consequences  of  the  latency  on  performances 

It is worth noticing that for most blocks, most of the running time is spent communicating: the network's latency has a huge influence on the performance of the protocols (running time almost linear in the latency for some protocols). To improve the performance of a classifier implemented with our blocks, we might want to run several instances of some building blocks in parallel. This is actually what we did with the tree-based implementation of the argmax protocol, greatly improving the performance of the protocol (cf. Figure 5).

10.4  Classifier  performance 

Here we evaluate each of the classifiers described in Sections 5-7. The models are trained non-privately using scikit-learn^6. We used the following datasets from the UCI machine learning repository [BL13]:

1.  the  Wisconsin  Diagnostic  Breast  Cancer  data  set, 

2.  the  Wisconsin  Breast  Cancer  (Original)  data  set,  a  simplified  version  of  the  previous  dataset, 

3.  Credit  Approval  data  set, 

4.  Audiology  (Standardized)  data  set, 

5. Nursery data set, and

6. ECG (electrocardiogram) classification data from Barni et al. [BFK+09]

6 http://scikit-learn.org

These data sets represent scenarios in which we want to ensure privacy of the server's model and of the client's input.

Based  on  the  suitability  of  each  classifier,  we  used  data  sets  2  and  3  to  test  the  hyperplane  decision  classifier,  sets  1, 
4  and  5  for  the  Naive  Bayes  classifier,  and  sets  5  and  6  for  the  decision  tree  classifier. 

Table  6  shows  the  performance  results.  Our  classifiers  run  in  at  most  a  few  seconds,  which  we  believe  to  be  practical 
for  sensitive  applications.  Note  that  even  if  the  datasets  become  very  large,  the  size  of  the  model  stays  the  same  -  the 
dataset  size  only  affects  the  training  phase  which  happens  on  unencrypted  data  before  one  uses  our  classifiers.  Hence, 
the  cost  of  our  classification  will  be  the  same  even  for  very  large  data  sets. 

For the decision tree classifier, we compared our construction to Barni et al. [BFK+09]^7 on the ECG dataset (by turning their branching program into a decision tree). Their performance is 2609 ms for the client and 6260 ms for the server with a communication cost of 112.2 KB. Even though their evaluation does not consider the communication delays, we are still more than three times as fast for the server and faster for the client.

10.5  Comparison  to  generic  two-party  tools 

A  set  of  generic  secure  two-  or  multi-party  computation  tools  have  been  developed,  such  as  TASTY  [HKS+10]  and 
Fairplay  [MNPS04,  BDNP08].  These  support  general  functions,  which  include  our  classifiers. 

However,  they  are  prohibitively  slow  for  our  specific  setting.  Our  efficiency  comes  from  specializing  to  classification 
functionality.  To  demonstrate  their  performance,  we  attempted  to  evaluate  the  Naive  Bayes  classifier  with  these.  We 
used  FairplayMP  to  generate  the  circuit  for  this  classifier  and  then  TASTY  to  run  the  private  computation  on  the  circuit 
thus  obtained.  We  tried  to  run  the  smallest  Naive  Bayes  instance,  the  Nursery  dataset  from  our  evaluation,  which  has 
only  3  possible  values  for  each  feature,  but  we  ran  out  of  memory  during  the  circuit  generation  phase  on  a  powerful 
machine  with  256GB  of  RAM. 

Hence, we had to reduce the classification problem to only 3 classes (versus 5). Then, the circuit generation took more than 2 hours with FairplayMP, and the time to run the classification with TASTY was 413196 msec (with no network delay), which is ≈ 500 times slower than our performance (on the non-reduced classification problem with 5 classes). Thus, our specialized protocols improve performance by orders of magnitude.

11  Conclusion 

In  this  paper,  we  constructed  three  major  privacy-preserving  classifiers  as  well  as  provided  a  library  of  building  blocks 
that  enables  constructing  other  classifiers.  We  demonstrated  the  efficiency  of  our  classifiers  and  library  on  real  datasets. 
7 In Barni et al. [BFK+09], the evaluation was run over two 3GHz computers directly connected via Gigabit Ethernet. We scaled the given results by  to get a better comparison basis.
A Comparison protocols

A.1 Comparison with unencrypted inputs

Our protocol for comparing with encrypted inputs is Protocol 7 and here is some intuition. We follow the main idea from Veugen [Veu11] (found in Section 2.1): compute 2^l + b − a (over encrypted data) and check the (l + 1)-th bit (the bit corresponding to the power 2^l). If it is 1, it means that b ≥ a, else b < a.

We also assume that the encryption scheme is additively homomorphic. In [Veu11] (Section 2.1), Veugen presents a solution for a similar problem except that A only gets the encrypted bit, not the bit in the clear. So we modify his protocol in Protocol 7.

In the description of Protocol 7, N is the modulus associated with Paillier's cryptosystem.


Protocol 7 Comparing encrypted data

Input A: $[a]$ and $[b]$, the bit length $l$ of $a$ and $b$, the secret key $\mathrm{SK}_{QR}$, the public key $\mathrm{PK}_P$
Input B: the secret key $\mathrm{SK}_P$, the public key $\mathrm{PK}_{QR}$, the bit length $l$

Output A: $(a < b)$

1: A: $[x] \leftarrow [b] \cdot [2^l] \cdot [a]^{-1} \bmod N^2$
2: A chooses a random number $r \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$
3: A: $[z] \leftarrow [x] \cdot [r] \bmod N^2$  ▷ Blind $x$
4: A sends $[z]$ to B
5: B decrypts $[z]$
6: A: $c \leftarrow r \bmod 2^l$
7: B: $d \leftarrow z \bmod 2^l$
8: With A, B privately computes the encrypted bit $[t']$ such that $t' = (d < c)$ using DGK
9: A encrypts $r_l$ and sends $[r_l]$ to B
10: B encrypts $z_l$
11: B: $[t] \leftarrow [t'] \cdot [z_l] \cdot [r_l]$
12: B sends $[t]$ to A
13: A decrypts and outputs $t$

Here $r_l$ and $z_l$ denote the $l$-th bit (the bit of weight $2^l$) of $r$ and $z$. Steps 1 to 5 use Paillier encryption; Steps 8 to 13 use the QR encryption of bits, whose ciphertext product is an XOR, so the product in Step 11 encrypts $t' \oplus z_l \oplus r_l$.


We will show the correctness of the protocol and then give a proof of security in the honest-but-curious model using modular composition. For the correctness, we just modify the proof of [Veu11].

Proposition A.1. Protocol 7 is correct and secure in the honest-but-curious model.

See proof in Appendix C.

A.2 Reversed encrypted comparison

We constructed Protocol 8, which is the same as Protocol 7 except that the roles of A and B are exchanged in Steps 8 to 13.

Proposition A.2. Protocol 8 is secure in the honest-but-curious model.

The proof is in Appendix C.


Protocol 8 Reversed comparing encrypted data

Input A: $[a]$ and $[b]$, the public keys $\mathrm{PK}_{QR}$ and $\mathrm{PK}_P$
Input B: the secret keys $\mathrm{SK}_P$ and $\mathrm{SK}_{QR}$

Output B: $(a < b)$

Run Steps 1 to 7 of Protocol 7.

8: With B, A privately computes the encrypted bit $[t']$ such that $t' = (d < c)$ using DGK
9: B encrypts $z_l$ and sends $[z_l]$ to A
10: A encrypts $r_l$
11: A: $[t] \leftarrow [t'] \cdot [z_l] \cdot [r_l]$
12: A sends $[t]$ to B
13: B decrypts and outputs $t$


B Preliminaries for proofs

B.1 Secure two-party computation framework

All our protocols are two-party protocols, whose parties we label A and B. To show that they perform private computations, we work in the honest-but-curious (semi-honest) model as described in [Gol04].

Let $f = (f_A, f_B)$ be a (probabilistic) polynomial function and $\Pi$ a protocol computing $f$. A and B want to compute $f(a, b)$, where $a$ is A's input and $b$ is B's input, using $\Pi$ and with security parameter $\lambda$. The view of party A during the execution of $\Pi$ is the tuple $V_A(\lambda, a, b) = (1^\lambda;\ a;\ r_A;\ m_1^A, \ldots, m_t^A)$ where $r_A$ is A's random tape and $m_1^A, \ldots, m_t^A$ are the messages received by A. We define the view of B similarly. We also define the outputs of parties A and B for the execution of $\Pi$ on input $(a, b)$ as $\mathrm{Output}^\Pi_A(\lambda, a, b)$ and $\mathrm{Output}^\Pi_B(\lambda, a, b)$, and the global output as $\mathrm{Output}^\Pi(\lambda, a, b) = (\mathrm{Output}^\Pi_A(\lambda, a, b), \mathrm{Output}^\Pi_B(\lambda, a, b))$.

To ensure security, we have to show that whatever A can compute from its interactions with B can be computed from its input and output, which leads to the following security definition.

Definition B.1. The two-party protocol $\Pi$ securely computes the function $f$ if there exist two probabilistic polynomial time algorithms $S_A$ and $S_B$ such that for every possible input $a, b$ of $f$,

$$\{S_A(1^\lambda, a, f_A(a, b)),\ f(a, b)\} \equiv_c \{V_A(\lambda, a, b),\ \mathrm{Output}^\Pi(\lambda, a, b)\}$$

and

$$\{S_B(1^\lambda, b, f_B(a, b)),\ f(a, b)\} \equiv_c \{V_B(\lambda, a, b),\ \mathrm{Output}^\Pi(\lambda, a, b)\}$$

where $\equiv_c$ denotes computational indistinguishability against probabilistic polynomial time adversaries with negligible advantage in the security parameter $\lambda$.

To simplify the notation (and the proofs), hereinafter we omit the security parameter. As we mostly consider deterministic functions $f$, we can simplify the distributions we want to show indistinguishable (see [Gol04]): when $f$ is deterministic, to prove the security of a protocol $\Pi$ that computes $f$, we only have to show that

$$S_A(a, f_A(a, b)) \equiv_c V_A(a, b)$$

$$S_B(b, f_B(a, b)) \equiv_c V_B(a, b)$$

Unless written explicitly, we will always prove security using this simplified definition.
B.2 Modular Sequential Composition

In order to ease the proofs of security, we use sequential modular composition, as defined in [Can98]. The idea is that the parties run a protocol $\Pi$ that uses calls to an ideal functionality $f$ (e.g. A and B compute $f$ privately by sending their inputs to a trusted third party and receiving the result). If we can show that $\Pi$ respects privacy in the honest-but-curious model, and if we have a protocol $\rho$ that privately computes $f$ in the same model, then we can replace the ideal calls to $f$ by executions of $\rho$ in $\Pi$; the new protocol, denoted $\Pi^\rho$, is then secure in the honest-but-curious model.

We call hybrid model with ideal access to $f_1, \ldots, f_m$, or $(f_1, \ldots, f_m)$-hybrid model, the semi-honest model augmented with an incorruptible trusted party $T$ for evaluating the functionalities $f_1, \ldots, f_m$. The parties run a protocol $\Pi$ that contains calls to $T$ for the evaluation of one of $f_1, \ldots, f_m$. For each call, each party sends its input and waits until the trusted party sends the output back. We emphasize that the parties must not communicate until receiving $T$'s output (we consider only sequential composition). Ideal calls to the trusted party can be made several times, even for the same function, but each call is independent: $T$ does not maintain state between two calls.

Let $\Pi$ be a two-party protocol in the $(f_1, \ldots, f_m)$-hybrid model. Let $\rho_1, \ldots, \rho_m$ be real protocols (i.e. protocols in the semi-honest model) computing $f_1, \ldots, f_m$, and define $\Pi^{\rho_1, \ldots, \rho_m}$ as follows. Every ideal call of $\Pi$ to the trusted party for $f_i$ is replaced by a real execution of $\rho_i$: if party $P_j$ has to compute $f_i$ with input $x_j$, $P_j$ halts, starts an execution of $\rho_i$ with the other party, gets the result $\beta_j$ when $\rho_i$ concludes, and continues as if $\beta_j$ had been received from $T$.

Theorem B.2 ([Can98], Theorem 5, restated as in [LP08], Theorem 3). Let $f_1, \ldots, f_m$ be two-party probabilistic polynomial time functionalities and $\rho_1, \ldots, \rho_m$ protocols that compute respectively $f_1, \ldots, f_m$ in the presence of semi-honest adversaries.

Let $g$ be a two-party probabilistic polynomial time functionality and $\Pi$ a protocol that securely computes $g$ in the $(f_1, \ldots, f_m)$-hybrid model in the presence of semi-honest adversaries.

Then $\Pi^{\rho_1, \ldots, \rho_m}$ securely computes $g$ in the presence of semi-honest adversaries.

B.3 Cryptographic assumptions

Assumption 1 (Quadratic Residuosity Assumption, from [GM82]). Let $N = p \times q$ be the product of two distinct odd primes $p$ and $q$. Let $\mathrm{QR}_N$ be the set of quadratic residues modulo $N$ and $\mathrm{QNR}_N$ the set of quadratic non-residues with Jacobi symbol 1 (i.e. $x \in \mathrm{QNR}_N$ if $x$ is not a square modulo $N$ and its Jacobi symbol is 1).

$\{(N, \mathrm{QR}_N) : |N| = \lambda\}$ and $\{(N, \mathrm{QNR}_N) : |N| = \lambda\}$ are computationally indistinguishable with respect to probabilistic polynomial time algorithms.

Assumption 2 (Decisional Composite Residuosity Assumption, from [Pai99]). Let $N = p \times q$, $|N| = \lambda$, be the product of two distinct odd primes $p$ and $q$. A number $z$ is said to be an $N$-th residue modulo $N^2$ if there exists a number $y \in \mathbb{Z}_{N^2}$ such that

$$z = y^N \bmod N^2.$$

$N$-th residues are computationally indistinguishable from non-$N$-th residues with respect to probabilistic polynomial time algorithms.

For further explanations about the following assumption, used for the FHE scheme, we refer the reader to [BGV12].

Assumption 3 (RLWE). For security parameter $\lambda$, let $f(x) = x^d + 1$ where $d$ is a power of 2. Let $q \geq 2$ be an integer. Let $R = \mathbb{Z}[x]/(f(x))$ and let $R_q = R/qR$. Let $\chi$ be a distribution over $R$. The $\mathrm{RLWE}_{d,q,\chi}$ problem is to distinguish between two distributions: in the first distribution, one samples $(a_i, b_i)$ uniformly from $R_q^2$; in the second distribution, one first draws $s \leftarrow R_q$ uniformly and then samples $(a_i, b_i) \in R_q^2$ by sampling $a_i \leftarrow R_q$ uniformly, $e_i \leftarrow \chi$, and setting

$$b_i = a_i \cdot s + e_i.$$

The $\mathrm{RLWE}_{d,q,\chi}$ assumption is that the $\mathrm{RLWE}_{d,q,\chi}$ problem is infeasible.
C Proofs

C.1 Comparison protocols

Proof of Proposition A.1. Correctness. As $a$ and $b$ are $l$-bit integers, $x = 2^l + b - a$ is an $(l+1)$-bit integer and its most significant bit (the $(l+1)$-th bit) is 1 iff $a \leq b$ (equality is included, since $a = b$ gives $x = 2^l$; this is the bit the protocol outputs as $(a < b)$). What Protocol 7 actually does is compute this bit. The computations are done over encrypted data, using Paillier's encryption scheme. In the rest of the proof, we proceed as if the data were not encrypted under Paillier. The correctness holds as long as we do not experience carry-overs modulo $N$; in particular, this requires $l + 1 + \lambda < \log_2 N$. For operations over bits using QR, we do not have this problem as we are operating over $\mathbb{F}_2$.

Since $x$ is an $(l+1)$-bit number, its most significant bit is $x \div 2^l$, where $\div$ denotes integer division. We have $x = 2^l (x \div 2^l) + (x \bmod 2^l)$ where $0 \leq (x \bmod 2^l) < 2^l$. As $z = x + r$,

$$z = 2^l (z \div 2^l) + (z \bmod 2^l) = 2^l \big((x \div 2^l) + (r \div 2^l)\big) + \big((x \bmod 2^l) + (r \bmod 2^l)\big).$$

Hence $z \div 2^l = (x \div 2^l) + (r \div 2^l)$ if $(x \bmod 2^l) + (r \bmod 2^l) < 2^l$, and $z \div 2^l = (x \div 2^l) + (r \div 2^l) + 1$ otherwise. More generally, $z \div 2^l = (x \div 2^l) + (r \div 2^l) + t'$ where $t' = 0 \iff (x \bmod 2^l) + (r \bmod 2^l) < 2^l$.

We can also notice that, if $t' = 0$, $z \bmod 2^l = (x \bmod 2^l) + (r \bmod 2^l)$, and $z \bmod 2^l = (x \bmod 2^l) + (r \bmod 2^l) - 2^l$ otherwise. As a consequence,

$$t' = 0 \iff z \bmod 2^l = (x \bmod 2^l) + (r \bmod 2^l) \iff z \bmod 2^l \geq (r \bmod 2^l),$$

i.e. $t' = (d < c)$ for $d = z \bmod 2^l$ and $c = r \bmod 2^l$ as in Steps 6 to 8. In the end, as $x \div 2^l$ is either 0 or 1, we can compute everything modulo 2:

$$x \div 2^l = (z \div 2^l) - (r \div 2^l) - t' \bmod 2 = z_l \oplus r_l \oplus t'.$$
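Protocol 7 and the correctness argument above, run end to end on toy parameters as an added example (this is not code from the paper): a minimal Paillier and Goldwasser-Micali (QR) implementation of our own, with the DGK sub-protocol of Step 8 replaced by an assumed ideal functionality `ideal_dgk`, exactly as the hybrid-model proof treats it. The key sizes and the parameters $l = 16$, $\lambda = 40$ are for illustration only; the condition $l + 1 + \lambda < \log_2 N$ of the proof is asserted in the code.

```python
# Added example: Protocol 7 with toy Paillier + QR keys and an ideal DGK step.
# Not the paper's code; key sizes are far too small for any real use.
import random
from math import gcd


def _is_prime(n, rounds=16):
    """Miller-Rabin; adequate for toy key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(p):
            return p

def _unit(n):
    """Uniform element of Z_n^* (used as encryption randomness)."""
    r = random.randrange(1, n)
    return r if gcd(r, n) == 1 else _unit(n)

# Paillier: additively homomorphic, [m1]*[m2] mod N^2 encrypts m1 + m2
def paillier_keygen(bits=64):
    p, q = _rand_prime(bits), _rand_prime(bits)
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n,), (n, lam, pow(lam, -1, n))   # g = N + 1, so L(g^lam mod N^2) = lam mod N

def paillier_enc(pk, m):
    n = pk[0]
    return pow(n + 1, m % n, n * n) * pow(_unit(n), n, n * n) % (n * n)

def paillier_dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

# Goldwasser-Micali (QR): one bit per ciphertext, [b1]*[b2] mod N encrypts b1 XOR b2
def _is_qr(a, p):
    return pow(a % p, (p - 1) // 2, p) == 1

def qr_keygen(bits=64):
    p, q = _rand_prime(bits), _rand_prime(bits)
    n = p * q
    while True:   # y: non-residue mod p and mod q, hence Jacobi symbol +1 modulo N
        y = random.randrange(2, n)
        if gcd(y, n) == 1 and not _is_qr(y, p) and not _is_qr(y, q):
            return (n, y), (p, q)

def qr_enc(pk, bit):
    n, y = pk
    r = _unit(n)
    return r * r * pow(y, bit, n) % n

def qr_dec(sk, c):
    return 0 if _is_qr(c, sk[0]) else 1

def ideal_dgk(d, c):
    # Assumed stand-in for the DGK sub-protocol of Step 8 (the trusted party of the
    # hybrid model): B obtains t' = (d < c) and QR-encrypts it under A's key.
    return int(d < c)

def protocol7(enc_a, enc_b, l, lam, pk_p, sk_p, pk_qr, sk_qr):
    """A holds [a], [b], SK_QR, PK_P; B holds SK_P, PK_QR. Returns A's output bit t."""
    n = pk_p[0]
    n2 = n * n
    assert l + 1 + lam < n.bit_length()              # no carry-over modulo N
    enc_x = enc_b * paillier_enc(pk_p, 1 << l) * pow(enc_a, -1, n2) % n2  # 1: x = 2^l + b - a
    r = random.randrange(1, 1 << (lam + l))          # 2: A's blinding value
    enc_z = enc_x * paillier_enc(pk_p, r) % n2       # 3: [z] = [x][r]
    z = paillier_dec(sk_p, enc_z)                    # 4-5: B decrypts z = x + r
    c, d = r % (1 << l), z % (1 << l)                # 6 (A), 7 (B)
    enc_t1 = qr_enc(pk_qr, ideal_dgk(d, c))          # 8: B holds [t'] with t' = (d < c)
    enc_rl = qr_enc(pk_qr, (r >> l) & 1)             # 9: A sends [r_l]
    enc_zl = qr_enc(pk_qr, (z >> l) & 1)             # 10: B encrypts z_l
    enc_t = enc_t1 * enc_zl * enc_rl % pk_qr[0]      # 11: [t] = [t' XOR z_l XOR r_l]
    return qr_dec(sk_qr, enc_t)                      # 12-13: A decrypts t

def compare_encrypted(a, b, l=16, lam=40, keys=None):
    """Full run; the returned bit is the (l+1)-th bit of 2^l + b - a, i.e. (a <= b)."""
    pk_p, sk_p, pk_qr, sk_qr = keys or (*paillier_keygen(), *qr_keygen())
    return protocol7(paillier_enc(pk_p, a), paillier_enc(pk_p, b),
                     l, lam, pk_p, sk_p, pk_qr, sk_qr)

def agreement_check(trials=100, l=16):
    """True iff the protocol output equals (a <= b) on random l-bit inputs and at equality."""
    keys = (*paillier_keygen(), *qr_keygen())
    pairs = [(random.randrange(1 << l), random.randrange(1 << l)) for _ in range(trials)]
    pairs += [(5, 5), (0, 0), ((1 << l) - 1, (1 << l) - 1)]    # constructed equality cases
    return all(compare_encrypted(a, b, l, keys=keys) == int(a <= b) for a, b in pairs)
```

The bit returned is the $(l+1)$-th bit of $2^l + b - a$, so it is 1 at equality as well; a caller that needs the strict comparison $a < b$ can evaluate $1 - $ `compare_encrypted(b, a)`, since $a < b$ is the negation of $b \leq a$.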


Security. We suppose that the encrypted bit $[t']$ is ideally computed (using calls to a trusted party in the hybrid model). We show that the protocol is secure in this model and conclude using the sequential modular composition theorem.

A's view is $V_A = ([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_P;\ r, \mathrm{coins};\ [t])$ where $\mathrm{SK}_{QR}$ is the secret key for the QR cryptosystem, $\mathrm{PK}_P$ is the public key for Paillier's cryptosystem, and $\mathrm{coins}$ are the random coins used for the encryptions of $2^l$, $r$ and $r_l$. Given $([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_P, a < b)$, we build the simulator $S_A$:

1. Compute $[\hat{t}]$, an encryption of the bit $(a < b)$ under QR.

2. Pick $\hat{r} \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$.

3. Let $\widehat{\mathrm{coins}}$ be random coins for two Paillier encryptions and one QR encryption.

4. Output $([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_P;\ \hat{r}, \widehat{\mathrm{coins}};\ [\hat{t}])$.

The distributions $V_A([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)$ and $S_A([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_P, a < b)$ are exactly the same because the randomness is taken from the same distribution in both cases, and the QR ciphertext encrypts the same bit.

B's view is $V_B = (\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [z];\ \mathrm{coins};\ [t'], [r_l])$ where $\mathrm{coins}$ are the random coins used for the encryption of $z_l$. The simulator $S_B(\mathrm{PK}_{QR}, \mathrm{SK}_P, l)$ runs as follows:

1. Pick $\hat{z} \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$.

2. Encrypt $\hat{z}$ under Paillier: $[\hat{z}]$.

3. Generate $[\hat{t}']$ and $[\hat{r}_l]$, two encryptions of random bits under QR.

4. Let $\widehat{\mathrm{coins}}$ be random coins for one QR encryption.

5. Output $(\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [\hat{z}];\ \widehat{\mathrm{coins}};\ [\hat{t}'], [\hat{r}_l])$.

The random tapes $\mathrm{coins}$ and $\widehat{\mathrm{coins}}$ are generated in the exact same manner and independently from any other parameter, so

$$(\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [z];\ \mathrm{coins};\ [t'], [r_l]) = (\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [z];\ \widehat{\mathrm{coins}};\ [t'], [r_l]).$$

Recall that $z = x + r \bmod N$ where $x$ is an $(l+1)$-bit integer and $r$ is an $(l + \lambda)$-bit integer. But as we chose $l + 1 + \lambda < \log_2 N$, we have $z = x + r$ over the integers. The distribution of $z$ is statistically indistinguishable from the distribution of $\hat{z}$ (the distributions are distinguishable with an advantage of at most $2^{-\lambda}$).

We also directly have that $(\mathrm{SK}_P, [z]) \equiv_s (\mathrm{SK}_P, [\hat{z}])$ and, as a consequence, as the distributions of $z$ and $\hat{z}$ are independent from $t'$ and $r_l$,

$$(\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [z];\ \widehat{\mathrm{coins}};\ [t'], [r_l]) \equiv_s (\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [\hat{z}];\ \widehat{\mathrm{coins}};\ [t'], [r_l]).$$

By semantic security of QR,

$$(\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [\hat{z}];\ \widehat{\mathrm{coins}};\ [t'], [r_l]) \equiv_c (\mathrm{PK}_{QR}, \mathrm{SK}_P, l, [\hat{z}];\ \widehat{\mathrm{coins}};\ [\hat{t}'], [\hat{r}_l])$$

and

$$S_B(\mathrm{PK}_{QR}, \mathrm{SK}_P, l) \equiv_c V_B([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P).$$

We conclude the proof of security using modular sequential composition: we replace the ideal calls for computing the encrypted bit $[t']$ by the provably secure DGK protocol and invoke Theorem B.2 to prove security in the semi-honest model. □

Proof of Proposition A.2. The proof of security is similar to the one of Proposition A.1. Again we first suppose that $[t']$ is ideally computed (hybrid model).

A's view is $V_A = ([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ r, \mathrm{coins};\ [t'], [z_l])$ where $\mathrm{PK}_{QR}$ is the public key for the QR cryptosystem, $\mathrm{PK}_P$ is the public key for Paillier's cryptosystem, and $\mathrm{coins}$ is the random tape used for the Paillier encryptions of $r$ and $2^l$ and the QR encryption of $r_l$.

Given $([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P)$, we build the simulator $S_A$:

1. Pick $\hat{r} \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$.

2. Generate $[\hat{t}']$ and $[\hat{z}_l]$, two encryptions of random bits under QR.

3. Let $\widehat{\mathrm{coins}}$ be random coins for two Paillier encryptions and one QR encryption.

4. Output $([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \hat{r}, \widehat{\mathrm{coins}};\ [\hat{t}'], [\hat{z}_l])$.

In both cases (A's view and the simulator $S_A$), $r$ and $\hat{r}$ are taken from the same uniform distribution over $(0, 2^{\lambda + l}) \cap \mathbb{Z}$, and $\mathrm{coins}$ and $\widehat{\mathrm{coins}}$ are random tapes of the same length, so

$$S_A([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P) = ([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ r, \mathrm{coins};\ [\hat{t}'], [\hat{z}_l]).$$

By semantic security of the QR cryptosystem, we conclude with the computational indistinguishability of the $S_A$ and $V_A$ distributions:

$$S_A([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P) = ([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ r, \mathrm{coins};\ [\hat{t}'], [\hat{z}_l])$$

$$\equiv_c ([a], [b], l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ r, \mathrm{coins};\ [t'], [z_l]) = V_A([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P).$$

B's view is $V_B = (\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [z], [t];\ \mathrm{coins})$ where $\mathrm{SK}_{QR}$ is the secret key for the QR cryptosystem, $\mathrm{SK}_P$ is the secret key for Paillier's cryptosystem, and $\mathrm{coins}$ are the random coins necessary for the QR encryption of $z_l$. The simulator $S_B(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, a < b)$ runs as follows:

1. Compute $[\hat{t}]$, an encryption of the bit $(a < b)$ under QR.

2. Pick $\hat{z} \leftarrow (0, 2^{\lambda + l}) \cap \mathbb{Z}$.

3. Encrypt $\hat{z}$ under Paillier: $[\hat{z}]$.

4. Let $\widehat{\mathrm{coins}}$ be random coins for one QR encryption.

5. Output $(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [\hat{z}], [\hat{t}];\ \widehat{\mathrm{coins}})$.

Once again, the distributions of $\mathrm{coins}$ and $\widehat{\mathrm{coins}}$ are identical:

$$(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [z], [t];\ \mathrm{coins}) = (\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [z], [t];\ \widehat{\mathrm{coins}}).$$

Recall that $z = x + r$ where $x$ is an $(l+1)$-bit integer and $r$ is an $(l + \lambda)$-bit integer. The distribution of $z$ is statistically indistinguishable from the distribution of $\hat{z}$. We also directly have that $(\mathrm{SK}_P, [z]) \equiv_s (\mathrm{SK}_P, [\hat{z}])$ and, as a consequence, as the distributions of $z$ and $\hat{z}$ are independent from $t'$,

$$(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [z], [t];\ \widehat{\mathrm{coins}}) \equiv_s (\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [\hat{z}], [t];\ \widehat{\mathrm{coins}}).$$

Moreover, by construction, $(\mathrm{SK}_{QR}, [\hat{t}]) = (\mathrm{SK}_{QR}, [a < b])$ and

$$(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [\hat{z}], [t];\ \widehat{\mathrm{coins}}) = (\mathrm{SK}_{QR}, \mathrm{SK}_P, l, [\hat{z}], [\hat{t}];\ \widehat{\mathrm{coins}}).$$

Finally, we have

$$S_B(\mathrm{SK}_{QR}, \mathrm{SK}_P, l, a < b) \equiv_s V_B([a], [b], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P).$$

Again, we conclude the proof of security using modular sequential composition: we replace the ideal calls for computing the encrypted bit $[t']$ by the provably secure DGK protocol and invoke Theorem B.2 to prove security in the semi-honest model. □

C.1.1 Argmax

Proof of Proposition 4.1. Correctness. To prove correctness, we have to show that the following invariant holds: at the end of the loop for iteration $i$, $m$ is the maximum of $\{a_{\pi(j)}\}_{1 \leq j \leq i}$ and $a_{\pi(i_0)} = m$.

If this holds, at the end of the loop iterations $a_{\pi(i_0)}$ is the maximum of $\{a_{\pi(j)}\}_{1 \leq j \leq k} = \{a_j\}_{1 \leq j \leq k}$, hence $i_0 = \mathrm{argmax}_j\, a_{\pi(j)}$ and $\pi^{-1}(i_0) = \mathrm{argmax}_j\, a_j$.

At initialization (line 4), the invariant trivially holds as the family $\{a_{\pi(j)}\}_{1 \leq j \leq 1}$ contains only one element. Suppose the property is true for iteration $i - 1$. Let us distinguish two cases:

• If $b_i$ is true (i.e. $m < a_{\pi(i)}$), then, as the invariant holds for the previous iteration, $\max\{a_{\pi(j)}\}_{1 \leq j \leq i-1} = m < a_{\pi(i)}$ and hence $\max\{a_{\pi(j)}\}_{1 \leq j \leq i} = a_{\pi(i)}$. Then $i_0$ is set to $i$, $v_i = a'_i$ and $b_i = 1$. As a consequence, $m$ is set by A to

$$v_i + (b_i - 1) \cdot r_i - b_i \cdot s_i = a'_i - s_i = a_{\pi(i)}.$$

We clearly have $a_{\pi(i_0)} = a_{\pi(i)} = m$ and $m = \max\{a_{\pi(j)}\}_{1 \leq j \leq i}$: the invariant holds at the end of the $i$-th iteration in this case.

• If $b_i$ is false ($m \geq a_{\pi(i)}$), then $\max\{a_{\pi(j)}\}_{1 \leq j \leq i-1} \geq a_{\pi(i)}$ and $\max\{a_{\pi(j)}\}_{1 \leq j \leq i} = \max\{a_{\pi(j)}\}_{1 \leq j \leq i-1} = m$. Then $i_0$ is not changed, $v_i$ is set to $m'$ and $b_i = 0$. As a consequence,

$$v_i + (b_i - 1) \cdot r_i - b_i \cdot s_i = m' - r_i = m,$$

so $m$ is unchanged. As both $m$ and $i_0$ stayed the same and $\max\{a_{\pi(j)}\}_{1 \leq j \leq i} = \max\{a_{\pi(j)}\}_{1 \leq j \leq i-1}$, the invariant holds at the end of the $i$-th iteration in this case.

Security. We prove security in the hybrid model where line 5 of the protocol is ideally executed: we ask a trusted party $T$ to compute the function $f([x], [y], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)$ in the $f$-hybrid model, where

$$f([x], [y], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P) = \big(f_A([x], [y], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P);\ f_B([x], [y], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)\big)$$

and $f$ computes the function of Protocol 8, i.e. $f_A$ returns nothing and $f_B$ returns the bit $x < y$.

We will conclude using Theorem B.2.

A's view is

$$V_A = \big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \pi, \{r_i\}_{i=2}^k, \{s_i\}_{i=2}^k, \mathrm{coins};\ \{[v_i]\}_{i=2}^k, \{[b_i]\}_{i=2}^k, \pi(\mathrm{argmax}_i\, a_i)\big)$$

where $\mathrm{coins}$ is the random tape for the encryptions. To simulate A's real view, the simulator $S_A$ does the following on input $([a_1], \ldots, [a_k], l, \mathrm{PK}_{QR}, \mathrm{PK}_P, \mathrm{argmax}_i\, a_i)$:

1. Picks a random permutation $\hat{\pi}$ of $\{1, \ldots, k\}$.

2. Picks $k - 1$ random integers $\hat{r}_2, \ldots, \hat{r}_k$ in $(0, 2^{l + \lambda}) \cap \mathbb{Z}$.

3. Picks $k - 1$ random integers $\hat{s}_2, \ldots, \hat{s}_k$ in $(0, 2^{l + \lambda}) \cap \mathbb{Z}$.

4. Generates $k - 1$ random Paillier encryptions $[\hat{v}_2], \ldots, [\hat{v}_k]$.

5. Generates $k - 1$ encryptions $[\hat{b}_i]$ of random bits.

6. Generates a random tape $\widehat{\mathrm{coins}}$ for $2(k - 1)$ Paillier encryptions.

7. Outputs

$$\big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \hat{\pi}, \{\hat{r}_i\}_{i=2}^k, \{\hat{s}_i\}_{i=2}^k, \widehat{\mathrm{coins}};\ \{[\hat{v}_i]\}_{i=2}^k, \{[\hat{b}_i]\}_{i=2}^k, \hat{\pi}(\mathrm{argmax}_i\, a_i)\big).$$

We define the following hybrids:

• $H_0 = V_A(\{[a_1], \ldots, [a_k]\}, l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)$

• $H_1 = \big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \pi, \{r_i\}_{i=2}^k, \{s_i\}_{i=2}^k, \mathrm{coins};\ \{[\hat{v}_i]\}_{i=2}^k, \{[\hat{b}_i]\}_{i=2}^k, \pi(\mathrm{argmax}_i\, a_i)\big)$

• $H_2 = \big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \pi, \{\hat{r}_i\}_{i=2}^k, \{\hat{s}_i\}_{i=2}^k, \widehat{\mathrm{coins}};\ \{[\hat{v}_i]\}_{i=2}^k, \{[\hat{b}_i]\}_{i=2}^k, \pi(\mathrm{argmax}_i\, a_i)\big)$

• $H_3 = S_A([a_1], \ldots, [a_k], l, \mathrm{PK}_{QR}, \mathrm{PK}_P, \mathrm{argmax}_i\, a_i)$

By semantic security of Paillier's cryptosystem (and of the QR cryptosystem for the encrypted bits $[b_i]$, which A cannot decrypt),

$$\big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \pi, \{r_i\}_{i=2}^k, \{s_i\}_{i=2}^k;\ \{[v_i]\}_{i=2}^k, \{[b_i]\}_{i=2}^k, \pi(\mathrm{argmax}_i\, a_i)\big)$$

$$\equiv_c \big(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P;\ \pi, \{r_i\}_{i=2}^k, \{s_i\}_{i=2}^k;\ \{[\hat{v}_i]\}_{i=2}^k, \{[\hat{b}_i]\}_{i=2}^k, \pi(\mathrm{argmax}_i\, a_i)\big)$$

and $H_0 \equiv_c H_1$, as $\pi(\mathrm{argmax}_i\, a_i) = i_0$.

Given that $\hat{r}_i$, $\hat{s}_i$ and $\widehat{\mathrm{coins}}$ are generated according to the same distributions as $r_i$, $s_i$ (uniform over $(0, 2^{l + \lambda}) \cap \mathbb{Z}$) and $\mathrm{coins}$ (random tape for $2(k - 1)$ Paillier encryptions), and that they are completely independent from the $v_i$ and $b_i$, the hybrids $H_1$ and $H_2$ are equal.

Similarly, the distributions of $(\pi, \pi(\mathrm{argmax}_i\, a_i))$ and $(\hat{\pi}, \hat{\pi}(\mathrm{argmax}_i\, a_i))$ are exactly the same. As $\pi$ and $\hat{\pi}$ are independent from the other parameters, we also have $H_2 = H_3$. Hence, we showed that

$$V_A(\{[a_i]\}_{i=1}^k, l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P) \equiv_c S_A(\{[a_i]\}_{i=1}^k, l, \mathrm{PK}_{QR}, \mathrm{PK}_P, \mathrm{argmax}_i\, a_i).$$

B's view is

$$V_B = \big(\mathrm{SK}_P, \mathrm{SK}_{QR}, l;\ \mathrm{coins};\ \{b_i\}_{i=2}^k, \{[m']\}_{i=2}^k, \{[a'_i]\}_{i=2}^k\big)$$

where $\mathrm{coins}$ are the random coins for the $k - 1$ Paillier ciphertext refreshes. The simulator $S_B(\mathrm{SK}_P, \mathrm{SK}_{QR}, l)$ runs as follows:

1. Generates a random permutation $\hat{\pi}$ of $\{1, \ldots, k\}$.

2. Sets $[\hat{a}_i] = [i]$.

3. Runs the protocol with the $[\hat{a}_i]$ as input data, $\hat{\pi}$ as the permutation, and the same parameters otherwise. Let $(\mathrm{SK}_P, \mathrm{SK}_{QR}, l;\ \widehat{\mathrm{coins}};\ \{\hat{b}_i\}_{i=2}^k, \{[\hat{m}']\}_{i=2}^k, \{[\hat{a}'_i]\}_{i=2}^k)$ be B's view of this run.

4. Outputs

$$\big(\mathrm{SK}_P, \mathrm{SK}_{QR}, l;\ \widehat{\mathrm{coins}};\ \{\hat{b}_i\}_{i=2}^k, \{[\hat{m}']\}_{i=2}^k, \{[\hat{a}'_i]\}_{i=2}^k\big).$$

Let $\rho : \{a_i\}_{1 \leq i \leq k} \to \{1, \ldots, k\}$ be the function that associates $a_i$ to its rank among the $a_i$ (in ascending order; the argument assumes the $a_i$ are distinct, so that $\rho$ is a bijection). Let us fix the permutation $\pi$ for a while and define the following hybrids:

0. $H_0 = V_B(\{[a_i]\}_{i=1}^k, l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)$

1. $H_1 = V_B(\{[\rho(a_i)]\}_{i=1}^k, l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P)$

We will show that these hybrids are statistically equal for every permutation $\pi$.

As $\rho(\cdot)$ is a map that does not change the order of the $a_i$, we have that for all $i, j$, $a_i < a_j \iff \rho(a_i) < \rho(a_j)$. As a consequence, for a given permutation $\pi$, the bits $b_i$ do not change if we replace the $a_i$ by $\rho(a_i)$. Similarly, the way the $a'_i$ and $m'_i$ are generated for $H_0$ and $H_1$ is the same: blinding by adding random noise from $(0, 2^{\lambda + l}) \cap \mathbb{Z}$. Thus,

$$H_0 \equiv_s H_1.$$

Now, we want to show that $H_1 \equiv_s S_B(\mathrm{SK}_P, \mathrm{SK}_{QR}, l)$; we do not fix $\pi$ anymore. Let $\pi_0$ be the permutation such that $\rho(a_i) = \pi_0(i)$. We can then rewrite $H_1$ as

$$H_1 = V_B([\pi_0(1)], \ldots, [\pi_0(k)], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P).$$

As $\hat{\pi}$ and $\pi \circ \pi_0$ are statistically indistinguishable (both are uniformly random permutations), we have $H_1 \equiv_s S_B(\mathrm{SK}_P, \mathrm{SK}_{QR}, l)$: recall that $S_B$'s output is the view of B when the protocol is run with the set $\{\hat{a}_i = i\}$ as input and $\hat{\pi}$ as the permutation. Hence

$$V_B([a_1], \ldots, [a_k], l, \mathrm{SK}_{QR}, \mathrm{PK}_{QR}, \mathrm{SK}_P, \mathrm{PK}_P) \equiv_s S_B(\mathrm{SK}_P, \mathrm{SK}_{QR}, l).$$

We conclude the proof of security using modular sequential composition: we replace the ideal calls for computing the encrypted bits $b_i$ by the provably secure Protocol 8 and invoke Theorem B.2 to prove security in the semi-honest model. □
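The argmax loop just analysed, run over plaintext integers with the comparison of line 5 as an ideal call, as an added example (not the paper's code): it checks the invariant $m = \max\{a_{\pi(j)}\}_{1 \leq j \leq i}$ after A's unblinding $v_i + (b_i - 1) r_i - b_i s_i$, and reproduces the $H_0 \equiv_s H_1$ step of B's simulation by showing that the bits B sees depend only on the ranks $\rho(a_i)$ and on $\pi$. The value of $\lambda$, the 0-based list encoding of $\pi$ and the function names are assumptions made here.

```python
# Added example: the argmax protocol of Proposition 4.1 "as if the data were not
# encrypted" (the correctness proof's own simplification). Not the paper's code.
import random

LAM = 40  # statistical security parameter lambda (assumed value)


def argmax_protocol(a, l, pi, rng=random):
    """a: A's values a_1..a_k (a[0] is a_1); pi: A's permutation as a 0-based list.
    The comparison of line 5 is an ideal call. Returns (argmax index into a, B's view)."""
    k = len(a)
    assert all(0 <= v < (1 << l) for v in a)
    perm = [a[pi[i]] for i in range(k)]        # a_{pi(1)}, ..., a_{pi(k)}
    m, i0 = perm[0], 1                         # line 4: m <- a_{pi(1)}, i_0 <- 1
    b_view = []                                # (b_i, m', a'_i): what B sees per round
    for i in range(2, k + 1):
        a_i = perm[i - 1]
        b_i = int(m < a_i)                     # line 5: B learns b_i (Protocol 8)
        r_i = rng.randrange(1 << (l + LAM))    # A's blinding noise for m
        s_i = rng.randrange(1 << (l + LAM))    # A's blinding noise for a_{pi(i)}
        m_blind, a_blind = m + r_i, a_i + s_i  # A sends [m'] = [m][r_i], [a'_i] = [a_{pi(i)}][s_i]
        b_view.append((b_i, m_blind, a_blind))
        if b_i:                                # B: i_0 <- i, v_i <- Refresh[a'_i]
            i0, v_i = i, a_blind
        else:                                  # B: v_i <- Refresh[m']
            v_i = m_blind
        m = v_i + (b_i - 1) * r_i - b_i * s_i  # A unblinds without knowing the branch
        assert m == max(perm[:i])              # the loop invariant of the proof
    return pi[i0 - 1], b_view                  # i_0 indexes the permuted order


def argmax_index(a, l=16, seed=None):
    """Pick a uniformly random permutation pi and run the protocol; A's result."""
    rng = random.Random(seed)
    pi = list(range(len(a)))
    rng.shuffle(pi)
    return argmax_protocol(a, l, pi, rng)[0]


def ranks(a):
    """rho(a_i): the rank of a_i in ascending order, 1..k (inputs assumed distinct)."""
    order = sorted(a)
    return [order.index(v) + 1 for v in a]


def bits_seen_by_b(a, l, pi):
    """The comparison bits b_2..b_k in B's view for a fixed permutation pi."""
    return [b for b, _, _ in argmax_protocol(a, l, pi)[1]]


def rank_only_leakage(a, l, pi):
    """H_0 versus H_1 of the proof: for the same pi, B sees the same bits whether
    the inputs are the a_i or their ranks rho(a_i)."""
    return bits_seen_by_b(a, l, pi) == bits_seen_by_b(ranks(a), l, pi)
```

With distinct inputs the returned index does not depend on the permutation, while the bits B observes do: `bits_seen_by_b([12, 40, 7, 33], 16, [2, 0, 3, 1])` walks the values in ascending order and yields `[1, 1, 1]`, and the same call on `ranks([12, 40, 7, 33]) == [2, 4, 1, 3]` yields the same bits, which is exactly what the simulator $S_B$ exploits by running the protocol on the inputs $\hat{a}_i = i$.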


C.2 Changing the encryption scheme

Proof of Proposition 4.2. In this protocol the computed function is probabilistic, and we have to show security according to the full definition (cf. Section B.1). The function is $f$:

$$f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2) = ([c]_2, \emptyset)$$

For the sake of simplicity, we do not take into account the randomness used for the encryption of $r$ by A and of $c'$ by B. As before, the distribution of these coins for one party is completely independent of the other elements to be taken into account in the simulations, so we just do not mention them in the security proof.

A's view is $V_A = (\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ r;\ [c']_2)$. A's output is $[c]_2$. The simulator $S_A(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1)$ runs as follows:

1. Picks uniformly at random $\hat{r} \leftarrow M$ and $\hat{c}' \leftarrow M$ (where $M$ is the message space).

2. Generates the encryption $[\hat{c}']_2$ of $\hat{c}'$ under $E_2$.

3. Outputs $(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ \hat{r};\ [\hat{c}']_2)$.

$r$ and $\hat{r}$ are taken from the same distribution, independently from any other parameter, so

$$\{(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ \hat{r};\ [\hat{c}']_2);\ f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\} = \{(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ r;\ [\hat{c}']_2);\ f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\}$$

($c'$ depends on $r$ but does not appear in the previous distributions). By semantic security of scheme $E_2$ we have that

$$\{(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ r;\ [\hat{c}']_2);\ f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\} \equiv_c \{(\mathrm{PK}_1, \mathrm{PK}_2, [c]_1;\ r;\ [c']_2);\ [c]_2\}$$

and so

$$\{S_A([c]_1, \mathrm{PK}_1, \mathrm{PK}_2),\ f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\} \equiv_c \{V_A([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2),\ \mathrm{Output}([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\}.$$

B's view is $V_B = (\mathrm{SK}_1, \mathrm{SK}_2;\ [c + r]_1)$. We build a simulator $S_B(\mathrm{SK}_1, \mathrm{SK}_2)$:

1. Picks a random $\hat{c} \leftarrow M$.

2. Encrypts $\hat{c}$ under $E_1$.

3. Outputs $(\mathrm{SK}_1, \mathrm{SK}_2;\ [\hat{c}]_1)$.

Again, the distributions of $\hat{c}$ and $c + r$ are identical, so the real distribution $\{(\mathrm{SK}_1, \mathrm{SK}_2;\ [c + r]_1);\ [c]_2\}$ and the ideal distribution $\{(\mathrm{SK}_1, \mathrm{SK}_2;\ [\hat{c}]_1);\ f([c]_1, \mathrm{PK}_1, \mathrm{PK}_2, \mathrm{SK}_1, \mathrm{SK}_2)\}$ are statistically indistinguishable. □

C.3 Computing dot products

Proof of Proposition 4.3. As B does not receive any message, its view only consists of its input and the random tape used for the encryptions. Hence the simulator $S_B$ simply generates random coins, and

$$S_B(y, \mathrm{SK}_P) = (y, \mathrm{SK}_P;\ \widehat{\mathrm{coins}}) = V_B(x, y, \mathrm{SK}_P, \mathrm{PK}_P)$$

where $\mathrm{coins}$ are the random coins.

A's view is $V_A = (x, \mathrm{PK}_P;\ r_A;\ [y_1], \ldots, [y_n])$. On input $(x, \mathrm{PK}_P, [v])$, where $[v]$ is the encrypted dot product prescribed as A's output, the simulator $S_A$ does the following:

1. Generates $n$ encryptions of 0 using Paillier: $\hat{c}_1, \ldots, \hat{c}_n$.

2. Generates the random coins necessary for a Paillier re-randomization and puts them in $\widehat{\mathrm{coins}}$.

3. Outputs $(x, \mathrm{PK}_P;\ \widehat{\mathrm{coins}};\ \hat{c}_1, \ldots, \hat{c}_n)$.

$\mathrm{coins}$ and $\widehat{\mathrm{coins}}$ come from the same distribution, independently from the other parameters. Thus,

$$\{(x, \mathrm{PK}_P;\ \widehat{\mathrm{coins}};\ \hat{c}_1, \ldots, \hat{c}_n);\ [\langle x, y\rangle]\} = \{(x, \mathrm{PK}_P;\ \mathrm{coins};\ \hat{c}_1, \ldots, \hat{c}_n);\ [\langle x, y\rangle]\}$$

and by semantic security of Paillier,

$$\{(x, \mathrm{PK}_P;\ \mathrm{coins};\ \hat{c}_1, \ldots, \hat{c}_n);\ [\langle x, y\rangle]\} \equiv_c \{(x, \mathrm{PK}_P;\ \mathrm{coins};\ [y_1], \ldots, [y_n]);\ [v]\},$$

i.e., when $f$ is $f(x, y, \mathrm{SK}_P, \mathrm{PK}_P) = ([\langle x, y\rangle], \emptyset)$,

$$\{S_A(x, \mathrm{PK}_P, [v]);\ f(x, y, \mathrm{SK}_P, \mathrm{PK}_P)\} \equiv_c \{V_A(x, y, \mathrm{SK}_P, \mathrm{PK}_P);\ \mathrm{Output}(x, y, \mathrm{SK}_P, \mathrm{PK}_P)\}.$$

□


C.4 Classifiers

Hyperplane decision

Proof of Proposition 5.1. The client's view is

$$V_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ \{[v_i]\}_{i=1}^k, i_0).$$

The simulator $S_C$, on input $(\mathrm{PK}_P, \mathrm{SK}_{QR}, x, k^*)$ where $k^* = \mathrm{argmax}_{i \in [k]} \langle w_i, x\rangle$, does the following:

1. Generates $k$ random Paillier encryptions $[\hat{v}_i]$.

2. Outputs $(\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ \{[\hat{v}_i]\}_{i=1}^k, k^*)$.

As the index $i_0$ that the client receives is its output, and as Paillier's cryptosystem is semantically secure, the distributions $S_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ \{[\hat{v}_i]\}_{i=1}^k, k^*)$ and $V_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ \{[v_i]\}_{i=1}^k, i_0)$ are computationally indistinguishable.

As the server sees nothing but its inputs (the server does not receive any message in the hybrid model), we use the trivial simulator that just outputs its inputs for the proof of security.

As Protocols 1 and 3 are secure in the honest-but-curious model, we obtain the security of the hyperplane decision protocol using modular sequential composition (Theorem B.2). □

Bayes classifier

Proof of Proposition 6.1. The client's view is

$$V_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ [P], \{[T_{i,j}]\}, i_0).$$

The simulator $S_C$, on input $(\mathrm{PK}_P, \mathrm{SK}_{QR}, x, i_{\max})$ where $i_{\max} = \mathrm{argmax}_i\, P(C = c_i \mid X = x)$,

• generates tables of random Paillier encryptions $[\hat{P}]$ and $\{[\hat{T}_{i,j}]\}$;

• outputs $(\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ [\hat{P}], \{[\hat{T}_{i,j}]\}, i_{\max})$.

As the integer $i_0$ that the client receives is its output, and as Paillier's cryptosystem is semantically secure, the distributions $S_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ [\hat{P}], \{[\hat{T}_{i,j}]\}, i_{\max})$ and $V_C = (\mathrm{PK}_P, \mathrm{SK}_{QR}, x;\ [P], \{[T_{i,j}]\}, i_0)$ are computationally indistinguishable.

Again, as the server sees nothing but its inputs (the server does not receive any message in the hybrid model), we use the trivial simulator that outputs its inputs and the random coins for the encryptions for the proof of security.

As Protocol 1 is secure in the honest-but-curious model, we obtain the security of the Naive Bayes classification protocol using modular sequential composition (Theorem B.2). □

Decision tree

Proof of Proposition 7.1. The proof of security for the server is very easily obtained using modular sequential composition of the comparison protocol and Protocol 2: in the hybrid model, the client receives nothing but the encrypted result.

For the client also the proof is trivial, using modular sequential composition and the semantic security of QR and of the FHE scheme: the encryptions of the bits $b_i$ are computationally indistinguishable from encryptions of random bits, whether they are encrypted under QR or under the FHE scheme. □
Functional Encryption with Bounded Collusions via Multi-Party Computation*

Sergey Gorbunov, Vinod Vaikuntanathan, Hoeteck Wee

September 5, 2012


Abstract 

We  construct  a  functional  encryption  scheme  secure  against  an  a-priori  bounded  polynomial 
number  of  collusions  for  the  class  of  all  polynomial-size  circuits.  Our  constructions  require  only 
semantically  secure  public-key  encryption  schemes  and  pseudorandom  generators  computable 
by  small-depth  circuits  (known  to  be  implied  by  most  concrete  intractability  assumptions) .  For 
certain  special  cases  such  as  predicate  encryption  schemes  with  public  index,  the  construction 
requires  only  semantically  secure  encryption  schemes,  which  is  clearly  the  minimal  necessary 
assumption. 

Our  constructions  rely  heavily  on  techniques  from  secure  multi-party  computation  and 
randomized  encodings.  All  our  constructions  are  secure  under  a  strong,  adaptive  simulation- 
based  definition  of  functional  encryption. 
1 Introduction


Traditional  notions  of  public-key  encryption  provide  all-or-nothing  access  to  data:  users  who  possess 
the  secret  key  can  recover  the  entire  message  from  a  ciphertext,  whereas  those  who  do  not  know 
the  secret  key  learn  nothing  at  all.  While  such  “black-and-white”  notions  of  encryption  have 
served  us  well  for  the  past  thirty  years  and  are  indeed  being  widely  used  for  secure  communications 
and  storage,  it  is  time  to  move  beyond.  In  particular,  the  advent  of  cloud  computing  and  the 
resulting  demand  for  privacy-preserving  technologies  demands  a  much  more  fine-grained  access 
control  mechanism  for  encrypted  data. 

Boneh,  Sahai  and  Waters  [BSW11]  recently  formalized  the  notion  of  functional  encryption  to¬ 
wards  this  end,  building  on  and  generalizing  a  number  of  previous  constructs  including  (anonymous) 
identity-based  encryption  (IBE)  [Sha84,  BF01,  CocOl,  BW06],  fuzzy  IBE  [SW05],  attribute-based 
encryption  (ABE)  [GPSW06,  LOS+10],  and  predicate  encryption  [KSW08,  LOS+10].  Informally, 
a  functional  encryption  scheme  for  a  circuit  family  C  associates  secret  keys  SKc  with  every  circuit 
C,  and  ciphertexts  CT  with  every  input  x.  The  owner  of  the  secret  key  SK<7  and  the  ciphertext  CT 
should  be  able  to  obtain  C{x),  but  learn  nothing  else  about  the  input  message  x  itself.1  Moreover, 
security  should  hold  against  collusions  amongst  “key  holders”,  namely,  a  collusion  of  users  that 
hold  secret  keys  SKc, , . . . ,  SKq  and  an  encryption  of  x  should  learn  nothing  else  about  x  apart 
from  C±(x), ,  Cq(x). 

Functional  encryption  transparently  captures  as  special  cases  a  number  of  familiar  notions  of 
encryption,  such  as  identity-based  encryption  (IBE),  anonymous  IBE,  fuzzy  IBE,  attribute-based 
encryption  and  so  forth.  For  example,  an  identity-based  encryption  scheme  can  be  seen  as  a 
functional  encryption  scheme  for  the  following  family  of  circuits  parametrized  by  the  identity: 

,  \  f  (id,  n)  if  id  =  id7 

id' l1  i  W  |  (id,  _L)  otherwise 

In  a  similar  vein,  fuzzy  IBE  schemes  correspond  to  a  circuit  that  detects  proximity  between  two 
strings,  and  attribute  based  encryption  schemes  correspond  to  circuit  that  can  be  computed  by 
Boolean  formulas.  The  central  and  challenging  open  question  in  the  study  of  functional  encryption 
is: 


Can  we  build  a  functional  encryption  scheme  for  the  class  of  all  poly-size  circuits? 

To  date,  constructions  of  functional  encryption  are  known  only  for  these  limited  classes  of 
circuits  (see  [BF01,  CocOl,  SW05,  GPSW06,  KSW08,  LOS+10]  and  others).  More  concretely,  the 
state-of-the-art  constructions  are  limited  to  predicate  encryption  schemes,  where  the  predicate  itself 
is  computable  by  a  “low  complexity”  class,  such  as  Boolean  formula  and  inner  product  over  fields, 
both  of  which  are  computable  in  NCI.  In  particular,  a  large  part  of  the  difficulty  in  constructing 
functional  encryption  schemes  lies  in  the  fact  that  we  typically  require  security  against  a-priori 
unbounded  collusions,  namely,  adversaries  who  obtain  secret  keys  for  an  unbounded  number  of 
circuits  C\, . . . ,  Cq.  This  raises  the  following  natural  question:  can  we  build  functional  encryption 
schemes  for  arbitrary  circuits  for  some  meaningful  relaxation  of  this  security  requirement? 

1  We  do  not  require  the  circuit  C  to  be  secret  throughout  this  work,  and  in  most  literature  on  functional  encryption. 
For  the  singular  exception,  see  the  work  of  Shi,  Shen  and  Waters  [SSW09]. 
Functional Encryption for Bounded Collusions. In this work, we initiate a systematic study of functional encryption for bounded collusions. We consider a relaxed notion of security where the adversary is given secret keys for an a-priori bounded number of circuits $C_1, \ldots, C_q$ of her choice (which can be made adaptively). This notion, which we call q-bounded security (or security against q collusions), is a natural relaxation of the strong definition above, and could be sufficient in a number of practical use-case scenarios. Our main result in this paper is a construction of q-bounded secure functional encryption schemes for arbitrary polynomial-size circuit families under mild cryptographic assumptions.

The question of designing IBE schemes with bounded collusions has been considered in a number of works [DKXY02, CHH+07, GLW12]. The functional encryption setting presents us with a significantly richer landscape since (1) a secret key $\mathsf{SK}_C$ can be used to obtain (partial) information about many messages, as opposed to IBE where a secret key decrypts only ciphertexts for a single identity, and (2) the partial information is a result of a potentially complex computation on the message itself. Our constructions leverage interesting ideas from the study of (information-theoretic) multi-party computation [BGW88, BMR90, DI05] and randomized encodings [Yao86, IK00, AIK06].

We stress that q-bounded security does not restrict the system from issuing an unbounded number of secret keys. We guarantee security against any adversary that gets hold of at most q keys. Specifically, our security definition achieves security against multiple “independent” collusions, as long as each collusion has size at most q. Indeed, it is not clear how to achieve such a security notion for general circuits even in the stateful setting where the system is allowed to maintain a counter while issuing secret keys (analogous to the early notion of stateful signatures). We note that our construction does not require maintaining any state.


1.1 Our Results

The main result of this work is the construction of a q-query functional encryption scheme for the class of all polynomial-size circuits. Our construction is based on the existence of semantically secure public key encryption schemes, and pseudorandom generators (PRG) computable by polynomials of degree poly(κ), where κ is the security parameter. The former is clearly a necessary assumption, and the latter is a relatively mild assumption which, in particular, is implied by most concrete intractability assumptions commonly used in cryptography, such as ones related to factoring, discrete logarithm, or lattice problems.

An important special case of functional encryption that we will be interested in is predicate encryption with public index (which is also called attribute-based encryption by some authors). This corresponds to a circuit family $\mathcal{C}$ parametrized by predicates $g$ and defined as:

$$C_g(\mathrm{ind}, \mu) = \begin{cases} (\mathrm{ind}, \mu) & \text{if } g(\mathrm{ind}) = \text{true} \\ (\mathrm{ind}, \bot) & \text{otherwise} \end{cases}$$

Here, ind is the so-called public index, and $\mu$ is sometimes referred to as the payload message. For the special case of predicate encryption schemes with public index, our construction handles arbitrary polynomial-size circuits while relying solely on the existence of semantically secure public-key encryption schemes, which is clearly the minimal necessary assumption. In particular, we do not need the “bounded-degree PRG” assumption for this construction.

In contrast, functional encryption schemes that handle an unbounded number of secret-key queries are known only for very limited classes of circuit families, the most general being inner product predicates [KSW08, LOS+10, OT10]. In particular, constructing an unbounded-query secure functional encryption scheme for general circuit families is considered a major open problem in this area [BSW11]. As for functional encryption schemes with public index (also referred to as “attribute-based encryption” by some authors) that handle an unbounded number of secret-key queries, there are a handful of constructions for polynomial-size formulas [GPSW06, OSW07], which themselves are a sub-class of NC1 circuits.

We will henceforth refer to a functional encryption scheme that supports arbitrary polynomial-size circuits as a general functional encryption scheme. Summarizing this discussion, we show:

Theorem 1.1 (Main Theorem, Informal). Let κ be a security parameter. Assuming the existence of semantically secure encryption schemes as well as PRGs computable by arithmetic circuits of degree poly(κ), for every $q = q(\kappa)$, there exists a general functional encryption scheme secure against $q$ secret key queries.

Corollary 1.2 (Informal). Let κ be a security parameter. Assuming the existence of semantically secure encryption schemes, for every $q = q(\kappa)$, there exists a general predicate encryption scheme with public index secure against $q$ secret key queries.

We have so far avoided discussing the issue of which security definition to use for functional encryption. Indeed, there are a number of different definitions in the literature, including both indistinguishability-style and simulation-style definitions. In a nutshell, we prove our constructions secure under a strong, adaptive simulation-based definition; see Section 1.3 for details.

1.2 Overview of Our Constructions

We proceed with an overview of our construction of a q-bounded general functional encryption scheme.

Starting point. The starting point of our constructions is the fact, observed by Sahai and Seyalioglu [SS10], that general functional encryption schemes resilient against a single secret-key query can be readily constructed using the beautiful machinery of Yao’s “garbled circuits” [Yao86] (and in fact, more generally, from randomized encodings [IK00, AIK06]).² The construction given in [SS10] only achieves “selective, non-adaptive” security, where the adversary must specify the input message $x$ before it sees the public key, and the single key query $C$ before it sees the challenge ciphertext. We show how to overcome these limitations and achieve “full adaptive security” (for a single key query) by using techniques from non-committing encryption [CFGN96], while still relying only on the existence of semantically secure encryption schemes. All of our constructions henceforth also achieve full adaptive security.

Building on this, our construction proceeds in two steps.

1.2.1 Functional Encryption for NC1 Circuits

In the first step, we show how to construct a q-query functional encryption scheme for NC1 circuits starting from any 1-query scheme.

² We note that [SS10] is completely insecure for collusions of size two: in particular, given two secret keys $\mathsf{SK}_{C_1}$ and $\mathsf{SK}_{C_2}$, an adversary can derive the $\mathsf{SK}_C$ for any other $C$, and moreover, completely recover $x$.
We denote the “degree” of a circuit $C$ as the degree of the polynomial computing $C$ in the variables of $x$. The degree of a circuit family denotes the maximum degree of a circuit in the family. Let $D$ denote the degree of the NC1 family. The complexity of our construction will be polynomial in both $D$ and $q$, where $q$ is the number of secret keys the adversary is allowed to see before he gets the challenge ciphertext. This step does not require any additional assumption (beyond semantically secure public key encryption).

The high level approach is as follows: we will run $N$ independent copies of the 1-query scheme. To encrypt, we will encrypt the views of some $N$-party MPC protocol computing some functionality related to $C$ (aka “MPC in the head” [IKOS07]). As the underlying MPC protocol, we will rely on the BGW semi-honest MPC protocol without degree reduction (c.f. [DI05, Section 2.2]). We will exploit the fact that this protocol is completely non-interactive when used to compute bounded-degree functions.

We proceed to sketch the construction. Suppose the encryptor holds input $x = (x_1, \ldots, x_\ell)$, the decryptor holds circuit $C$, and the goal is for the decryptor to learn $C(x_1, \ldots, x_\ell)$. In addition, we fix $t$ and $N$ to be parameters of the construction.

• The public keys of the system consist of $N$ independent public keys for the 1-query scheme for the same family $\mathcal{C}(\cdot)$. The key generation algorithm associates the decryptor with a random subset $\Gamma \subseteq [N]$ of size $Dt + 1$ and generates secret keys for the public keys $\mathsf{MPK}_j$ for $j \in \Gamma$. (Note that key generation is already a point of departure from previous $q$-bounded IBE schemes in [DKXY02, CHH+07], where the subset $\Gamma$ is completely determined by $C$.)

• To encrypt $x$, the encryptor first chooses $\ell$ random polynomials $\mu_1, \ldots, \mu_\ell$ of degree $t$ with constant terms $x_1, \ldots, x_\ell$ respectively. The encryptor computes $\mathsf{CT}_i$ to be the encryption of $(\mu_1(i), \ldots, \mu_\ell(i))$ under the $i$’th public key, and sends $(\mathsf{CT}_1, \ldots, \mathsf{CT}_N)$.

• To decrypt, observe that since $C(\cdot)$ has degree at most $D$,

$$P(\cdot) := C(\mu_1(\cdot), \ldots, \mu_\ell(\cdot))$$

is a univariate polynomial of degree at most $Dt$ whose constant term is $C(x_1, \ldots, x_\ell)$. Now, upon decrypting $\mathsf{CT}_i$ for each $i \in \Gamma$, the decryptor recovers $P(i) = C(\mu_1(i), \ldots, \mu_\ell(i))$. It can then recover $P(0) = C(x_1, \ldots, x_\ell)$ via polynomial interpolation.

The key question now is: what happens when $q$ of the decryptors collude? Let $\Gamma_1, \ldots, \Gamma_q \subseteq [N]$ be the (uniformly random) sets chosen for each of the $q$ secret key queries of the adversary. Whenever two of these sets intersect, the adversary obtains two distinct secret keys for the same public key in the underlying one-query FE scheme. More precisely, for every $j \in \Gamma_1 \cap \Gamma_2$, the adversary obtains two secret keys under the public key $\mathsf{MPK}_j$. Since security of $\mathsf{MPK}_j$ is only guaranteed under a single adversarial query, we have to contend with the possibility that in this event, the adversary can potentially completely break the security of the public key $\mathsf{MPK}_j$, and learn a share of the encrypted message $x$.

In particular, to guarantee security, we require that the sets $\Gamma_1, \ldots, \Gamma_q$ have small pairwise intersections, which holds for a uniformly random choice of the sets under an appropriate choice of the parameters $t$ and $N$. With small pairwise intersections, the adversary is guaranteed to learn at most $t$ shares of the input message $x$, which together reveal no information about $x$.
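To make the collusion argument above concrete, the following is an added Python example (written for this page, not code from the paper) that models key generation as choosing $q$ independent uniformly random subsets $\Gamma_1, \ldots, \Gamma_q \subseteq [N]$ of size $Dt+1$, pessimistically treats every public key $\mathsf{MPK}_j$ with $j$ in some pairwise intersection as fully broken, and checks the condition the text states: the collusion is harmless exactly when at most $t$ shares of $x$ leak. The function names, the sample subsets and the Monte-Carlo estimate are constructed for illustration; the paper's actual choice of $t$ and $N$ lives in Section 5 and is not reproduced here.

```python
import random
from itertools import combinations


def compromised_indices(subsets):
    """Indices j of [N] that occur in at least two of the key-generation subsets
    Gamma_1, ..., Gamma_q.  For such j the colluders hold two secret keys under the
    same one-query public key MPK_j, so we pessimistically treat MPK_j as broken
    and the j-th share of x as leaked."""
    leaked = set()
    for a, b in combinations(subsets, 2):
        leaked |= a & b
    return leaked


def collusion_is_safe(subsets, t):
    """The shares come from degree-t polynomials, so any t of them are uniformly
    random: the collusion learns nothing about x as long as at most t public keys
    are compromised."""
    return len(compromised_indices(subsets)) <= t


def sample_subsets(N, size, q, rng):
    """Model of key generation: each of the q keys gets an independent, uniformly
    random subset of [N] of the given size (D*t + 1 in the construction)."""
    return [frozenset(rng.sample(range(1, N + 1), size)) for _ in range(q)]


def failure_rate(N, t, D, q, trials=1000, seed=0):
    """Monte-Carlo estimate of Pr[more than t shares leak] over the random choice
    of the subsets (constructed experiment, not the paper's analysis)."""
    rng = random.Random(seed)
    bad = sum(not collusion_is_safe(sample_subsets(N, D * t + 1, q, rng), t)
              for _ in range(trials))
    return bad / trials


if __name__ == "__main__":
    # Constructed sample subsets: indices 3 and 5 each appear twice, so two shares leak.
    gammas = [frozenset({1, 2, 3}), frozenset({3, 4, 5}), frozenset({5, 6, 7})]
    print(sorted(compromised_indices(gammas)))                            # [3, 5]
    print(collusion_is_safe(gammas, t=2), collusion_is_safe(gammas, t=1))  # True False
    # Same t, D and q: a larger N makes pairwise intersections rarer.
    for N in (20, 200):
        print(N, failure_rate(N, t=2, D=2, q=3))
```

The estimate only shows the trend (for fixed $t$, $D$ and $q$, growing $N$ shrinks the expected pairwise intersection); it is not a substitute for the parameter analysis in the paper.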

For technical reasons, this is not sufficient to establish security of the basic scheme. The first issue, which already arises for a single key query, is that we need to randomize the polynomial $P$ by adding a random share of 0; this is needed to ensure that the evaluations of $P$ correspond to a random share of $C(x_1, \ldots, x_\ell)$, and indeed, the same issue also arises in the BGW protocol. More generally, we need to rerandomize the polynomial $P$ for each of the $q$ queries $C_1, \ldots, C_q$, in order to ensure that it is consistent with random shares of $C_i(x_1, \ldots, x_\ell)$, for $i = 1, 2, \ldots, q$. This can be done by having the encryptor hard-code additional randomness into the ciphertext. For more details, see Section 5.

Predicate encryption with public index. We point out that this construction also gives us for free a predicate encryption scheme with public index for arbitrary polynomial-size circuits (with no a-priori bound on the degree). In this setting, it suffices to realize the following family of circuits parametrized by predicates $g$:

$$C_g(\mathrm{ind}, \mu) = \begin{cases} (\mathrm{ind}, \mu) & \text{if } g(\mathrm{ind}) = 1 \\ (\mathrm{ind}, 0) & \text{otherwise} \end{cases}$$

We can write $C_g$ as:

$$C_g(\mathrm{ind}, \mu) = (\mathrm{ind}, \mu \cdot g(\mathrm{ind}))$$

Since ind is always part of the output, we can just publish ind “in the clear”. Now, observe that for all ind and $C_g$, $C_g(\mathrm{ind}, \mu)$ is a degree one function in the input $\mu$.

To obtain a predicate encryption scheme with public index, we observe that the construction above handles a more general class of circuits. In particular, if the input to the encryption algorithm is composed of a public input (that we do not wish to hide) and a secret input (that we do wish to hide), then the construction above only requires that the circuit $C$ has small degree in the bits of the secret input. Informally, this is true because we do not care about hiding the public input, and thus, we will not secret-share it in the construction above. Thus, the degree of the polynomial $P(\cdot)$ grows only with the degree of $C$ in its secret inputs. The bottom line is that since predicate encryption schemes with public index deal with circuits that have very low degree in the secret input (degree 1, in particular), our construction handles arbitrary predicates.


1.2.2 A Bootstrapping Theorem and Functional Encryption for P

In the second step, we show a “bootstrapping theorem” for functional encryption schemes. In a nutshell, this shows how to generically convert a q-query secure functional encryption scheme for NC1 circuits into one that is q-query secure for arbitrary polynomial-size circuits, assuming in addition the existence of a pseudo-random generator (PRG) that can be computed with circuits of degree poly(κ). Such PRGs can be constructed based on most concrete intractability assumptions such as those related to factoring, discrete logarithms and lattices.

The main tool that enables our bootstrapping theorem is the notion of randomized encodings [Yao86, IK00, AIK06]. Instead of using the FE scheme to compute the (potentially complicated) circuit $C$, we use it to compute its randomized encoding $\tilde{C}$, which is typically a much easier circuit to compute. In particular, secret keys are generated for $\tilde{C}$ and the encryption algorithm for the bounded-degree scheme is used to encrypt the pair $(x; R)$, where $R$ is a uniformly random string. The rough intuition for security is that the randomized encoding $\tilde{C}(x; R)$ reveals “no more information than” $C(x)$ itself and thus, this transformation does not adversely affect the security of the scheme.

Unfortunately, intuitions can be misleading and so is this one. Note that in the q-query setting, the adversary obtains not just a single randomized encoding, but $q$ of them, namely $\tilde{C}_1(x; R), \ldots, \tilde{C}_q(x; R)$. Furthermore, since all these encodings use the same randomness $R$, the regular notion of security of randomized encodings does not apply as-is. We solve this issue by hard-coding a large number of random strings (proportional to $q$) in the ciphertext and using a cover-free set construction, ensuring that the adversary learns $q$ randomized encodings with independently chosen randomness. See Section 6 for more details.

Putting this construction together with a randomized encoding scheme for polynomial-size circuits (which follows from Yao’s garbled circuits [Yao86, AIK06]) whose complexity is essentially the complexity of computing a PRG, we get our final FE scheme.

As a bonus, we show a completely different way to bootstrap q-query FE schemes for NC1 circuits into a q-query FE scheme for any polynomial-size circuits, using a fully homomorphic encryption scheme [Gen09, BV11]. See Section 7 for more details.

1.3 Definitions of Functional Encryption

Our constructions are shown secure under a strong simulation-based definition, in both the adaptive and non-adaptive sense. The non-adaptive variant requires the adversary to make all its secret key queries before receiving the challenge ciphertext, whereas in the adaptive variant there is no such restriction. Although the adaptive variant is clearly stronger, Boneh, Sahai and Waters [BSW11] recently showed that it is also impossible to achieve, even for very simple circuit families (related to IBE). We observe that the BSW impossibility result holds only if the adversary obtains an unbounded number of ciphertexts (essentially because of a related lower bound for non-committing encryption schemes with unbounded messages). Faced with this state of affairs, we show that our constructions are secure in the non-adaptive sense, as well as in the adaptive sense with a bounded number of messages.

In addition, we show a number of implications between different variants of these definitions; see Section 3 and Appendix A for more details.

1.4 A Perspective: Bounded-Use Garbled Circuits

The reason why the construction of Sahai and Seyalioglu only achieves security against collusions of size 1 is intimately related to the fact that Yao’s garbled circuits become completely insecure when used more than once. Our constructions may be viewed as a stateless variant of Yao’s garbled circuit that can be reused for some a-priori bounded number of executions. Fix the two parties’ inputs to be $C$ and $x$. We can view the ciphertext as an encoding of a “universal” circuit $U_x(\cdot)$ on some fixed input value $x$, such that we can “delegate” computation on $q$ different inputs $C_1, \ldots, C_q$ without leaking any information about $x$ beyond $C_1(x), \ldots, C_q(x)$.

Organization of the Paper. We describe the preliminaries and a simulation-based definition of functional encryption in Sections 2 and 3, respectively. For completeness, we describe a construction for 1-query functional encryption and prove its security in the adaptive setting in Section 4. Readers familiar with this construction can go ahead to the next section. We describe our Construction 1 for NC1 circuits in Section 5 and our Construction 2 for bootstrapping in Section 6. An additional FHE-based Construction 3 for bootstrapping is presented in Section 7. An interested reader is referred to the appendices for the definitional implications.
2 Preliminaries

Notations. Let $\mathcal{D}$ denote a distribution over some finite set $S$. Then, $x \leftarrow \mathcal{D}$ is used to denote the fact that $x$ is chosen from the distribution $\mathcal{D}$. When we say $x \leftarrow S$, we simply mean that $x$ is chosen from the uniform distribution over $S$. Unless explicitly mentioned, all logarithms are to base 2. For $n \in \mathbb{N}$, let $[n]$ denote the set of numbers $1, \ldots, n$. Let κ denote the security parameter.

2.1 Functional Encryption

Let $\mathcal{X} = \{\mathcal{X}_\kappa\}_{\kappa \in \mathbb{N}}$ and $\mathcal{Y} = \{\mathcal{Y}_\kappa\}_{\kappa \in \mathbb{N}}$ denote ensembles where each $\mathcal{X}_\kappa$ and $\mathcal{Y}_\kappa$ is a finite set. Let $\mathcal{C} = \{\mathcal{C}_\kappa\}_{\kappa \in \mathbb{N}}$ denote an ensemble where each $\mathcal{C}_\kappa$ is a finite collection of circuits, and each circuit $C \in \mathcal{C}_\kappa$ takes as input a string $x \in \mathcal{X}_\kappa$ and outputs $C(x) \in \mathcal{Y}_\kappa$.

A functional encryption scheme $\mathcal{FE}$ for $\mathcal{C}$ consists of four algorithms $\mathcal{FE} = (\mathsf{FE.Setup}, \mathsf{FE.Keygen}, \mathsf{FE.Enc}, \mathsf{FE.Dec})$ defined as follows.

• Setup $\mathsf{FE.Setup}(1^\kappa)$ is a p.p.t. algorithm that takes as input the unary representation of the security parameter and outputs the master public and secret keys $(\mathsf{MPK}, \mathsf{MSK})$.

• Key Generation $\mathsf{FE.Keygen}(\mathsf{MSK}, C)$ is a p.p.t. algorithm that takes as input the master secret key $\mathsf{MSK}$ and a circuit $C \in \mathcal{C}_\kappa$ and outputs a corresponding secret key $\mathsf{SK}_C$.

• Encryption $\mathsf{FE.Enc}(\mathsf{MPK}, x)$ is a p.p.t. algorithm that takes as input the master public key $\mathsf{MPK}$ and an input message $x \in \mathcal{X}_\kappa$ and outputs a ciphertext $\mathsf{CT}$.

• Decryption $\mathsf{FE.Dec}(\mathsf{SK}_C, \mathsf{CT})$ is a deterministic algorithm that takes as input the secret key $\mathsf{SK}_C$ and a ciphertext $\mathsf{CT}$ and outputs $C(x)$.

Definition 2.1 (Correctness). A functional encryption scheme $\mathcal{FE}$ is correct if for all $C \in \mathcal{C}_\kappa$ and all $x \in \mathcal{X}_\kappa$,

$$\Pr\left[(\mathsf{MPK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^\kappa);\ \mathsf{FE.Dec}(\mathsf{FE.Keygen}(\mathsf{MSK}, C), \mathsf{FE.Enc}(\mathsf{MPK}, x)) \neq C(x)\right] = \mathrm{negl}(\kappa)$$

where the probability is taken over the coins of $\mathsf{FE.Setup}$, $\mathsf{FE.Keygen}$, and $\mathsf{FE.Enc}$.

Refer to Section 3 for the security definition.


2.2 Shamir’s Secret Sharing

We assume familiarity with Shamir’s secret-sharing scheme [Sha79], which works as follows. Let $\mathbb{F}$ be a finite field and let $x = (x_1, \ldots, x_n)$ be a vector of any distinct non-zero elements of $\mathbb{F}$, where $n < |\mathbb{F}|$. Shamir’s $t$-out-of-$n$ secret-sharing scheme works as follows:

• To share a secret $M \in \mathbb{F}$, the sharing algorithm $\mathsf{SS.Share}_{t,n}(M)$ chooses a random univariate polynomial $\mu(x)$ of degree $t$ with constant coefficient $M$. The $n$ shares are $\mu(x_1), \ldots, \mu(x_n)$.

Note that any $t$ or fewer shares look uniformly random.

• The reconstruction algorithm $\mathsf{SS.Reconstruct}$ takes as input $t + 1$ shares and uses Lagrange interpolation to find the unique degree-$t$ polynomial $\mu(\cdot)$ that passes through the share points. Finally, it computes $\mu(0)$ to recover the secret.

An important property of this scheme is that it permits computation on the shares, a feature used in many multi-party computation protocols starting from [BGW88]. In particular, adding shares gives us $\mu_1(i) + \mu_2(i) = (\mu_1 + \mu_2)(i)$, meaning that the sharing scheme is additively homomorphic. Multiplying shares gives us $\mu_1(i)\mu_2(i) = (\mu_1\mu_2)(i)$, meaning that the scheme is also multiplicatively homomorphic (where $\mu_1\mu_2$ denotes the product of the polynomials). The main catch is that the degree of the polynomial increases with the number of multiplications, requiring more shares to recover the answer after a multiplication. In other words, the scheme per se is multiplicatively homomorphic for a bounded number of multiplications (but an arbitrary number of additions).
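The share arithmetic just described, and the encrypt/decrypt steps of Construction 1 sketched in Section 1.2.1 that build on it (shares of $x_1, \ldots, x_\ell$, the polynomial $P(\cdot) = C(\mu_1(\cdot), \ldots, \mu_\ell(\cdot))$, re-randomisation by a share of 0, and interpolation from $Dt + 1$ points), carried out over a prime field as one added Python example. This is illustrative code written for this page, not the authors' implementation. Assumptions: the field is $\mathrm{GF}(P)$ for a constructed prime $P$, the evaluation points are $1, \ldots, N$, the one-query FE layer is omitted (the $i$-th view stands in for the plaintext of $\mathsf{CT}_i$), and the circuit is passed as a Python function applied to shared values.

```python
import random

# Constructed for this example: a prime modulus, so that all shares live in GF(P).
P = 2**61 - 1


def share(secret, t, n, rng):
    """Shamir t-out-of-n sharing: pick a random degree-t polynomial mu with
    mu(0) = secret and hand out mu(1), ..., mu(n).  Returns {i: mu(i)}."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def reconstruct(points):
    """Lagrange interpolation at 0 over GF(P).  Recovers mu(0) exactly when
    len(points) >= deg(mu) + 1; with fewer points the result is unrelated."""
    secret = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def _take(shares, k):
    """The shares at the first k evaluation points 1..k."""
    return {i: shares[i] for i in range(1, k + 1)}


def homomorphic_demo(a, b, t, n, seed=0):
    """Section 2.2: shares add and multiply point-wise, but a product has degree
    2t, so t+1 shares suffice for the sum while 2t+1 are needed for the product."""
    rng = random.Random(seed)
    sa, sb = share(a, t, n, rng), share(b, t, n, rng)
    sum_shares = {i: (sa[i] + sb[i]) % P for i in sa}   # shares of mu_a + mu_b, degree t
    prod_shares = {i: sa[i] * sb[i] % P for i in sa}    # shares of mu_a * mu_b, degree 2t
    return (reconstruct(_take(sum_shares, t + 1)),      # == a + b
            reconstruct(_take(prod_shares, 2 * t + 1)))  # == a * b


def encrypt_views(x, t, N, rng):
    """Encryptor of Construction 1: share every x_k with a fresh degree-t polynomial
    mu_k; the i-th view (mu_1(i), ..., mu_l(i)) is what would be encrypted under
    the i-th one-query public key MPK_i."""
    polys = [share(xk, t, N, rng) for xk in x]
    return {i: [mu[i] for mu in polys] for i in range(1, N + 1)}


def decrypt_with_subset(views, zero_share, T, circuit):
    """Decryptor holding the keys for i in T (|T| = D*t + 1): open CT_i, compute
    P(i) = C(mu_1(i), ..., mu_l(i)) + z(i), where z is the encryptor's random
    degree-D*t sharing of 0 that re-randomises P, then interpolate P(0) = C(x)."""
    pts = {i: (circuit(views[i]) + zero_share[i]) % P for i in T}
    return reconstruct(pts)


def construction1_demo(x, circuit, D, t, N, seed=0):
    """End-to-end run for a circuit of degree D; returns what the decryptor learns."""
    rng = random.Random(seed)
    views = encrypt_views(x, t, N, rng)
    zero_share = share(0, D * t, N, rng)        # randomness hard-coded into the ciphertext
    T = rng.sample(range(1, N + 1), D * t + 1)  # key generation picks a random subset
    return decrypt_with_subset(views, zero_share, T, circuit)


if __name__ == "__main__":
    # Constructed sample: C(x1, x2, x3) = x1*x2 + x3 has degree D = 2.
    def deg2(v):
        return v[0] * v[1] + v[2]
    print(homomorphic_demo(3, 4, t=2, n=7))                    # (7, 12)
    print(construction1_demo([3, 4, 5], deg2, D=2, t=1, N=7))  # 17
```

Note that `decrypt_with_subset` needs exactly the $Dt + 1$ points the text calls for: the degree of $C(\mu_1(\cdot), \ldots, \mu_\ell(\cdot))$ is at most $Dt$, and the added zero-share has the same degree, so a smaller subset interpolates an unrelated value.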


2.3 Public Key Encryption

A public key encryption scheme $\mathcal{PKE} = (\mathsf{PKE.Setup}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ over message space $\mathcal{M} = \{\mathcal{M}_\kappa\}_{\kappa \in \mathbb{N}}$ is a triple of p.p.t. algorithms as follows.

• Setup. $\mathsf{PKE.Setup}(1^\kappa)$: takes a unary representation of the security parameter and outputs public and secret keys $(\mathsf{PK}, \mathsf{SK})$.

• Encryption. $\mathsf{PKE.Enc}_{\mathsf{PK}}(M)$: takes the public encryption key $\mathsf{PK}$ and a message $M \in \mathcal{M}_\kappa$ and outputs a ciphertext $\mathsf{CT}$.

• Decryption. $\mathsf{PKE.Dec}_{\mathsf{SK}}(\mathsf{CT})$: takes the secret key $\mathsf{SK}$ and a ciphertext $\mathsf{CT}$ and outputs a message $M^* \in \mathcal{M}_\kappa$.

Correctness and security against chosen plaintext attacks are defined as follows.

Definition 2.2. A public key encryption scheme $\mathcal{PKE}$ is correct if for all $M$,

$$\Pr\left[(\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{PKE.Setup}(1^\kappa);\ \mathsf{PKE.Dec}_{\mathsf{SK}}(\mathsf{PKE.Enc}_{\mathsf{PK}}(M)) \neq M\right] = \mathrm{negl}(\kappa),$$

where the probability is over the coins of $\mathsf{PKE.Setup}$ and $\mathsf{PKE.Enc}$.

Definition 2.3. A public key encryption scheme $\mathcal{PKE}$ is $(t, \varepsilon)$-IND-CPA secure if for any adversary $A$ that runs in time $t$ it holds that

$$\left|\Pr\left[A^{\mathsf{PKE.Enc}_{\mathsf{PK}}(\cdot)}(1^\kappa, \mathsf{PK}) = 1\right] - \Pr\left[A^{\mathsf{PKE.Enc}_{\mathsf{PK}}(0)}(1^\kappa, \mathsf{PK}) = 1\right]\right| \le \varepsilon,$$

where the probability is over $(\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{PKE.Setup}(1^\kappa)$, the coins of $\mathsf{PKE.Enc}$ and the coins of the adversary $A$.


2.4 Decomposable Randomized Encoding

Let $C$ be a circuit that takes inputs $k \in \{0,1\}^\ell$, $x \in \{0,1\}^n$ and outputs $C(k, x) \in \{0,1\}^m$. A decomposable randomized encoding scheme $\mathcal{RE}$ consists of two algorithms $(\mathsf{RE.Encode}, \mathsf{RE.Decode})$ satisfying the following properties:

1. Decomposable Encoding. $\mathsf{RE.Encode}(1^\kappa, C, x)$: A p.p.t. algorithm that takes as inputs a security parameter, a description of a circuit $C$, an input $x$, and outputs a randomized encoding

$$(\tilde{C}_1(\cdot, x; R), \ldots, \tilde{C}_\ell(\cdot, x; R)),$$

where, for $i \in [\ell]$, $\tilde{C}_i(\cdot, x; R)$ depends only on $k_i$.

2. Decoding. $\mathsf{RE.Decode}((y_i)_{i=1}^{\ell})$: On input an encoding $y_i = \tilde{C}_i(k_i, x; R)$ for some $k = (k_1, \ldots, k_\ell)$, output $C(k, x)$.

3. Semantic Security. We say the decomposable randomized encoding $\mathcal{RE}$ is secure if there exists a p.p.t. simulator $\mathsf{RE.Sim}$ such that for every p.p.t. adversary $A$ the outputs of the following two distributions are computationally indistinguishable:

Real:
1: $(C, k = (k_1, \ldots, k_\ell), x) \leftarrow A(1^\kappa)$
2: $(\tilde{C}_i(\cdot, x; R))_{i=1}^{\ell} \leftarrow \mathsf{RE.Encode}(1^\kappa, C, x)$
3: Output $(\tilde{C}_i(k_i, x; R))_{i=1}^{\ell}$

Simulated:
1: $(C, k = (k_1, \ldots, k_\ell), x) \leftarrow A(1^\kappa)$
2: $(\tilde{C}_i(k_i, x; R))_{i=1}^{\ell} \leftarrow \mathsf{RE.Sim}(1^\kappa, C, C(k, x))$
3: Output $(\tilde{C}_i(k_i, x; R))_{i=1}^{\ell}$

Note that such a randomized encoding for arbitrary polynomial-size circuits follows from Yao’s garbled circuit construction [Yao86, AIK06].

3  Security  of  Functional  Encryption  against  Bounded  Collusions 

In  this  section,  we  first  describe  simulation-based  definitions  for  functional  encryption  with 
bounded  collusions,  largely  based  on  the  recent  works  of  Boneh,  Sahai  and  Waters  [BSW11]  and 
O’Neill  [O’NIO].  We  then  go  on  to  discuss  relations  between  various  flavors  of  these  definitions, 
with  details  in  Appendix  A. 

Definition 3.1 ($q$-NA-SIM- and $q$-AD-SIM-Security). Let $\mathcal{FE}$ be a functional encryption scheme for a circuit family $\mathcal{C} = \{\mathcal{C}_\kappa\}_{\kappa \in \mathbb{N}}$. For every p.p.t. adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ and a p.p.t. simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$, consider the following two experiments:

$\mathsf{Exp}^{\mathsf{real}}_{\mathcal{FE},\mathcal{A}}(1^\kappa)$:
1: $(\mathsf{MPK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^\kappa)$
2: $(x, \mathsf{st}) \leftarrow \mathcal{A}_1^{\mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)}(\mathsf{MPK})$
3: $\mathsf{CT} \leftarrow \mathsf{FE.Enc}(\mathsf{MPK}, x)$
4: $\alpha \leftarrow \mathcal{A}_2^{\mathcal{O}(\mathsf{MSK}, \cdot)}(\mathsf{MPK}, \mathsf{CT}, \mathsf{st})$
5: Output $(\alpha, x)$

$\mathsf{Exp}^{\mathsf{ideal}}_{\mathcal{FE},\mathcal{A},\mathcal{S}}(1^\kappa)$:
1: $(\mathsf{MPK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^\kappa)$
2: $(x, \mathsf{st}) \leftarrow \mathcal{A}_1^{\mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)}(\mathsf{MPK})$
   ► Let $(C_1, \ldots, C_q)$ be $\mathcal{A}_1$'s oracle queries
   ► Let $\mathsf{SK}_i$ be the oracle reply to $C_i$
   ► Let $\mathcal{V} := \{y_i = C_i(x), C_i, \mathsf{SK}_i\}$
3: $(\mathsf{CT}, \mathsf{st}') \leftarrow \mathcal{S}_1(\mathsf{MPK}, \mathcal{V}, 1^{|x|})$
4: $\alpha \leftarrow \mathcal{A}_2^{\mathcal{O}'(\mathsf{MSK}, \mathsf{st}', \cdot)}(\mathsf{MPK}, \mathsf{CT}, \mathsf{st})$
5: Output $(\alpha, x)$

We distinguish between two cases of the above experiment:

1. The adaptive case, where:

• the oracle $\mathcal{O}(\mathsf{MSK}, \cdot) = \mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)$, and

• the oracle $\mathcal{O}'(\mathsf{MSK}, \mathsf{st}', \cdot)$ is the second stage of the simulator, namely $\mathcal{S}_2^{U_x(\cdot)}(\mathsf{MSK}, \mathsf{st}', \cdot)$, where $U_x(C) = C(x)$ for any $C \in \mathcal{C}_\kappa$.

The simulator algorithm $\mathcal{S}_2$ is stateful in that after each invocation it updates the state $\mathsf{st}'$, which is carried over to its next invocation. We call a simulator algorithm $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ admissible if, on each input $C$, $\mathcal{S}_2$ makes just a single query to its oracle $U_x(\cdot)$, on $C$ itself.

The functional encryption scheme $\mathcal{FE}$ is then said to be $q$-query simulation-secure for one message against adaptive adversaries ($q$-AD-SIM-secure, for short) if there is an admissible p.p.t. simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ such that for every p.p.t. adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ that makes at most $q$ queries, the outputs of the two experiments above are computationally indistinguishable.

2. The non-adaptive case, where the oracles $\mathcal{O}(\mathsf{MSK}, \cdot)$ and $\mathcal{O}'(\mathsf{MSK}, \mathsf{st}', \cdot)$ are both the "empty oracles" that return nothing: the functional encryption scheme $\mathcal{FE}$ is then said to be $q$-query simulation-secure for one message against non-adaptive adversaries ($q$-NA-SIM-secure, for short) if there is a p.p.t. simulator $\mathcal{S} = (\mathcal{S}_1, \bot)$ such that for every p.p.t. adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ that makes at most $q$ queries, the outputs of the two experiments above are computationally indistinguishable.

Intuitively, our security definition states that any information that the adversary is able to learn from the ciphertext and secret keys can be obtained by a simulator from the secret keys and the outputs of the circuit alone. A number of remarks on this definition are in order.

1. In the non-adaptive setting, the simulator

(a) is not allowed to "program" the public parameters or the pre-ciphertext secret key queries;

(b) given the real public parameters, the adversary's oracle queries, the corresponding real secret keys and the circuit output values, is asked to produce a ciphertext indistinguishable from the real ciphertext.

2. In the adaptive setting, in addition to the above bullets, the second stage simulator

(c) is given the real $\mathsf{MSK}$ and is allowed to "program" the post-ciphertext secret keys.

3. Even if the adversary does not request any secret keys, it learns the length of $x$, and therefore the simulator should be given this information to be on even ground with the adversary. This also ensures that the definition properly generalizes (regular) public-key encryption.

4. We remark that our definitions imply (and are stronger than) those presented in the work of Boneh, Sahai and Waters [BSW11]¹, except that we only consider a single ciphertext and impose an upper bound on the number of secret key queries.

¹A sketch of the proof is presented in Appendix A.

Why focus on this definition? First, as mentioned above, our definition is at least as strong as the definition presented in [BSW11]. In addition, in Appendix A we show the following relations between the definitions:

1. Relations between simulation and indistinguishability: We show that the single message simulation definition implies the single message indistinguishability definition in both the non-adaptive and adaptive worlds.

2. Relations between single and many messages (simulation): We show that single message non-adaptive simulation implies the many message non-adaptive simulation definition. However, we cannot hope to achieve the same implication in the adaptive world due to the impossibility results presented in [BSW11].

3. Relations between single and many messages (indistinguishability): Finally, we show that single message indistinguishability implies the many message indistinguishability definition in both the adaptive and non-adaptive worlds.

These definitional implications are summarized in Figure 1 and proved in Appendix A. As a result of these definitional implications, we focus on proving that our constructions are secure under the single message simulation definitions for both the adaptive and non-adaptive worlds.

4  Background  Constructions 

4.1  Adaptive, Singleton

Consider the following simple circuit family that consists of a single identity circuit $\mathcal{C} = \{C\}$, input space $X = \{0, 1\}$ and $C(x) = x$. We construct a 1-AD-SIM-secure functional encryption scheme for this circuit family, starting from any CPA-secure encryption scheme $(\mathsf{PKE.Setup}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$. (The construction is inspired by techniques used in non-committing encryption [CFGN96, DN00, KO04].)

• Setup $\mathsf{BasicFE.Setup}(1^\kappa)$: Run $\mathsf{PKE.Setup}$ twice to generate independent public-key/secret-key pairs

   $(\mathsf{PK}_i, \mathsf{SK}_i) \leftarrow \mathsf{PKE.Setup}(1^\kappa)$ for $i = 0, 1$

  Output the master public/secret key pair

   $\mathsf{MPK} := (\mathsf{PK}_0, \mathsf{PK}_1)$ and $\mathsf{MSK} := (\mathsf{SK}_0, \mathsf{SK}_1)$

• Key Generation $\mathsf{BasicFE.Keygen}(\mathsf{MSK}, C)$: On input the master secret key $\mathsf{MSK}$ and a circuit $C$, pick a random bit $r \leftarrow \{0, 1\}$ and output the secret key

   $\mathsf{SK} := (r, \mathsf{SK}_r)$

• Encryption $\mathsf{BasicFE.Enc}(\mathsf{MPK}, x)$: On input the master public key $\mathsf{MPK}$ and an input message $x \in \{0, 1\}$, output as ciphertext

   $\mathsf{CT} := (\mathsf{PKE.Enc}(\mathsf{PK}_0, x), \mathsf{PKE.Enc}(\mathsf{PK}_1, x))$

• Decryption $\mathsf{BasicFE.Dec}(\mathsf{SK}, \mathsf{CT})$: On input a secret key $\mathsf{SK} = (r, \mathsf{SK}_r)$ and a ciphertext $\mathsf{CT} = (\mathsf{CT}_0, \mathsf{CT}_1)$, output

   $\mathsf{PKE.Dec}_{\mathsf{SK}_r}(\mathsf{CT}_r)$

Correctness. Correctness is straightforward.

Security. We prove that the scheme is 1-AD-SIM-secure. We define a simulator $\mathsf{BasicFE.Sim}$ that proceeds as follows:

• If the adversary makes a secret key query before seeing the ciphertext, the simulator learns $x$ and can therefore simulate the ciphertext perfectly via normal encryption.

• If the adversary requests the ciphertext first, then the simulator picks a random bit $\beta \leftarrow \{0, 1\}$ and outputs as ciphertext

   $\mathsf{CT} := (\mathsf{PKE.Enc}(\mathsf{PK}_0, \beta), \mathsf{PKE.Enc}(\mathsf{PK}_1, \bar{\beta}))$

  When the adversary then requests a secret key, the simulator learns $\mathsf{MSK} = (\mathsf{SK}_0, \mathsf{SK}_1)$ and $x$, and outputs as the secret key

   $\mathsf{SK} := (\beta \oplus x, \mathsf{SK}_{\beta \oplus x})$

  Note that the slot $\beta \oplus x$ of the ciphertext encrypts exactly $x$, so the programmed key decrypts correctly.

We establish security via a series of Games.

Game 0. Normal encryption.

Game 1. If the adversary requests the ciphertext before making a secret key query, then we modify the ciphertext as follows: letting $r \leftarrow \{0, 1\}$ be the random bit that $\mathsf{BasicFE.Keygen}$ will use for the subsequent secret key query, set

   $\mathsf{CT} := (\mathsf{PKE.Enc}(\mathsf{PK}_0, x \oplus r), \mathsf{PKE.Enc}(\mathsf{PK}_1, x \oplus \bar{r}))$

Game 2. Output of the simulator.

It is easy to see that the outputs of Games 0 and 1 are computationally indistinguishable by CPA security (only the slot $\bar{r}$, whose secret key the adversary never sees, changes), and that the outputs of Games 1 and 2 are identically distributed (take $\beta := x \oplus r$).

Extension to larger $X$. It is easy to see that this construction extends to $X = \{0, 1\}^\lambda$ via $\lambda$-wise repetition (that is, $\lambda$ independent master public keys, etc).

4.2  Adaptive, "Brute Force"

Boneh et al. [BSW11, Section 4.1] presented an AD-IND-secure scheme for any functionality where the circuit family has polynomial size, starting from any semantically secure public-key encryption scheme. For simplicity, we just write down the construction for a family of two circuits $\mathcal{C} = \{C_0, C_1\}$, which easily extends to any poly-size family. We show that if we replace the underlying encryption scheme with the previous 1-AD-SIM-secure FE scheme for the singleton circuit space $\mathcal{C} = \{C^*\}$, then we obtain a 1-AD-SIM-secure FE scheme for $\mathcal{C}$.

• Setup $\mathsf{BFFE.Setup}(1^\kappa)$: Run $\mathsf{BasicFE.Setup}$ twice to generate independent master public-key/secret-key pairs

   $(\mathsf{MPK}_i, \mathsf{MSK}_i) \leftarrow \mathsf{BasicFE.Setup}(1^\kappa)$ for $i = 0, 1$

  Output $(\mathsf{MPK}_0, \mathsf{MPK}_1)$ as the master public key and $(\mathsf{MSK}_0, \mathsf{MSK}_1)$ as the master secret key.

• Key Generation $\mathsf{BFFE.Keygen}(\mathsf{MSK}, C_b)$: On input the master secret key $\mathsf{MSK}$ and a circuit $C_b \in \mathcal{C}$, output as secret key $\mathsf{SK}_b \leftarrow \mathsf{BasicFE.Keygen}(\mathsf{MSK}_b, C^*)$.

• Encryption $\mathsf{BFFE.Enc}(\mathsf{MPK}, x)$: On input the master public key $\mathsf{MPK}$ and an input message $x \in X$, output as ciphertext

   $\mathsf{CT} := (\mathsf{BasicFE.Enc}(\mathsf{MPK}_0, C_0(x)), \mathsf{BasicFE.Enc}(\mathsf{MPK}_1, C_1(x)))$

• Decryption $\mathsf{BFFE.Dec}(\mathsf{SK}_b, \mathsf{CT})$: On input a secret key $\mathsf{SK}_b$ and a ciphertext $\mathsf{CT} = (\mathsf{CT}_0, \mathsf{CT}_1)$, output

   $\mathsf{BasicFE.Dec}_{\mathsf{SK}_b}(\mathsf{CT}_b)$

Correctness. Correctness is straightforward.

Security. We prove that the scheme is 1-AD-SIM-secure. The simulator $\mathsf{BFFE.Sim}$ proceeds as follows:

• If the adversary makes a query $C_b$ before seeing the ciphertext, the simulator learns $C_b(x)$ and then simulates the ciphertext as follows:

   $\mathsf{CT}_b \leftarrow \mathsf{BasicFE.Enc}(\mathsf{MPK}_b, C_b(x))$ and $\mathsf{CT}_{1-b} \leftarrow \mathsf{BasicFE.Sim}(\mathsf{MPK}_{1-b}, \emptyset, 1^{|x|})$

  Output $\mathsf{CT} := (\mathsf{CT}_0, \mathsf{CT}_1)$.

• If the adversary requests the ciphertext first, then the simulator simulates the ciphertext as follows:

   $\mathsf{CT}_i \leftarrow \mathsf{BasicFE.Sim}(\mathsf{MPK}_i, \emptyset, 1^{|x|})$ for $i = 0, 1$

  Output $\mathsf{CT} := (\mathsf{CT}_0, \mathsf{CT}_1)$. When the adversary then requests a secret key for $C_b$, the simulator learns $\mathsf{MSK} = (\mathsf{MSK}_0, \mathsf{MSK}_1)$ and $C_b, C_b(x)$, and outputs as secret key

   $\mathsf{SK}_b \leftarrow \mathsf{BasicFE.Sim}(\mathsf{MSK}_b, (C_b(x), C_b), 1^{|x|})$

We establish security via a series of Games.

Game 0. Normal encryption.

Game 1. Roughly speaking, we simulate on $\mathsf{MPK}_0, \mathsf{CT}_0$ and follow normal encryption on $\mathsf{MPK}_1, \mathsf{CT}_1$. More precisely, the simulator proceeds as follows:

• If the adversary makes a secret key query $C_b$ before seeing the ciphertext, proceed as follows:

  — if $b = 0$, use normal encryption for both $\mathsf{CT}_0$ and $\mathsf{CT}_1$;

  — if $b = 1$, follow $\mathsf{BFFE.Sim}$ (that is, generate $\mathsf{CT}_0$ using $\mathsf{BasicFE.Sim}$).

• If the adversary requests the ciphertext first, then the simulator simulates the ciphertext as follows:

   $\mathsf{CT}_0 \leftarrow \mathsf{BasicFE.Sim}(\mathsf{MPK}_0, \emptyset)$ and $\mathsf{CT}_1 \leftarrow \mathsf{BasicFE.Enc}(\mathsf{MPK}_1, C_1(x))$

  Output $\mathsf{CT} := (\mathsf{CT}_0, \mathsf{CT}_1)$. When the adversary then requests a secret key for $C_b$, the simulator proceeds as follows:

  — if $b = 0$, follow $\mathsf{BFFE.Sim}$ (that is, generate $\mathsf{SK}_0$ using $\mathsf{BasicFE.Sim}$);

  — if $b = 1$, follow normal encryption (that is, generate $\mathsf{SK}_1$ using $\mathsf{BasicFE.Keygen}$).

Game 2. Output of the simulator.

It is easy to see that the outputs of Games 0 and 1 are computationally indistinguishable by the 1-AD-SIM security of the underlying scheme. The same applies to the outputs of Games 1 and 2.
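The two constructions above, worked through in code. This is an added example and not code from the paper: the CPA-secure PKE is stood in for by a toy ElGamal over a small prime field (an assumption made for readability; the group is far too small to be secure), `basicfe_*` implements Section 4.1 including the simulator's equivocation trick (ciphertext first, key programmed later), and `bffe_*` layers the two-circuit brute-force scheme of Section 4.2 on top of it. All function names and the parameters `P`, `G` are this example's own.

```python
import secrets

# Toy ElGamal over a small prime field, standing in for any CPA-secure PKE.
# Assumption/constructed for illustration: the group is far too small to be secure.
P = 1000003   # prime modulus
G = 2         # base element; a bit b is encoded as G^b

def pke_setup():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                       # (PK, SK)

def pke_enc(pk, bit):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), pow(G, bit, P) * pow(pk, r, P) % P

def pke_dec(sk, ct):
    c1, c2 = ct
    m = c2 * pow(c1, P - 1 - sk, P) % P            # c2 / c1^sk, since c1^(P-1) = 1
    return 0 if m == 1 else 1

# --- Section 4.1: BasicFE for the singleton identity circuit on one bit ---
def basicfe_setup():
    (pk0, sk0), (pk1, sk1) = pke_setup(), pke_setup()
    return (pk0, pk1), (sk0, sk1)                  # (MPK, MSK)

def basicfe_keygen(msk):
    r = secrets.randbelow(2)                       # random slot; the key reveals SK_r only
    return r, msk[r]

def basicfe_enc(mpk, x):
    return pke_enc(mpk[0], x), pke_enc(mpk[1], x)  # the same bit under both keys

def basicfe_dec(sk, ct):
    r, sk_r = sk
    return pke_dec(sk_r, ct[r])

def basicfe_sim_ct(mpk):
    """Simulator, ciphertext-first case: slot 0 encrypts beta, slot 1 encrypts 1-beta,
    so the ciphertext is not yet committed to any x. Returns (CT, beta)."""
    beta = secrets.randbelow(2)
    return (pke_enc(mpk[0], beta), pke_enc(mpk[1], 1 - beta)), beta

def basicfe_sim_key(msk, beta, x):
    """Later, given MSK and x, program the key so the simulated CT opens to x:
    slot r = beta XOR x holds beta (r == 0) or 1-beta (r == 1), which equals x."""
    r = beta ^ x
    return r, msk[r]

# --- Section 4.2: brute-force FE for a two-circuit family {C_0, C_1} ---
def bffe_setup():
    (mpk0, msk0), (mpk1, msk1) = basicfe_setup(), basicfe_setup()
    return (mpk0, mpk1), (msk0, msk1)

def bffe_keygen(msk, b):
    return b, basicfe_keygen(msk[b])               # SK_b is a BasicFE key under MSK_b

def bffe_enc(mpk, circuits, x):
    # encrypt C_b(x) under MPK_b for every b; each circuit maps x to one bit
    return tuple(basicfe_enc(mpk[b], circuits[b](x)) for b in range(2))

def bffe_dec(sk, ct):
    b, inner = sk
    return basicfe_dec(inner, ct[b])

def bffe_sim(mpk, msk, circuits, x, b):
    """Ciphertext-first simulation of Section 4.2: both slots are simulated first,
    then the key for C_b is programmed so slot b opens to C_b(x)."""
    (ct0, beta0), (ct1, beta1) = basicfe_sim_ct(mpk[0]), basicfe_sim_ct(mpk[1])
    sk_b = (b, basicfe_sim_key(msk[b], (beta0, beta1)[b], circuits[b](x)))
    return (ct0, ct1), sk_b

if __name__ == "__main__":
    c0, c1 = (lambda x: x[0] ^ x[1]), (lambda x: x[0] & x[1])   # constructed circuits
    mpk, msk = bffe_setup()
    ct = bffe_enc(mpk, (c0, c1), (1, 0))
    print(bffe_dec(bffe_keygen(msk, 0), ct), bffe_dec(bffe_keygen(msk, 1), ct))
```

The point of `basicfe_sim_ct`/`basicfe_sim_key` is the one the proof relies on: a real ciphertext carries the same bit in both slots, a simulated one carries complementary bits, and the adversary only ever holds the secret key of one slot, so it cannot tell which world it is in.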

4.3  One-Query General Functional Encryption from Randomized Encoding

Sahai and Seyalioglu [SS10] proved 1-NA-SIM security; we observe that the same "bootstrapping" construction works for 1-AD-SIM. Let $\mathcal{C}$ be an arbitrary family of poly-size circuits. We construct the $\mathsf{OneQFE}$ scheme for $\mathcal{C}$ as follows.

Let $\mathsf{BFFE}$ denote the brute-force construction defined above. At a high level the idea is this: suppose we wish to construct an FE scheme for a polynomial-size circuit $C$ and input $x$. Let $U(C, x)$ denote the universal circuit that outputs $C(x)$. Let $U(C, x; R)$ denote a randomized encoding of $U(C, x)$ where, for every $x, R$, $U(\cdot, x; R)$ has small locality. Then, assuming $C$ has length $\lambda$, we can write

   $U(C, x; R) = (U_1(C[1], x; R), \ldots, U_\lambda(C[\lambda], x; R))$

where $U_i(\cdot, x; R)$ depends only on $C[i]$, the $i$th bit of the circuit $C$. For each $i$, we can now use the $\mathsf{BFFE}$ scheme for a family of two circuits:

   $\mathcal{U}_i := \{U_i(0, \cdot; \cdot),\ U_i(1, \cdot; \cdot)\}$

• Setup $\mathsf{FE.Setup}(1^\kappa)$: Run the brute-force setup algorithm $\lambda$ times to generate independent master public-key/secret-key pairs

   $(\mathsf{MPK}_i, \mathsf{MSK}_i) \leftarrow \mathsf{BFFE.Setup}(1^\kappa)$ for $\mathcal{U}_i$ and $i = 1, \ldots, \lambda$

  Output $(\mathsf{MPK}_i)_{i=1}^{\lambda}$ as the master public key and $(\mathsf{MSK}_i)_{i=1}^{\lambda}$ as the master secret key.

• Key Generation $\mathsf{FE.Keygen}(\mathsf{MSK}, C)$: On input the master secret key $\mathsf{MSK}$ and a circuit $C \in \mathcal{C}$, compute

   $\mathsf{SK}_{C,i} \leftarrow \mathsf{BFFE.Keygen}(\mathsf{MSK}_i, U_i(C[i], \cdot; \cdot))$ for $i = 1, \ldots, \lambda$

  Output as secret key

   $\mathsf{SK}_C := (\mathsf{SK}_{C,i})_{i \in [\lambda]}$

• Encryption $\mathsf{FE.Enc}(\mathsf{MPK}, x)$: On input the master public key $\mathsf{MPK}$ and an input message $x \in X$, choose $R$ and compute

   $\mathsf{CT}_i \leftarrow \mathsf{BFFE.Enc}(\mathsf{MPK}_i, (x; R))$ for $i = 1, \ldots, \lambda$

  Output $(\mathsf{CT}_i)_{i=1}^{\lambda}$ as the ciphertext.

• Decryption $\mathsf{FE.Dec}(\mathsf{SK}_C, \mathsf{CT})$: On input a secret key $\mathsf{SK}_C = (\mathsf{SK}_{C,i})_{i \in [\lambda]}$ and a ciphertext $\mathsf{CT} = (\mathsf{CT}_i)_{i=1}^{\lambda}$, do the following:

  1. Compute $y_i \leftarrow \mathsf{BFFE.Dec}(\mathsf{SK}_{C,i}, \mathsf{CT}_i) = U_i(C[i], x; R)$ for $i = 1, \ldots, \lambda$;

  2. Run the decoder to get $y \leftarrow \mathsf{RE.Decode}(y_1, \ldots, y_\lambda)$.

  Output $y$.

Correctness. Correctness follows directly from the correctness of the brute-force FE construction and of randomized encodings.

Security. We first prove that $\mathsf{OneQFE}$ is 1-NA-SIM-secure (see below on how to modify the proof to show 1-AD-SIM security). Recall that the simulator gets as input the following values:

1. The public key: $(\mathsf{MPK}_i)_{i=1}^{\lambda}$;

2. The query $C$ and the corresponding secret key $\mathsf{SK}_C = (\mathsf{SK}_{C,i})_{i=1}^{\lambda}$;

3. The output of $C$: $C(x)$.

At a very high level, the security of the scheme follows from the fact that, by the security of the brute-force construction, the adversary can only learn $y_i$ for all $i$, and by the security of the randomized encoding, the adversary can only learn $y = C(x)$.

We establish security via a series of Games. Game 0 corresponds to the real experiment and Game $\lambda + 1$ corresponds to the ideal experiment where the simulator $\mathcal{S}$ produced the ciphertext. The goal of the simulator $\mathcal{S}$ is to produce a ciphertext that is indistinguishable from the real ciphertext. Let $\mathsf{BFFE.Sim}$ and $\mathsf{RE.Sim}$ be the brute-force FE and randomized encoding simulators, respectively.

Game 0. Real encryption experiment.

Game $i$ for $i \in \{1, \ldots, \lambda\}$. In Game $i$, the first $i$ ciphertexts are simulated and the remaining $\lambda - i$ ciphertexts are encrypted properly under $\mathsf{MPK}_j$ (so that Game $\lambda$ has every ciphertext simulated). Formally, for all $1 \le j \le i$, let

   $\mathsf{CT}_j \leftarrow \mathsf{BFFE.Sim}(\mathsf{MPK}_j, (U_j(C[j], x; R), U_j(C[j], \cdot; \cdot), \mathsf{SK}_{C,j}))$

For all $i < j \le \lambda$, let

   $\mathsf{CT}_j \leftarrow \mathsf{BFFE.Enc}(\mathsf{MPK}_j, (x; R))$

Output the ciphertext

   $\mathsf{CT} := (\mathsf{CT}_1, \ldots, \mathsf{CT}_\lambda)$

Game $\lambda + 1$. Same as Game $\lambda$, except that the randomized encoding is now produced by $\mathsf{RE.Sim}$. Formally, the simulator $\mathcal{S}$ does the following.

1. Let

   $(U_i(C[i], x; R))_{i=1}^{\lambda} \leftarrow \mathsf{RE.Sim}(1^\kappa, U, U(C, x))$

2. For all $i \in [\lambda]$, let

   $\mathsf{CT}_i \leftarrow \mathsf{BFFE.Sim}(\mathsf{MPK}_i, (U_i(C[i], x; R), U_i(C[i], \cdot; \cdot), \mathsf{SK}_{C,i}))$

3. Output the ciphertext

   $\mathsf{CT} := (\mathsf{CT}_1, \ldots, \mathsf{CT}_\lambda)$

Claim 4.0.1. The outputs of Game 0 and Game $\lambda$ are computationally indistinguishable.

Proof. The only difference between Games 0 and $\lambda$ is that in the latter the ciphertext is produced by the simulator. If there is a distinguisher between these Games, then by a hybrid argument we can distinguish between Games $i$ and $i + 1$ for some $i$, and hence compromise the security of the underlying $\mathsf{BFFE}$ construction. □

Claim 4.0.2. The outputs of Game $\lambda$ and Game $\lambda + 1$ are computationally indistinguishable.

Proof. This claim follows directly from the security of the randomized encoding simulator. □

Therefore, we can conclude that the real experiment is indistinguishable from the ideal experiment.

We now sketch how to modify the above proof to show that $\mathsf{OneQFE}$ is 1-AD-SIM-secure. Construct the simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ as follows. The simulator $\mathcal{S}_1$ is the same as in the non-adaptive case, except that it passes the simulated decomposable randomized encoding $U(C, x; R)$ as part of the state to $\mathcal{S}_2$. Now, assume the oracle query $C$ comes after the challenge ciphertext (the other case is trivial). We invoke the single brute-force simulator $\mathsf{BFFE.Sim}$ many times, once for each $\mathsf{MSK}_i$. For every oracle query $U_i(C[i], \cdot; \cdot)$ made by $\mathsf{BFFE.Sim}$, reply with $y_i \leftarrow U_i(C[i], x; R)$. Finally, output $(\mathsf{SK}_{C,i})_{i \in [\lambda]}$ as the secret key to the adversary.

5  A Construction for NC1 Circuits

In this section, we construct a functional encryption scheme for all NC1 circuits secure against $q$ secret-key queries, starting from one that is secure against a single secret-key query. Our construction will rely on any semantically secure public-key encryption scheme.

The Class of Circuits. We construct a $q$-bounded FE scheme for the circuit family $\mathcal{C} := \mathrm{NC1}$. In particular, we consider the polynomial representation of circuits $C$ in the family. The input message space $X = \mathbb{F}^\ell$ is an $\ell$-tuple of field elements, and for every circuit $C \in \mathcal{C}$, $C(\cdot)$ is an $\ell$-variate polynomial over $\mathbb{F}$ of total degree at most $D$. The complexity of our construction will be polynomial in both $D$ and $q$, where $q$ is the number of secret keys the adversary is allowed to see before he gets the challenge ciphertext.

5.1  Our Construction

Let $\mathcal{C} := \mathrm{NC1}$ be a circuit family with circuits of degree $D = D(\kappa)$ in their input, and let $q = q(\kappa)$ be a bound on the number of secret key queries. Our scheme is associated with additional parameters $S = S(\kappa)$, $N = N(\kappa)$, $t = t(\kappa)$ and $v = v(\kappa)$ (for an instantiation of the parameters, see Section 5.2).

We start by defining a new family $\mathcal{G}$ as follows:

   $G_{C,\Delta}(x, Z_1, \ldots, Z_S) := C(x) + \sum_{i \in \Delta} Z_i \qquad (1)$

where $\Delta \subseteq [S]$ and $Z_1, \ldots, Z_S \in \mathbb{F}$.

Let $(\mathsf{OneQFE.Setup}, \mathsf{OneQFE.Keygen}, \mathsf{OneQFE.Enc}, \mathsf{OneQFE.Dec})$ be a functional encryption scheme for $\mathcal{G}$ secure against a single secret key query. Our $q$-query secure encryption scheme $\mathsf{BdFE} = (\mathsf{BdFE.Setup}, \mathsf{BdFE.Keygen}, \mathsf{BdFE.Enc}, \mathsf{BdFE.Dec})$ for $\mathcal{C}$ works as follows:

• Setup $\mathsf{BdFE.Setup}(1^\kappa)$: Run the one-query setup algorithm $N$ times to generate independent master public-key/secret-key pairs

   $(\mathsf{MPK}_i, \mathsf{MSK}_i) \leftarrow \mathsf{OneQFE.Setup}(1^\kappa)$ for $i = 1, \ldots, N$

  Output $(\mathsf{MPK}_i)_{i=1}^{N}$ as the master public key and $(\mathsf{MSK}_i)_{i=1}^{N}$ as the master secret key.

• Key Generation $\mathsf{BdFE.Keygen}(\mathsf{MSK}, C)$: On input the master secret key $\mathsf{MSK}$ and a circuit $C \in \mathcal{C}$,

  1. Choose a uniformly random set $\Gamma \subseteq [N]$ of size $Dt + 1$;

  2. Choose a uniformly random set $\Delta \subseteq [S]$ of size $v$;

  3. Generate the secret keys

   $\mathsf{SK}_{C,\Delta,i} \leftarrow \mathsf{OneQFE.Keygen}(\mathsf{MSK}_i, G_{C,\Delta})$ for every $i \in \Gamma$

  Output as secret key $\mathsf{SK}_C := (\Gamma, \Delta, (\mathsf{SK}_{C,\Delta,i})_{i \in \Gamma})$.

• Encryption $\mathsf{BdFE.Enc}(\mathsf{MPK}, x)$: On input the master public key $\mathsf{MPK} = (\mathsf{MPK}_i)_{i=1}^{N}$ and an input message $x = (x_1, \ldots, x_\ell) \in X$:

  1. For $i = 1, 2, \ldots, \ell$, pick a random degree $t$ polynomial $\mu_i(\cdot)$ whose constant term is $x_i$.

  2. For $i = 1, 2, \ldots, S$, pick a random degree $Dt$ polynomial $\zeta_i(\cdot)$ whose constant term is 0.

  3. Run the one-query encryption algorithm $\mathsf{OneQFE.Enc}$ $N$ times to produce ciphertexts

   $\mathsf{CT}_i \leftarrow \mathsf{OneQFE.Enc}(\mathsf{MPK}_i, (\mu_1(i), \ldots, \mu_\ell(i), \zeta_1(i), \ldots, \zeta_S(i)))$ for $i = 1, \ldots, N$

  Output $(\mathsf{CT}_i)_{i=1}^{N}$ as the ciphertext.

• Decryption $\mathsf{BdFE.Dec}(\mathsf{SK}_C, \mathsf{CT})$: On input a secret key $\mathsf{SK}_C = (\Gamma, \Delta, (\mathsf{SK}_{C,\Delta,i})_{i \in \Gamma})$ and a ciphertext $\mathsf{CT} = (\mathsf{CT}_i)_{i=1}^{N}$, do the following:

  1. Compute the degree $Dt$ polynomial $\eta(\cdot)$ such that $\eta(i) = \mathsf{OneQFE.Dec}(\mathsf{SK}_{C,\Delta,i}, \mathsf{CT}_i)$ for all $i \in \Gamma$ (by interpolation through the $|\Gamma| = Dt + 1$ points).

  2. Output $\eta(0)$.

5.1.1  Correctness

We show that the scheme above is correct. By correctness of the underlying single-query FE, we have that for all $i \in \Gamma$,

   $\eta(i) = C(\mu_1(i), \ldots, \mu_\ell(i)) + \sum_{a \in \Delta} \zeta_a(i)$

Since $|\Gamma| \ge Dt + 1$, this means that $\eta$ is equal to the degree $Dt$ polynomial

   $\eta(\cdot) = C(\mu_1(\cdot), \ldots, \mu_\ell(\cdot)) + \sum_{a \in \Delta} \zeta_a(\cdot)$

Hence, $\eta(0) = C(x_1, \ldots, x_\ell) = C(x)$.
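The polynomial layer of the construction, worked as an added example (not the paper's code). The one-query scheme $\mathsf{OneQFE}$ is abstracted away: by its correctness, $\mathsf{OneQFE.Dec}(\mathsf{SK}_{C,\Delta,i}, \mathsf{CT}_i)$ returns $G_{C,\Delta}$ applied to slot $i$'s plaintext, so the example keeps each slot's plaintext in the clear and applies $G_{C,\Delta}$ directly. This is an assumption that lets the example check correctness only; it says nothing about security. The field $\mathbb{F}$ is taken to be $\mathbb{Z}_p$ for the Mersenne prime $p = 2^{61} - 1$, the circuit is the degree-3 polynomial $C(x_1, x_2, x_3) = x_1 x_2 x_3 + x_2$, the index set $[S]$ is represented as $\{0, \ldots, S-1\}$, and the parameter values are constructed for the demonstration.

```python
import secrets

# Added example: the sharing/masking layer of BdFE over F_p.
# Assumptions: F = Z_p with the Mersenne prime p = 2^61 - 1; the one-query FE is
# modelled by keeping each slot's plaintext in the clear (correctness only).
P = (1 << 61) - 1
D = 3   # total degree of the circuit used below

def rand_poly(degree, constant):
    """Random polynomial of the given degree with the given constant term
    (coefficient list, low degree first)."""
    return [constant % P] + [secrets.randbelow(P) for _ in range(degree)]

def evaluate(poly, point):
    acc = 0
    for coef in reversed(poly):            # Horner's rule
        acc = (acc * point + coef) % P
    return acc

def interpolate_at_zero(points):
    """Lagrange interpolation at 0 from {i: eta(i)}; needs deg+1 distinct nonzero i."""
    total = 0
    for i, y_i in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * j % P
                den = den * (j - i) % P
        total = (total + y_i * num * pow(den, P - 2, P)) % P
    return total

def circuit_C(x):
    """C(x1, x2, x3) = x1*x2*x3 + x2: an NC1 circuit as a degree-D polynomial."""
    x1, x2, x3 = x
    return (x1 * x2 % P * x3 + x2) % P

def G(C, Delta, shares, zetas):
    """G_{C,Delta}(x, Z_1..Z_S) := C(x) + sum_{a in Delta} Z_a   (Eq. 1)."""
    return (C(shares) + sum(zetas[a] for a in Delta)) % P

def bdfe_enc(x, N, S, t):
    """BdFE.Enc: share each x_i with a degree-t polynomial mu_i (constant term x_i),
    mask with degree-Dt polynomials zeta_a (constant term 0). Slot i holds the
    tuple that OneQFE.Enc(MPK_i, .) would encrypt."""
    mu = [rand_poly(t, x_i) for x_i in x]
    zeta = [rand_poly(D * t, 0) for _ in range(S)]
    return {i: (tuple(evaluate(m, i) for m in mu),
                tuple(evaluate(z, i) for z in zeta)) for i in range(1, N + 1)}

def bdfe_keygen(N, S, t, v):
    """BdFE.Keygen: random Gamma of size Dt+1 and Delta of size v. The per-slot
    OneQFE keys for G_{C,Delta} are implicit in the abstraction above."""
    rng = secrets.SystemRandom()
    return set(rng.sample(range(1, N + 1), D * t + 1)), set(rng.sample(range(S), v))

def bdfe_dec(C, key, slots):
    """BdFE.Dec: eta(i) = OneQFE.Dec(SK_{C,Delta,i}, CT_i) for i in Gamma, then eta(0)."""
    Gamma, Delta = key
    eta_points = {i: G(C, Delta, slots[i][0], slots[i][1]) for i in Gamma}
    return interpolate_at_zero(eta_points)

if __name__ == "__main__":
    x, (N, S, t, v) = (3, 5, 7), (40, 10, 2, 3)   # constructed parameters
    slots = bdfe_enc(x, N, S, t)
    print(bdfe_dec(circuit_C, bdfe_keygen(N, S, t, v), slots), circuit_C(x))
```

Each key interpolates a degree-$Dt$ polynomial from exactly $|\Gamma| = Dt + 1$ evaluations, which is why $\Gamma$ must have that size; the masks $\zeta_a$ vanish at 0, so they disappear from $\eta(0)$ while hiding the per-slot values $C(\mu_1(i), \ldots, \mu_\ell(i))$ from anyone holding only the slot decryptions.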
5.2  Setting the Parameters

We show how to set the parameters $S = S(\kappa)$, $N = N(\kappa)$ and $t = t(\kappa)$. These parameters govern the choice of the sets $\Gamma$ and $\Delta$ during the key generation algorithm, and are required to satisfy the following two conditions:

Small Pairwise Intersections. Let $\Gamma_1, \ldots, \Gamma_q \subseteq [N]$ be the (uniformly random) sets chosen for each of the $q$ secret key queries of the adversary. Whenever two of these sets intersect, the adversary obtains two distinct secret keys for the underlying one-query secure FE scheme. More precisely, for every $j \in \Gamma_1 \cap \Gamma_2$, the adversary obtains two secret keys under the public key $\mathsf{MPK}_j$. Since security of $\mathsf{MPK}_j$ is only guaranteed under a single adversarial query, we have to contend with the possibility that in this event the adversary can potentially completely break the security of the public key $\mathsf{MPK}_j$. In particular, for every such $j$, the adversary potentially learns a share of the encrypted input message $x$.

Thus, to guarantee security, we require that the union of the pairwise intersections of $\Gamma_1, \ldots, \Gamma_q$ is small. In particular, we require that $\left|\bigcup_{i \ne j} (\Gamma_i \cap \Gamma_j)\right| \le t$. This ensures that the adversary learns at most $t$ shares of the input message $x$, which together reveal no information about $x$ (each $\mu_i$ has degree $t$).

A simple probabilistic argument shows that this is true (with probability $1 - \ldots$) as long as $q^2 \cdot (Dt/N)^2 \cdot N \le t/10$. In other words, we will set $t(\kappa) = \Theta(q^2 \kappa)$ and $N(\kappa) = \Theta(D^2 q^2 t)$, which satisfies the above constraint with probability $1 - 2^{-\Theta(\kappa)}$. For details, we refer the interested reader to Appendix B.1.

Cover-Freeness. Let $\Delta_1, \ldots, \Delta_q \subseteq [S]$ be the (uniformly random) sets of size $v$ chosen for each of the $q$ secret key queries of the adversary. The security proof relies on the condition that the polynomials $\sum_{a \in \Delta_j} \zeta_a(\cdot)$ are uniformly random and independent, which is true if the collection of sets $\Delta_1, \ldots, \Delta_q$ is cover-free. That is, for every $i \in [q]$: $\Delta_i \setminus \left(\bigcup_{j \ne i} \Delta_j\right) \ne \emptyset$.

A simple probabilistic argument shows that this is true (with probability $1 - 2^{-\Theta(q^2 v^2 / S)}$) as long as $q^2 v^2 / S \le v/100$. In other words, we will set $v(\kappa) = \Theta(\kappa)$ and $S(\kappa) = \Theta(v q^2)$, which satisfies the above constraint with probability $1 - 2^{-\Theta(\kappa)}$. For details, we refer the interested reader to Appendix B.2.

We remark that in our construction, multiple secret key queries for the same $C \in \mathcal{C}$ result in different secret keys $\mathsf{SK}_C$, essentially because of the different random choices of the sets $\Delta$ and $\Gamma$. Using a pseudorandom function (applied to $C$), it is possible to ensure that multiple secret key queries for the same $C$ result in the same answer.
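The two combinatorial conditions, checked in code. This is an added example and not part of the paper: it samples $\Gamma_1, \ldots, \Gamma_q$ and $\Delta_1, \ldots, \Delta_q$ the way $\mathsf{BdFE.Keygen}$ does, tests the small-pairwise-intersection bound $|\bigcup_{j \ne j'} (\Gamma_j \cap \Gamma_{j'})| \le t$ and the cover-free condition directly, and estimates over seeded trials how often each fails. The parameter values are constructed: `paper_parameters` follows $N = \Theta(D^2 q^2 t)$ and $S = \Theta(v q^2)$ with the constants 10 and 100 from the two constraints above, and the second call deliberately uses an $N$ and $S$ far too small for the same $q, D, t, v$.

```python
import random

def pairwise_intersection_union(Gammas):
    """X = union over j != j' of (Gamma_j ∩ Gamma_j'): the slots that receive
    more than one OneQFE key, i.e. where the one-query guarantee is lost."""
    X = set()
    for a in range(len(Gammas)):
        for b in range(a + 1, len(Gammas)):
            X |= Gammas[a] & Gammas[b]
    return X

def small_pairwise_intersections(Gammas, t):
    return len(pairwise_intersection_union(Gammas)) <= t

def is_cover_free(Deltas):
    """Every Delta_i keeps at least one index not covered by the other Delta_j."""
    for i, D_i in enumerate(Deltas):
        others = set().union(*(D_j for j, D_j in enumerate(Deltas) if j != i))
        if not (D_i - others):
            return False
    return True

def sample_key_sets(rng, q, N, S, t, D, v):
    """The random choices BdFE.Keygen makes for q queries: |Gamma_j| = Dt+1, |Delta_j| = v."""
    Gammas = [set(rng.sample(range(1, N + 1), D * t + 1)) for _ in range(q)]
    Deltas = [set(rng.sample(range(1, S + 1), v)) for _ in range(q)]
    return Gammas, Deltas

def estimate_failure(q, N, S, t, D, v, trials=200, seed=1):
    """Fraction of seeded trials violating each condition: (gamma_fail, delta_fail)."""
    rng = random.Random(seed)
    bad_gamma = bad_delta = 0
    for _ in range(trials):
        Gammas, Deltas = sample_key_sets(rng, q, N, S, t, D, v)
        bad_gamma += not small_pairwise_intersections(Gammas, t)
        bad_delta += not is_cover_free(Deltas)
    return bad_gamma / trials, bad_delta / trials

def paper_parameters(q, D, t, v):
    """N and S that satisfy q^2 (Dt/N)^2 N <= t/10 and q^2 v^2 / S <= v/100 exactly."""
    return 10 * D * D * q * q * t, 100 * q * q * v

if __name__ == "__main__":
    q, D, t, v = 3, 3, 4, 20                       # constructed toy parameters
    N, S = paper_parameters(q, D, t, v)
    print("paper-sized N, S:", estimate_failure(q, N, S, t, D, v))
    print("undersized N, S: ", estimate_failure(q, 30, 22, t, D, v))
```

With the undersized parameters the $\Gamma_j$ overlap in far more than $t$ slots and the $\Delta_j$ cover one another, which is exactly the situation in which the proof's two cases ($i \in X$ handled statistically, $i \notin X$ handled by the one-query simulator) no longer cover every slot.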

5.3  Proof of Security

Theorem 5.1. Let $\mathsf{OneQFE}$ be a 1-AD-SIM-secure (resp. 1-NA-SIM-secure) functional encryption scheme for any family of poly-size circuits. Then, for any circuit family $\mathcal{C}$ computable in NC1, the $\mathsf{BdFE}$ scheme described above is $q$-AD-SIM-secure (resp. $q$-NA-SIM-secure).

We prove that the construction $\mathsf{BdFE}$ given in Section 5 is $q$-AD-SIM-secure if we start out with a 1-AD-SIM-secure scheme. This subsumes the non-adaptive variant of the proof. By Theorem A.1, this implies that $\mathsf{BdFE}$ is $q$-NA-SIM-secure for many messages. However, it is only single-message $q$-AD-SIM-secure (see Figure 1 for relations).

We establish security by first defining the simulator and then arguing that its output is indistinguishable via a series of Games. For readability, we adopt the following convention: we use $i$ to index over values in $[N]$, and we use $j$ to index over the queries.

Overview. Suppose the adversary receives the challenge ciphertext after seeing $q^* \le q$ queries. The simulator has to simulate the ciphertext and answer the remaining secret key queries. We may assume it already knows all of $\Gamma_1, \ldots, \Gamma_q, \Delta_1, \ldots, \Delta_q$. This is because:

• for $j \le q^*$, the simulator gets $\Gamma_j, \Delta_j$ from $\mathsf{SK}_j$;

• for $j > q^*$, the simulator gets to program $\Gamma_j, \Delta_j$ and could pick all these quantities in advance.

We first describe our strategy for simulating the ciphertext $\mathsf{CT} = (\mathsf{CT}_1, \ldots, \mathsf{CT}_N)$ and the secret keys. Let $X$ denote

   $X := \bigcup_{j \ne j'} (\Gamma_j \cap \Gamma_{j'})$

We will consider two cases:

• $i \in X$: Here, we may issue more than one secret key corresponding to $(\mathsf{MPK}_i, \mathsf{MSK}_i)$; therefore, we can no longer rely on the security of the underlying one-query FE scheme. Instead, we rely on the statistical security of the underlying MPC protocol and the fact that $|X| \le t$. Specifically, we can simulate $\mathsf{CT}_i$ and the secret keys honestly.

• $i \notin X$: Here, we issue at most one secret key corresponding to $(\mathsf{MPK}_i, \mathsf{MSK}_i)$; this is because at most one of the sets $\Gamma_1, \ldots, \Gamma_q$ contains $i$. Suppose $i \in \Gamma_j$. We may now appeal to the security of the underlying one-query FE scheme. Specifically, we simulate $\mathsf{CT}_i$ computationally using the simulator for the underlying one-query FE scheme. If $j \le q^*$, then we do not need to program secret keys at all. If $j > q^*$, upon receiving query $C_j$, we program the corresponding keys $\mathsf{SK}_{C_j,\Delta_j,i}$ using the one-query simulator.

We formally define the simulator $\mathsf{BdFE.Sim}$ as follows:

Simulating the ciphertext after query $q^*$. Here, the simulator knows $\Gamma_1, \ldots, \Gamma_q, \Delta_1, \ldots, \Delta_q$; the queries $C_1, \ldots, C_{q^*}$, the outputs $C_1(x), \ldots, C_{q^*}(x)$, and the secret keys $\mathsf{SK}_1, \ldots, \mathsf{SK}_{q^*}$.

1. Uniformly and independently sample $\ell$ random degree $t$ polynomials $\mu_1, \ldots, \mu_\ell$ whose constant terms are all 0.

2. We sample the polynomials $\zeta_1, \ldots, \zeta_S$ as follows: let $\Delta_0 := \emptyset$. For $j = 1, 2, \ldots, q$:

  (a) by the cover-free property, fix some $a^* \in \Delta_j \setminus (\Delta_0 \cup \cdots \cup \Delta_{j-1})$;

  (b) for all $a \in (\Delta_j \setminus (\Delta_0 \cup \cdots \cup \Delta_{j-1})) \setminus \{a^*\}$, set $\zeta_a$ to be a uniformly random degree $Dt$ polynomial whose constant term is 0;

  (c) if $j \le q^*$, pick a random degree $Dt$ polynomial $\eta_j(\cdot)$ whose constant term is $C_j(x)$; if $j > q^*$, pick random values for $\eta_j(i)$ for all $i \in X$;

  (d) the evaluation of $\zeta_{a^*}$ on the points in $X$ is defined by the relation:

   $\eta_j(\cdot) = C_j(\mu_1(\cdot), \ldots, \mu_\ell(\cdot)) + \sum_{a \in \Delta_j} \zeta_a(\cdot)$

  Finally, for all $a \notin (\Delta_1 \cup \cdots \cup \Delta_q)$, set $\zeta_a$ to be a uniformly random degree $Dt$ polynomial whose constant term is 0.

3. For each $i \in X$, run the one-query encryption algorithm $\mathsf{OneQFE.Enc}$ to produce ciphertexts

   $\mathsf{CT}_i \leftarrow \mathsf{OneQFE.Enc}(\mathsf{MPK}_i, (\mu_1(i), \ldots, \mu_\ell(i), \zeta_1(i), \ldots, \zeta_S(i)))$

4. For each $i \notin X$, run the one-query simulator $\mathsf{OneQFE.Sim}$ to produce the ciphertext $\mathsf{CT}_i$ as follows. At most one of $\Gamma_1, \ldots, \Gamma_q$ contains $i$.

  • If such a set exists, let $j$ denote the index of the unique set $\Gamma_j$ that contains $i$ (i.e., $i \in \Gamma_j$). If $j \le q^*$, compute

   $\mathsf{CT}_i \leftarrow \mathsf{OneQFE.Sim}(\mathsf{MPK}_i, (\eta_j(i), G_{C_j,\Delta_j}, \mathsf{SK}_{C_j,\Delta_j,i}))$

  where $\mathsf{SK}_{C_j,\Delta_j,i}$ is provided as part of $\mathsf{SK}_j$.

  • If no such set exists, or $j > q^*$, then compute

   $\mathsf{CT}_i \leftarrow \mathsf{OneQFE.Sim}(\mathsf{MPK}_i, \emptyset)$

Output $(\mathsf{CT}_i)_{i=1}^{N}$ as the ciphertext.

Simulating secret key $\mathsf{SK}_j$, for $j > q^*$. Here, the simulator gets $\mathsf{MSK} = (\mathsf{MSK}_1, \ldots, \mathsf{MSK}_N)$ and $C_j(x), C_j$, and needs to simulate $(\mathsf{SK}_{C_j,\Delta_j,i})_{i \in \Gamma_j}$.

1. For each $i \in \Gamma_j \cap X$, pick $\mathsf{SK}_{C_j,\Delta_j,i} \leftarrow \mathsf{OneQFE.Keygen}(\mathsf{MSK}_i, G_{C_j,\Delta_j})$.

2. For each $i \in \Gamma_j \setminus X$ (i.e., $\Gamma_j$ is the only set that contains $i$),

  (a) pick a random degree $Dt$ polynomial $\eta_j(\cdot)$ whose constant term is $C_j(x)$, subject to the constraints on the values in $X$ chosen earlier;

  (b) run $\mathsf{OneQFE.Sim}(\mathsf{MSK}_i, (\eta_j(i), G_{C_j,\Delta_j}))$ to obtain $\mathsf{SK}_{C_j,\Delta_j,i}$, so that $\mathsf{CT}_i$ decrypts to $\eta_j(i)$.

Output $(\mathsf{SK}_{C_j,\Delta_j,i})_{i \in \Gamma_j}$.

We establish security via a series of Games. The simulator is described above.

Game 0. Normal encryption.

Game 1. We modify $\zeta_1, \ldots, \zeta_S, \eta_1, \ldots, \eta_q$ to be sampled the same way as in the simulator.

Game 2. We simulate $(\mathsf{CT}_i)_{i \notin X}$ and $\mathsf{SK}_j$, $j > q^*$, as in the simulator.

Game 3. The output of the simulator. That is, we modify how the polynomials $\mu_1, \ldots, \mu_\ell$ are sampled.

Claim  5.1.1.  The  outputs  of  Game  0  and  Game  1  are  identically  distributed. 

Proof.  In  the  normal  encryption,  fa*  is  chosen  at  random  and  r/y  ( • )  is  defined  by  the  relation.  From 
Step  2  in  the  ciphertext  simulation  and  Step  2  in  the  secret  keys  simulation  (for  j  >  q *)  BdFE.Sim, 
essentially,  chooses  r/j  ( • )  at  random  which  defines  fa*-  It  is  easy  to  see  that  reversing  the  order  of 
how  the  polynomials  are  chosen  produces  the  same  distribution.  □ 

Claim  5.1.2.  The  outputs  of  Game  1  and  Game  2  are  computationally  indistinguishable. 

Proof. Informally, this follows from the security of the underlying one-query FE scheme and the fact that for all $i \notin I$, we run $\mathrm{OneQFE.Keygen}(MSK_i, \cdot)$ at most once.

By a hybrid argument, it suffices to show that for all $i \notin I$, the distributions of $CT_i$ in Games 1 and 2 are computationally indistinguishable (given $MPK_i$ and $SK_1, \ldots, SK_q$). Indeed, fix such an $i \notin I$ and the corresponding unique $j$ such that $i \in \Delta_j$ (the case where no such $j$ exists is similar).

First, observe that amongst $SK_1, \ldots, SK_q$, only $SK_j$ contains a key $SK_{C_j,A_j,i}$ that is generated using either $SK_{C_j,A_j,i} \leftarrow \mathrm{OneQFE.Keygen}(MSK_i, G_{C_j,A_j})$ (for the non-adaptive queries) or $SK_{C_j,A_j,i} \leftarrow \mathrm{OneQFE.Sim}(MSK_i, (\eta_j(i), G_{C_j,A_j}))$ (for the adaptive queries).

Case 1: Assume $j \le q^*$. Observe that
\[
\eta_j(i) = C_j(\mu_1(i), \ldots, \mu_\ell(i)) + \sum_{a \in A_j} \zeta_a(i)
= G_{C_j,A_j}(\mu_1(i), \ldots, \mu_\ell(i), \zeta_1(i), \ldots, \zeta_S(i)) \qquad (2)
\]
which means that in both Games 1 and 2, $CT_i$ decrypts to the same value. Now, note that in Game 1, $CT_i$ is generated using
\[
CT_i \leftarrow \mathrm{OneQFE.Enc}(MPK_i, (\mu_1(i), \ldots, \mu_\ell(i), \zeta_1(i), \ldots, \zeta_S(i)))
\]
By the security of the underlying FE scheme, this is computationally indistinguishable from
\[
\mathrm{OneQFE.Sim}\big(MPK_i, (G_{C_j,A_j}(\mu_1(i), \ldots, \mu_\ell(i), \zeta_1(i), \ldots, \zeta_S(i)),\ G_{C_j,A_j},\ SK_{C_j,A_j,i})\big)
\]
By Equation 2, this is the same as
\[
\mathrm{OneQFE.Sim}\big(MPK_i, (\eta_j(i),\ G_{C_j,A_j},\ SK_{C_j,A_j,i})\big)
\]
which is the distribution of $CT_i$ in Game 2.

Case 2: Assume $j > q^*$. Then:

• $CT_i \leftarrow \mathrm{OneQFE.Sim}(MPK_i, \emptyset)$ and

• $SK_{C_j,A_j,i} \leftarrow \mathrm{OneQFE.Sim}(MSK_i, (\eta_j(i), G_{C_j,A_j}))$

Similarly, by Equation 2 and by the security of the underlying one-query FE scheme, this simulated pair of ciphertext and secret key is indistinguishable from the real one. □

Claim  5.1.3.  The  outputs  of  Game  2  and  Game  3  are  identically  distributed. 

Proof. In Game 2, the polynomials $\mu_1, \ldots, \mu_\ell$ are chosen with constant terms $x_1, \ldots, x_\ell$, respectively. In Game 3, these polynomials are instead chosen with constant term 0. This only affects the distribution of $\mu_1, \ldots, \mu_\ell$ themselves and of the polynomials $\zeta_1, \ldots, \zeta_S$. Moreover, only the evaluations of these polynomials on the points in $I$ affect the outputs of the games. Now observe that:

• The distributions of the values $\{\mu_1(i), \ldots, \mu_\ell(i)\}_{i \in I}$ are identical in Games 2 and 3. This is because in both games we choose these polynomials to be random degree-$t$ polynomials (with different constraints on the constant term), so their evaluations on the points in $I$ are identically distributed, since $|I| < t$.

• The values $\{\zeta_1(i), \ldots, \zeta_S(i)\}_{i \in I}$ depend only on the values $\{\mu_1(i), \ldots, \mu_\ell(i)\}_{i \in I}$.

The claim follows readily from combining these observations. □
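The first observation above rests on a standard fact about polynomial secret sharing: a random degree-$t$ polynomial with a prescribed constant term, evaluated on at most $t$ non-zero points, has the same joint distribution of evaluations whatever the constant term is (the proof only needs the weaker bound $|I| < t$). The Python example below is added here and is not part of the report; it checks the fact by exhaustive enumeration over a small prime field, and also exhibits the boundary case where $t+1$ evaluation points determine the constant term. The field size $p$, the degree $t$, the secret $x$ and the evaluation sets are toy values chosen for the example.

```python
"""Exhaustive check of the secret-sharing fact behind Claim 5.1.3.

Added example (not from the report).  Over the prime field F_p we enumerate
every polynomial mu of degree <= t with a fixed constant term and tabulate
the joint distribution of (mu(i))_{i in I} for a set I of non-zero points.
With |I| <= t the table for constant term x equals the table for constant
term 0, which is what the proof uses; with |I| = t + 1 the evaluations
determine mu(0) and the two tables are disjoint.
"""
from collections import Counter
from itertools import product


def eval_poly(coeffs, point, p):
    """Evaluate coeffs[0] + coeffs[1]*X + ... + coeffs[t]*X^t at `point` mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * point + c) % p
    return acc


def evaluation_distribution(p, t, constant, points):
    """Joint distribution of (mu(i))_{i in points} over all degree-<=t
    polynomials mu over F_p with mu(0) = constant.

    Returns a Counter mapping each evaluation tuple to the number of the
    p^t polynomials that produce it (the exact distribution, unnormalised)."""
    if any(i % p == 0 for i in points):
        raise ValueError("evaluation points must be non-zero mod p")
    dist = Counter()
    for tail in product(range(p), repeat=t):  # coefficients of X^1 .. X^t
        coeffs = (constant % p,) + tail
        dist[tuple(eval_poly(coeffs, i, p) for i in points)] += 1
    return dist


def same_distribution(p, t, x, points):
    """True iff the evaluations on `points` hide the constant term (x vs 0)."""
    return evaluation_distribution(p, t, x, points) == evaluation_distribution(p, t, 0, points)


def is_uniform(dist, p, t):
    """With k <= t distinct non-zero points every tuple in F_p^k occurs
    exactly p^(t-k) times, i.e. the evaluations are uniform."""
    k = len(next(iter(dist)))
    return len(dist) == p ** k and set(dist.values()) == {p ** (t - k)}


if __name__ == "__main__":
    # Toy parameters (constructed for the example): F_5, degree t = 2, secret x = 3.
    print(same_distribution(5, 2, 3, (1, 2)))       # two points <= t: hidden
    print(is_uniform(evaluation_distribution(5, 2, 3, (1, 2)), 5, 2))
    print(same_distribution(5, 2, 3, (1, 2, 3)))    # three points = t + 1: revealed
```

Running the block with the toy parameters prints `True`, `True`, `False`: two evaluation points of a degree-2 polynomial are uniform over $\mathbb{F}_5^2$ regardless of the secret, while a third point pins the polynomial down, including its constant term.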

6 A Bootstrapping Theorem for Functional Encryption

In this section, we show a "bootstrapping-type" theorem for functional encryption (FE). In a nutshell, this shows how to take a $q$-query functional encryption scheme for "bounded degree" circuits and transform it into a $q$-query functional encryption scheme for arbitrary polynomial-size circuits. The transformation relies on the existence of a pseudorandom generator (PRG) that stretches the seed by a constant factor and can be computed by circuits of degree $\mathrm{poly}(\kappa)$. This is a relatively mild assumption; in particular, it is implied by most concrete intractability assumptions commonly used in cryptography, such as those related to factoring, discrete logarithm, or lattice problems.

At a high level, the idea is this: Suppose we wish to construct an FE scheme for a family $\mathcal{C}$ of polynomial-size circuits. Let $C \in \mathcal{C}$ and let $x$ be some input. Then, let $\tilde{C}(x; R)$ denote a randomized encoding of $C$ that is computable by a constant-depth circuit with respect to the inputs $x$ and $R$. By [AIK06, Theorem 4.14], we know that assuming the existence of a pseudo-random generator in $\oplus L/\mathrm{poly}$, such a randomized encoding exists for every polynomial-size circuit $C$.

Consider a new family of circuits $\mathcal{G}$ defined as follows:
\[
G_{C,A}(x, R_1, \ldots, R_S) := \tilde{C}\Big(x;\ \bigoplus_{a \in A} R_a\Big)
\]
Observe the following:

• Since for any $C$, $\tilde{C}(\cdot\,;\cdot)$ is computable by a constant-depth circuit, $G_{C,A}(\cdot\,;\cdot)$ is computable by a constant-degree polynomial. Using the result of the previous section, we have a $q$-AD-SIM-secure FE scheme for $\mathcal{G}$.

• Given a functional encryption scheme for $\mathcal{G}$, it is easy to construct one for $\mathcal{C}$. Decryption works by first recovering the output of $G_{C,A}$ and then applying the decoder for the randomized encoding.

• Informally, 1-AD-SIM-security follows from the fact that the ciphertext together with the secret key reveals only the output of $\tilde{C}(x)$, which in turn reveals no more information than $C(x)$. More formally, given $C(x)$, we can simulate $\tilde{C}(x)$ and then the ciphertext, using first the simulator for the randomized encoding and then that for the underlying FE scheme.

• The role of the subset $A$ is similar to that in the preceding construction: to "rerandomize" the randomness used in $G$, which is necessary to achieve $q$-AD-SIM-security.

Functional Encryption Scheme for $\mathcal{C}$. Let (BdFE.Setup, BdFE.Keygen, BdFE.Enc, BdFE.Dec) be a $q$-AD-SIM-secure scheme for $\mathcal{G}$, with a simulator BdFE.Sim. We construct an encryption scheme (FE.Setup, FE.Keygen, FE.Enc, FE.Dec) for $\mathcal{C}$ (which takes parameters $S, v$ as before) as follows.

• Setup FE.Setup$(1^\kappa)$: Run the bounded FE setup algorithm to generate a master public-key/secret-key pair $(MPK, MSK) \leftarrow \mathrm{BdFE.Setup}(1^\kappa)$.

• Key Generation FE.Keygen$(MSK, C)$: On input the master secret key $MSK$ and a circuit $C \in \mathcal{C}$, do the following:

1. Choose a uniformly random set $A \subseteq [S]$ of size $v$;

2. Generate the secret key $SK_{C,A} \leftarrow \mathrm{BdFE.Keygen}(MSK, G_{C,A})$.

Output as secret key $SK_C := (A, SK_{C,A})$.

• Encryption FE.Enc$(MPK, x)$: On input the master public key $MPK$ and an input message $x \in X$, do the following:

1. For $i = 1, 2, \ldots, S$, choose uniformly random $R_i \leftarrow \{0,1\}^r$.

2. Run the bounded-degree encryption algorithm BdFE.Enc to produce a ciphertext
\[
CT \leftarrow \mathrm{BdFE.Enc}(MPK, (x, R_1, \ldots, R_S))
\]
Output $CT$ as the ciphertext.

• Decryption FE.Dec$(SK_C, CT)$: On input a secret key $SK_C$ and a ciphertext $CT$,

– Run the bounded FE decryption algorithm to get $\tilde{y} \leftarrow \mathrm{BdFE.Dec}(SK_{C,A}, CT)$.

– Run the randomized encoding decoder on $\tilde{y}$ to get the output $y \leftarrow \mathrm{RE.Decode}(\tilde{y})$.

6.0.1 Correctness

We first show correctness of the scheme FE. Given a secret key $SK_C$ and a ciphertext $CT \leftarrow \mathrm{FE.Enc}(MPK, x)$, the decryption algorithm computes
\[
\tilde{y} = \mathrm{BdFE.Dec}(SK_{C,A}, CT) = G_{C,A}(x, R_1, \ldots, R_S) = \tilde{C}\Big(x;\ \bigoplus_{a \in A} R_a\Big)
\]
Running RE.Decode on this returns $y = C(x)$, by the correctness of the randomized encoding scheme.
Bootstrapping for Unbounded Queries. Although the transformation above assumes knowledge of $q$ (the bound on the number of secret key queries of the adversary), we can generalize it to work for unbounded queries as follows. Essentially, the idea is to generate fresh (computational) randomness for each randomized encoding using a pseudo-random function.

In particular, let $\{\mathrm{prf}_s\}_{s \in \{0,1\}^\kappa}$ be a circuit family of weak pseudo-random functions. Consider a new circuit family $\mathcal{G}$ that works in the following way:
\[
G_{C,R}(x, s) := \tilde{C}\big(x;\ \mathrm{prf}_s(R)\big)
\]
Then, essentially the same construction as above works as a way to bootstrap an FE scheme for arbitrary circuits from FE schemes for circuits that can compute the weak PRF followed by the randomized encoding. Assuming the existence of weak PRFs and PRGs that can be computed by circuits of degree $\mathrm{poly}(\kappa)$, we then obtain functional encryption schemes for arbitrary circuits. Note that by [AGVW12] it is impossible to achieve functional encryption for PRFs under NA-SIM-security for unbounded queries. However, constructions secure under a weaker security definition (for example, indistinguishability) are still open.

6.1  Proof  of  Security 

Theorem 6.1. Let BdFE be a $q$-AD-SIM-secure (resp. $q$-NA-SIM-secure) functional encryption scheme for any family of circuits computable in NC1. Then, for any family $\mathcal{C}$ of polynomial-size circuits, the FE scheme described above is $q$-AD-SIM-secure (resp. $q$-NA-SIM-secure).

We prove that the construction FE given in Section 6 is $q$-AD-SIM-secure if we start out with a $q$-AD-SIM-secure scheme. This subsumes the non-adaptive variant of the proof.

Proof overview. Suppose the adversary sees $q^*$ queries before seeing the ciphertext. The simulator has to simulate the ciphertext and answer the remaining secret key queries. We may again assume that the simulator knows all of $\Delta_1, \ldots, \Delta_q, A_1, \ldots, A_q$.

Simulating the ciphertext. The simulator gets $\{C_j(x), C_j, SK_{C_j}\}_{j \in [q^*]}$ and outputs:
\[
CT \leftarrow \mathrm{BdFE.Sim}\big(MPK, \{\mathrm{RE.Sim}(C_j(x)),\ G_{C_j,A_j},\ SK_{C_j,A_j}\}_{j \in [q^*]}\big)
\]
with fresh independent randomness for each of the $q^*$ invocations of RE.Sim.

Simulating secret key $SK_{C_j}$ for $j > q^*$. Here, the simulator gets $MSK$ and $C_j(x), C_j$ and needs to simulate $SK_{C_j} := (A_j, SK_{C_j,A_j})$. It proceeds as follows:

1. Picks $\tilde{y}_j \leftarrow \mathrm{RE.Sim}(C_j(x))$.

2. Runs $\mathrm{BdFE.Sim}(MSK, (\tilde{y}_j, G_{C_j,A_j}))$ to obtain $SK_{C_j,A_j}$, so that $CT$ decrypts to $\tilde{y}_j$.

Output $SK_{C_j} = (A_j, SK_{C_j,A_j})$.

Details. We establish security via a series of Games, where the last Game corresponds to the simulator described above.
Game 0. Normal encryption.

Game 1. We modify the distribution of the ciphertext to use BdFE.Sim as in the static case, for both the ciphertext and the secret-key queries after the adversary sees the ciphertext. That is,
\[
CT \leftarrow \mathrm{BdFE.Sim}\big(MPK, \{G_{C_j,A_j}(x; R_1, \ldots, R_S),\ G_{C_j,A_j},\ SK_{C_j,A_j}\}_{j \in [q^*]}\big)
\]
Moreover, for $j > q^*$, it

1. Picks $\tilde{y}_j \leftarrow G_{C_j,A_j}(x; R_1, \ldots, R_S)$.

2. Runs $\mathrm{BdFE.Sim}(MSK, (\tilde{y}_j, G_{C_j,A_j}))$ to obtain $SK_{C_j,A_j}$, so that $CT$ decrypts to $\tilde{y}_j$.

Output $SK_{C_j} = (A_j, SK_{C_j,A_j})$.

Game 2. We replace $\{\bigoplus_{a \in A_j} R_a\}_{j \in [q]}$ with $\{R'_j\}_{j \in [q]}$, where for each $j$:
\[
G_{C_j,A_j}(x; R_1, \ldots, R_S) := \tilde{C}_j\Big(x;\ \bigoplus_{a \in A_j} R_a\Big)
\]
Game 3. The output of the simulator (that is, switch to using RE.Sim).

Claim 6.1.1. The outputs of Game 0 and Game 1 are computationally indistinguishable.

Proof. This follows readily from $q$-AD-SIM-security of the underlying FE scheme. □

Claim 6.1.2. The outputs of Game 1 and Game 2 are identically distributed.

Proof. By cover-freeness of $A_1, \ldots, A_q$, we have that
\[
\Big\{\bigoplus_{a \in A_j} R_a\Big\}_{j \in [q]} \quad \text{and} \quad \{R'_j\}_{j \in [q]}
\]
are identically distributed. □

Claim 6.1.3. The outputs of Game 2 and Game 3 are computationally indistinguishable.

Proof. This follows readily from a hybrid argument and the security of the randomized encoding scheme, which says that for each $j = 1, \ldots, q$:
\[
\tilde{C}_j(x; R'_j) \quad \text{and} \quad \mathrm{RE.Sim}(C_j(x))
\]
are computationally indistinguishable. □
7 Yet Another Bootstrapping Theorem Using FHE

We show a bootstrapping theorem that transforms a $q$-query FE scheme supporting NC1 circuits into a $q$-query FE scheme for arbitrary polynomial-size circuits using, in addition, a fully homomorphic encryption scheme [Gen09, BV11]. Intuitively, the construction can be viewed as follows: we reduce functional encryption for a circuit $C$ to one for the decryption algorithm of a fully homomorphic encryption scheme, which is computable in NC1. Putting this together with the $q$-query NC1 circuit scheme from Section 5 gives us Theorem 7.1.

First, we need a generalization of the construction for NC1 circuits from Section 5. Assume that the message is split into a public part and a secret part. Then, the key observation is that the construction from Section 5 works for any circuit $C$ which is computable in NC1 in the variables of the secret part. The rationale for this is the same as that used to obtain a predicate encryption with public index from the scheme in Section 5.

We show the following theorem:

Theorem 7.1. Let BdFE be a $q$-query FE scheme which works for any NC1 circuit, and let FHE be a semantically secure fully homomorphic encryption scheme whose decryption algorithm $\mathrm{FHE.Dec}(SK, ct)$ can be implemented by an NC1 circuit in the secret key. Then, for any family of poly-size circuits $\mathcal{C}$ there exists a $q$-query FE scheme FE = (FE.Setup, FE.Keygen, FE.Enc, FE.Dec).

Furthermore, if BdFE is $q$-NA-SIM-secure (resp. $q$-AD-SIM-secure), then so is FE.

All of the recent fully homomorphic encryption schemes have decryption algorithms computable in NC1. Putting these together, we get $q$-bounded FE schemes under the "learning with errors" and the "ring learning with errors" assumptions (together with certain circular security assumptions) [BV11].

Let $\mathcal{C}$ be an arbitrary polynomial-size circuit family. Our construction uses the following components:

• An Inner Encryption Scheme: Let FHE = (FHE.Keygen, FHE.Enc, FHE.Eval, FHE.Dec) be a fully homomorphic encryption scheme where the decryption algorithm FHE.Dec can be implemented by an NC1 circuit in the secret key.

• An Outer Encryption Scheme: Let BdFE = (BdFE.Setup, BdFE.Keygen, BdFE.Enc, BdFE.Dec) be a $q$-query functional encryption scheme for the family $\mathcal{G}$ of circuits that are computable by NC1 circuits in their secret input, defined as follows:
\[
G_C(ct, SK) := \big[ct,\ \mathrm{FHE.Dec}(SK, \mathrm{FHE.Eval}(C, ct))\big]
\]
Note that although $\mathcal{G}$ has circuits that are at least as large as those for $\mathcal{C}$, all we are interested in is its degree in the secret input, namely $SK$.

Our $q$-query secure encryption scheme (FE.Setup, FE.Keygen, FE.Enc, FE.Dec) for $\mathcal{C}$ works as follows.

• Setup FE.Setup$(1^\kappa)$: Run the bounded FE setup algorithm to generate a master public-key/secret-key pair:
\[
(MPK, MSK) \leftarrow \mathrm{BdFE.Setup}(1^\kappa)
\]
• Key Generation FE.Keygen$(MSK, C)$: On input the master secret key $MSK$ and a circuit $C \in \mathcal{C}$, run the bounded FE key generation algorithm to generate a secret key
\[
SK_C \leftarrow \mathrm{BdFE.Keygen}(MSK, G_C)
\]
for the circuit $G_C$.

• Encryption FE.Enc$(MPK, x)$: On input the master public key $MPK$ and an input message $x \in X$:

1. Choose a uniformly random public-key/secret-key pair for the fully homomorphic encryption scheme FHE by running
\[
(PK, SK) \leftarrow \mathrm{FHE.Keygen}(1^\kappa)
\]
2. Encrypt the input message $x$ using the FHE encryption algorithm
\[
ct \leftarrow \mathrm{FHE.Enc}(PK, x)
\]
3. Run the bounded FE encryption algorithm to encrypt the ciphertext $ct$ together with the fully homomorphic secret key $SK$:
\[
CT \leftarrow \mathrm{BdFE.Enc}(MPK, (ct, SK))
\]
Output $CT$ as the ciphertext.

• Decryption FE.Dec$(SK_C, CT)$: On input a secret key $SK_C$ and a ciphertext $CT$, run the bounded FE decryption algorithm to get $[ct, y] \leftarrow \mathrm{BdFE.Dec}(SK_C, CT)$, and output $[ct, y]$.

7.0.1 Correctness and Security

We first show correctness of the scheme FE. Given a secret key $SK_C$ and a ciphertext $CT \leftarrow \mathrm{FE.Enc}(MPK, x)$, the decryption algorithm computes
\[
\begin{aligned}
[ct, y] &= \mathrm{BdFE.Dec}(SK_C, CT) \\
&= \mathrm{BdFE.Dec}(SK_C, \mathrm{BdFE.Enc}(MPK, (ct, SK))) \qquad \text{(where } ct \leftarrow \mathrm{FHE.Enc}(PK, x)\text{)} \\
&= G_C(ct, SK) \\
&= [ct,\ \mathrm{FHE.Dec}(SK, \mathrm{FHE.Eval}(C, ct))] \\
&= [ct,\ C(x)]
\end{aligned}
\]
We establish security via a series of Games. The simulator is described in Game 2.

Game 0. Normal encryption.

Game 1. Run the $q$-query simulator on input $\big([ct \leftarrow \mathrm{FHE.Enc}(PK, x),\ C_i(x)],\ G_{C_i},\ SK_i\big)_{i=1}^{n}$, where $n \le q$ is the number of oracle queries made to BdFE.Keygen.

Game 2. Run the $q$-query simulator on input $\big([ct \leftarrow \mathrm{FHE.Enc}(PK, 0),\ C_i(x)],\ G_{C_i},\ SK_i\big)_{i=1}^{n}$, where $n \le q$ is the number of oracle queries made to BdFE.Keygen.
A Relations between Definitions of Functional Encryption

In this section, we first describe simulation-based and indistinguishability-based definitions for many-message functional encryption, largely based on the recent works of Boneh, Sahai and Waters [BSW11] and O'Neill [O'N10]. We then go on to show relations between various flavors of these definitions.

A.1 A Simulation-based Definition

Definition A.1 (NA-SIM- and AD-SIM-Security). Let FE be a functional encryption scheme for a circuit family $\mathcal{C} = \{\mathcal{C}_\kappa : X_\kappa \to Y_\kappa\}_{\kappa \in \mathbb{N}}$. For every p.p.t. adversary $A = (A_1, A_2)$ and p.p.t. simulator $S = (S_1, S_2)$, consider the following two experiments:


$\mathrm{Exp}^{\mathrm{real}}_{FE,A}(1^\kappa)$:

1: $(MPK, MSK) \leftarrow \mathrm{FE.Setup}(1^\kappa)$

2: $(x_1, \ldots, x_\ell, st) \leftarrow A_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$

3: $CT_i \leftarrow \mathrm{FE.Enc}(MPK, x_i)$ for all $i \in [\ell]$

4: $\alpha \leftarrow A_2^{O(MSK,\cdot)}(MPK, CT_1, \ldots, CT_\ell, st)$

5: Output $(\alpha, x_1, \ldots, x_\ell)$

$\mathrm{Exp}^{\mathrm{ideal}}_{FE,S}(1^\kappa)$:

1: $(MPK, MSK) \leftarrow \mathrm{FE.Setup}(1^\kappa)$

2: $(x_1, \ldots, x_\ell, st) \leftarrow A_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$

► Let $(C_1, \ldots, C_q)$ be $A_1$'s oracle queries

► Let $SK_i$ be the oracle reply to $C_i$

► Let $V := \{y_{i,j} = C_i(x_j),\ C_i,\ SK_i\}$.

3: $(CT_1, \ldots, CT_\ell, st') \leftarrow S_1(MPK, V, 1^{\ldots})$

4: $\alpha \leftarrow A_2^{O'(MSK, st', \cdot)}(MPK, CT_1, \ldots, CT_\ell, st)$

5: Output $(\alpha, x_1, \ldots, x_\ell)$

We distinguish between two cases of the above experiment:

1. The adaptive case, where:

• the oracle $O(MSK, \cdot) = \mathrm{FE.Keygen}(MSK, \cdot)$ and

• the oracle $O'(MSK, st', \cdot)$ is the second stage of the simulator, namely $S_2^{U_x(\cdot)}(MSK, st', \cdot)$, where $U_x(C) = C(x)$ for any $C \in \mathcal{C}$.

The simulator algorithm $S_2$ is stateful in that after each invocation, it updates the state $st'$, which is carried over to its next invocation. We call a simulator algorithm $S = (S_1, S_2)$ admissible if, on each input $C$, $S_2$ makes just a single query to its oracle $U_x(\cdot)$ on $C$ itself.

The functional encryption scheme FE is then said to be $(q, \mathrm{many})$-simulation-secure for many messages against adaptive adversaries ($(q, \mathrm{many})$-AD-SIM-secure, for short) if there is an admissible p.p.t. simulator $S = (S_1, S_2)$ such that for every polynomial function $\ell = \ell(\kappa)$ and for every p.p.t. adversary $A = (A_1, A_2)$ that makes at most $q$ queries, the following two distributions are computationally indistinguishable:
\[
\big\{\mathrm{Exp}^{\mathrm{real}}_{FE,A}(1^\kappa)\big\}_{\kappa \in \mathbb{N}} \approx \big\{\mathrm{Exp}^{\mathrm{ideal}}_{FE,S}(1^\kappa)\big\}_{\kappa \in \mathbb{N}}
\]
In the special case where $\ell(\kappa) = 1$, we will call the scheme $(q, \mathrm{one})$-AD-SIM-secure.

2. The non-adaptive case, where the oracles $O(MSK, \cdot)$ and $O'(MSK, st', \cdot)$ are both the "empty oracles" that return nothing: the functional encryption scheme FE is then said to be $(q, \mathrm{many})$-query simulation-secure for many messages against non-adaptive adversaries ($(q, \mathrm{many})$-NA-SIM-secure, for short) if there is a p.p.t. simulator $S = (S_1, \bot)$ such that for every polynomial function $\ell = \ell(\kappa)$ and for every p.p.t. adversary $A = (A_1, A_2)$ that makes at most $q$ queries, the two distributions above are computationally indistinguishable. In the special case where $\ell(\kappa) = 1$, we will call the scheme $(q, \mathrm{one})$-NA-SIM-secure.

Note that this definition is the generalization of the one presented in Section 3 to the case where the adversary receives multiple ciphertexts. Intuitively, the above security definition states that whatever information the adversary is able to learn from the ciphertexts and secret keys can be obtained by a simulator from the secret keys and the outputs of the functionality on the messages only.

We remark that our definitions imply (and are stronger than) those presented in the work of Boneh, Sahai and Waters [BSW11]. More formally, for the adaptive variant we can instantiate the [BSW11] simulator $(\mathrm{Sim}_1, \mathrm{Sim}_O, \mathrm{Sim}_2)$ as follows.

1. $\mathrm{Sim}_1$ runs FE.Setup and sets $pp := MPK$, $\sigma := MSK$.

2. $\mathrm{Sim}_O$ runs the FE.Keygen algorithm on $MSK$ and updates $\sigma$ to include all oracle queries and replies $(C_i, SK_i)$.

3. $\mathrm{Sim}_2$ computes $y_i = U_x(C_i)$ for all $C_i$ using its oracle. Next, it runs our simulator $S_1(MPK, \{y_i, C_i, SK_i\})$ to obtain the ciphertext $CT$. It invokes $A^O$ on the ciphertext, and on any FE.Keygen call it uses our $S_2$ to obtain a secret key. Finally, it outputs the same $\alpha$ as $A^O$. The non-adaptive variant follows similarly.

A.2 An Indistinguishability-Based Definition

Definition A.2 (NA-IND- and AD-IND-Security). Let FE be a functional encryption scheme for a circuit family $\mathcal{C} = \{\mathcal{C}_\kappa : X_\kappa \to Y_\kappa\}_{\kappa \in \mathbb{N}}$. For every function $\ell = \ell(\kappa)$ and every p.p.t. adversary $A = (A_1, A_2)$, consider the following two experiments:

$\mathrm{Exp}^{(0)}_{FE,A}(1^\kappa)$:

1: $(MPK, MSK) \leftarrow \mathrm{FE.Setup}(1^\kappa)$

2: $(x_0, x_1, st) \leftarrow A_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$

► where $x_0 = (x_0[1], \ldots, x_0[\ell])$

► and $x_1 = (x_1[1], \ldots, x_1[\ell])$

3: $CT_i \leftarrow \mathrm{FE.Enc}(MPK, x_0[i])$ for all $i \in [\ell]$

4: $b \leftarrow A_2^{O(MSK,\cdot)}(MPK, CT_1, \ldots, CT_\ell, st)$

5: Output $b$

$\mathrm{Exp}^{(1)}_{FE,A}(1^\kappa)$:

1: $(MPK, MSK) \leftarrow \mathrm{FE.Setup}(1^\kappa)$

2: $(x_0, x_1, st) \leftarrow A_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$

► where $x_0 = (x_0[1], \ldots, x_0[\ell])$

► and $x_1 = (x_1[1], \ldots, x_1[\ell])$

3: $CT_i \leftarrow \mathrm{FE.Enc}(MPK, x_1[i])$ for all $i \in [\ell]$

4: $b \leftarrow A_2^{O(MSK,\cdot)}(MPK, CT_1, \ldots, CT_\ell, st)$

5: Output $b$

Define an admissible adversary $A = (A_1, A_2)$ as one which makes at most $q$ oracle queries and for which $C(x_0[i]) = C(x_1[i])$ for each query $C$ and every $i \in [\ell]$. We distinguish between two cases of the above experiment:

1. The adaptive case, where the oracle $O(MSK, \cdot) = \mathrm{FE.Keygen}(MSK, \cdot)$; the functional encryption scheme FE is said to be indistinguishable-secure for many messages against adaptive adversaries ($(q, \mathrm{many})$-AD-IND-secure, for short) if for every polynomial function $\ell = \ell(\kappa)$ and every admissible p.p.t. adversary $A = (A_1, A_2)$, the advantage of $A$ defined below is negligible in the security parameter $\kappa$:
\[
\mathrm{Adv}_{FE,\ell,A}(1^\kappa) := \Big|\Pr\big[\mathrm{Exp}^{(0)}_{FE,A}(1^\kappa) = 1\big] - \Pr\big[\mathrm{Exp}^{(1)}_{FE,A}(1^\kappa) = 1\big]\Big|
\]
where the probability is over the random coins of the algorithms of the scheme FE and those of $A$. In the special case where $\ell(\kappa) = 1$, we will call the scheme $(q, \mathrm{one})$-AD-IND-secure.

2. The non-adaptive case, where the oracle $O(MSK, \cdot)$ is the "empty oracle" that returns nothing: the functional encryption scheme FE is said to be indistinguishable-secure for many messages against non-adaptive adversaries ($(q, \mathrm{many})$-NA-IND-secure, for short) if for every polynomial function $\ell = \ell(\kappa)$ and every admissible p.p.t. adversary $A = (A_1, A_2)$, the advantage of $A$ defined above is negligible in the security parameter $\kappa$.

In the special case where $\ell(\kappa) = 1$, we will call the scheme $(q, \mathrm{one})$-NA-IND-secure.

Note that this definition is identical to the definitions presented in [BSW11] and [O'N10], except that they define it for a single message only.

A.3 Relations Between Definitions

In this section, we prove the following relations between the definitions.

• Non-adaptive Definitions: When considering non-adaptive definitions (namely, where the adversary is constrained to making secret key queries only before receiving the challenge ciphertext), we show that one-message definitions are equivalent to many-message definitions, both in the indistinguishability and the simulation worlds.

Put together, this shows that it is sufficient to prove security for one message in the simulation sense, which is precisely what we will do for our schemes.
[Figure 1 is a diagram whose arrows are not recoverable from the extracted text. Panel "The Non-Adaptive World": nodes NA-SIM_one, NA-SIM, NA-IND_one, NA-IND, with edges labelled Theorem A.1, Theorem A.3, [BSW11] and [O'N10]¹. Panel "The Adaptive World": nodes AD-SIM_one, AD-SIM², AD-IND_one, AD-IND, with edges labelled Theorem A.3 and [BSW11].]

Figure 1: Relations between definitions of functional encryption in the non-adaptive and adaptive flavors. Regular blue arrows indicate an implication between the definitions, and a red arrow with a cross on it indicates a separation. The citations for all non-trivial implications and separations are also shown. Note that we omit writing $q$ in the abbreviations above (i.e. AD-SIM = $(q, \mathrm{many})$-AD-SIM, AD-SIM_one = $(q, \mathrm{one})$-AD-SIM; similarly for the rest of the abbreviations.)


• Adaptive Definitions: When considering adaptive definitions (namely, where the adversary is allowed to make secret key queries after receiving the challenge ciphertext), we show that for any $q$, $(q, \mathrm{one})$-AD-SIM implies $(q, \mathrm{one})$-AD-IND, which is equivalent to $(q, \mathrm{many})$-AD-IND. We also construct a functional encryption scheme and prove it secure under the $(q, \mathrm{one})$-AD-SIM definition. Therefore, from the work of Boneh et al. [BSW11] we can conclude that $(q, \mathrm{one})$-AD-SIM does not imply $(q, \mathrm{many})$-AD-SIM.

These relationships are summarized in Figure 1.

Theorem A.1. Let FE be a $(q, \mathrm{one})$-NA-SIM-secure functional encryption scheme for a circuit family $\mathcal{C}$. Then, FE is also $(q, \mathrm{many})$-NA-SIM-secure.

Proof. Let $S_1$ be the single-message p.p.t. simulator. We construct a p.p.t. simulator $S_m$. Intuitively, the multiple-message simulator will just invoke the single-message simulator many times. Then, using the standard hybrid argument we can conclude that it produces output indistinguishable from the real one. Let $\ell = \ell(\kappa)$ be an arbitrary polynomial function and let $A = (A_1, A_2)$ be an arbitrary p.p.t. adversary.

On input $(MPK, \{y_{i,j} = C_i(x_j), C_i, SK_i\})$ the simulator $S_m$ proceeds as follows: For each $j$, let
\[
V_j := \{y_{i,j} = C_i(x_j),\ C_i,\ SK_i\}_{i \in [q]}
\]

¹ This proof was not explicitly given in [O'N10], but a similar proof for single-message definitions can be easily extended.

² General functional encryption for this definition was shown impossible in [BSW11] when the adversary makes just 2 FE.Keygen calls (2-bounded collusion). Since we show a secure construction satisfying AD-SIM_one, this implication follows.
The simulator computes and outputs the ciphertexts¹:
\[
(CT_1, \ldots, CT_\ell), \quad \text{where } CT_j \leftarrow S_1(MPK, V_j)
\]
Now, let $D$ be the distinguisher between the real and ideal experiments. Then, by the hybrid argument $D$ can distinguish between the experiments where $A_2$ is given
\[
(CT^r_1, \ldots, CT^r_{i-1}, CT^s_i, \ldots, CT^s_\ell) \quad \text{vs} \quad (CT^r_1, \ldots, CT^r_i, CT^s_{i+1}, \ldots, CT^s_\ell)
\]
for some $i$, where the $CT^r$'s and $CT^s$'s correspond to the real and simulated ciphertexts, respectively.

We now construct a single-message adversary $B = (B_1, B_2)$ and a distinguisher $D'$ as follows:

1. $B_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$ runs $A_1$ and replies to its oracle queries appropriately to get $(x_1, \ldots, x_\ell, st)$. It outputs
\[
\big(x_i,\ st' := (x_1, \ldots, x_{i-1}, x_{i+1}, \ldots, x_\ell,\ st,\ (C_j, SK_j)_{j \in [q]})\big)
\]
2. $B_2(MPK, CT, st')$ first runs the real encryption algorithm on input messages $x_1, \ldots, x_{i-1}$ to obtain $CT^r_1, \ldots, CT^r_{i-1}$. Then, for all $j \ge i+1$ it sets
\[
V_j := \{y_{i,j} = C_i(x_j),\ C_i,\ SK_i\}_{i \in [q]}
\]
and runs the single-message simulator to get a ciphertext $CT^s_j \leftarrow S_1(MPK, V_j)$.

3. Finally, it invokes $A_2(MPK, CT^r_1, \ldots, CT^r_{i-1}, CT, CT^s_{i+1}, \ldots, CT^s_\ell)$ and outputs whatever it outputs.

4. The distinguisher $D'$ is the same as $D$.

We showed that if there exists a distinguisher for the many-message simulator, then we can break the security of the single-message simulator. This concludes the proof. □

Theorem A.2. Let FE be a $(q, \mathrm{one})$-AD-SIM-secure functional encryption scheme for a circuit family $\mathcal{C}$. Then, FE is also $(q, \mathrm{one})$-AD-IND-secure.

Proof. Let $A = (A_1, A_2)$ be an admissible adversary such that $\mathrm{Adv}_{FE,\ell,A}$ is non-negligible. We construct an adversary $B = (B_1, B_2)$ against $(q, \mathrm{one})$-AD-SIM-security.

• $B_1^{\mathrm{FE.Keygen}(MSK,\cdot)}(MPK)$: Run the adversary $A_1$ and reply to its oracle queries using its own oracle to obtain $(x_0, x_1, st)$. Output $(x_b,\ st' := (st, x_0, x_1))$, where $b \leftarrow \{0,1\}$.

• $B_2^{O(MSK, st', \cdot)}(MPK, CT, st')$: Run the adversary $A_2(MPK, CT, st)$, replying to its oracle queries using its own oracle, to obtain $b'$. Output $\alpha := (b', st')$.

¹ Note that this theorem does not extend to the adaptive definition. In particular, the proof breaks down even when trying to construct the multiple-message simulator to "forge" the secret keys $SK$.
Now, in the real experiment $b = b'$ with probability $1/2 + \epsilon$ for some noticeable $\epsilon$. In the ideal experiment, since the simulator is admissible, it must make the same oracle queries to $U_x(\cdot)$ as $B_2$ makes, which are the same queries as $A_2$ makes. Hence, it must be the case that $C_j(x_0) = C_j(x_1)$ for all $j$. Therefore, information-theoretically the simulator gets no information about the bit $b$ and hence cannot produce the corresponding ciphertext with probability better than $1/2$. Hence, we can distinguish between the ideal and real experiments. □

Theorem A.3. Let FE be a $(q, \mathrm{one})$-AD-IND/NA-IND-secure functional encryption scheme for a circuit family $\mathcal{C}$. Then, FE is also $(q, \mathrm{many})$-AD-IND/NA-IND-secure, respectively.

Proof. These proofs follow a standard hybrid argument. □

As a result, we focus on proving only $(q, \mathrm{one})$-NA-SIM and $(q, \mathrm{one})$-AD-SIM security for our constructions. For simplicity we denote these as $q$-NA-SIM- and $q$-AD-SIM-security.

B Probabilistic Proofs

B.1 Small Pairwise Intersection

Lemma B.1. Let $\Delta_1, \ldots, \Delta_q \subseteq [N]$ be randomly chosen subsets of size $tD+1$. Let $t = \Theta(q^2\kappa)$ and $N = \Theta(D^2 q^2 t)$. Then,
\[
\Pr\Big[\Big|\bigcup_{i \ne j} (\Delta_i \cap \Delta_j)\Big| < t\Big] = 1 - 2^{-\Omega(\kappa)}
\]
where the probability is over the random choice of the subsets $\Delta_1, \ldots, \Delta_q$.

Proof. For all $i, j \in [q]$ such that $i \ne j$, let $X_{i,j}$ be a random variable denoting the size of the intersection of $\Delta_i$ and $\Delta_j$. Let
\[
X = \sum_{i, j \in [q],\ i \ne j} X_{i,j}
\]
It is not hard to see that the $X_{i,j}$'s are independent random variables. By the linearity of expectation,
\[
E[X] = \sum_{i, j \in [q],\ i \ne j} E[X_{i,j}]
\]
Now, for a fixed set $\Delta_i$ and a randomly chosen $\Delta_j$, the size of the intersection of $\Delta_i$ and $\Delta_j$ follows a hypergeometric distribution, where $tD+1$ serves both as the number of success states and the number of trials, and $N$ is the population size. Therefore,
\[
E[X_{i,j}] = \frac{(tD+1)(tD+1)}{N} = \frac{(tD+1)^2}{N}
\]
Hence
\[
\mu := E[X] = \frac{q(q-1)(tD+1)^2}{N} \le \frac{10\, q^2 t^2 D^2}{N}
\]
By the Chernoff bound, for any $\alpha > 0$:
\[
\Pr[X \ge (1+\alpha)\mu] \le \ldots
\]
Setting $t = \Theta(q^2\kappa)$, $N = \Theta(D^2 q^2 t)$ gives us $\mu = \Theta(t) = \Theta(q^2\kappa)$. Applying the Chernoff bound,
\[
\Pr[X \ge t] = 2^{-\Omega(\kappa)}
\]
□


B.2  Cover- Freeness 


Lemma B.2. Let $A_1, \ldots, A_q \subseteq [S]$ be randomly chosen subsets of size $v$. Let $v(\kappa) = \Theta(\kappa)$ and $S(\kappa) = \Theta(v q^2)$. Then, for all $i \in [q]$,

$$\Pr\Big[A_i \setminus \Big(\bigcup_{j \neq i} A_j\Big) \neq \emptyset\Big] = 1 - 2^{-\Omega(\kappa)},$$

where the probability is over the random choice of the subsets $A_1, \ldots, A_q$.

Proof. Let $i \in [q]$ be arbitrary. Let $G := \bigcup_{j \neq i} A_j$. Clearly, $|G| \le (q - 1)v$. Let $X$ be the random variable denoting $|A_i \setminus G|$. Now,

$$|A_i \setminus G| = |A_i| - |A_i \cap G| = v - |A_i \cap G|.$$

Hence,

$$\mathbb{E}[X] = v - \mathbb{E}[|A_i \cap G|].$$

Now, $|A_i \cap G|$ follows a hypergeometric distribution with $|G| \le v(q - 1)$ success states, $v$ trials and population size $S$. Hence,

$$\mathbb{E}[|A_i \cap G|] = \frac{v\,|G|}{S} \le \frac{v^2 (q - 1)}{S}.$$

Therefore, $\mathbb{E}[X] \ge v - v^2(q - 1)/S$. Setting $v(\kappa) = \Theta(\kappa)$ and $S(\kappa) = \Theta(v q^2)$ we obtain that $\mu := \mathbb{E}[X] = \Theta(\kappa)$. By the Chernoff bound, for any $0 < \alpha < 1$:

$$\Pr[X < (1 - \alpha)\mu] \le \exp\!\Big(-\frac{\alpha^2 \mu}{2}\Big).$$

Applying it we obtain that $\Pr[X < (1 - \alpha)\mu] = 2^{-\Omega(\kappa)}$. Hence,

$$\Pr\Big[A_i \setminus \Big(\bigcup_{j \neq i} A_j\Big) \neq \emptyset\Big] = \Pr[X > 0] \ge \Pr[X \ge (1 - \alpha)\mu] = 1 - 2^{-\Omega(\kappa)}.$$


□ 
Abstract

In an attribute-based encryption (ABE) scheme, a ciphertext is associated with an $\ell$-bit public index ind and a message $m$, and a secret key is associated with a Boolean predicate $P$. The secret key allows one to decrypt the ciphertext and learn $m$ iff $P(\mathrm{ind}) = 1$. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext.

We  present  attribute-based  encryption  schemes  for  circuits  of  any  arbitrary  polynomial 
size,  where  the  public  parameters  and  the  ciphertext  grow  linearly  with  the  depth  of  the 
circuit.  Our  construction  is  secure  under  the  standard  learning  with  errors  (LWE)  assumption. 
Previous  constructions  of  attribute-based  encryption  were  for  Boolean  formulas,  captured  by 
the  complexity  class  NC1. 

In  the  course  of  our  construction,  we  present  a  new  framework  for  constructing  ABE 
schemes.  As  a  by-product  of  our  framework,  we  obtain  ABE  schemes  for  polynomial-size 
branching  programs,  corresponding  to  the  complexity  class  LOGSPACE,  under  quantitatively 
better  assumptions. 
1 Introduction


Attribute-based  encryption  [SW05,  GPSW06]  is  an  emerging  paradigm  for  public-key  encryption 
which  enables  fine-grained  control  of  access  to  encrypted  data.  In  traditional  public-key  encryption, 
access  to  the  encrypted  data  is  all  or  nothing:  given  the  secret  key,  one  can  decrypt  and  read  the 
entire  message,  but  without  it,  nothing  about  the  message  is  revealed  (other  than  its  length).  In 
attribute-based  encryption,  an  encryption  of  a  message  m  is  labeled  with  a  public  attribute  vector 
ind  (also  called  the  “index”),  and  secret  keys  are  associated  with  predicates  P.  A  secret  key  sk p 
decrypts  the  ciphertext  and  recovers  the  message  m  if  and  only  if  ind  satisfies  the  predicate,  namely 
if  and  only  if  P(ind)  =  1. 

Attribute-based encryption captures as a special case previous cryptographic notions such as identity-based encryption (IBE) [Sha84, BF01, Coc01] and fuzzy IBE [SW05]. It has also found applications in scenarios that demand complex policies to control access to encrypted data, as well as in designing cryptographic protocols for verifiably outsourcing computations [PRV12].

The  crucial  component  in  the  security  requirement  for  attribute-based  encryption  stipulates 
that  it  resists  collusion  attacks,  namely  any  group  of  users  collectively  learns  nothing  about  the 
message  m  if  none  of  them  is  individually  authorized  to  decrypt  the  ciphertext. 

In the past few years, there has been significant progress in attribute-based encryption in terms of efficiency, security guarantees, and diversifying security assumptions [GPSW06, Wat09, LW10, LOS+10, CHKP12, ABB10a, OT10]. On the other hand, little progress has been made in terms of supporting larger classes of predicates. The state of the art is Boolean formulas [GPSW06, LOS+10, OT10], which is a subclass of log-space computations. Constructing a secure attribute-based encryption for all polynomial-time predicates was posed as a central challenge by Boneh, Sahai and Waters [BSW11]. We resolve this problem affirmatively in this work.

2  Our  Contributions 

We construct attribute-based encryption schemes for circuits of every a-priori bounded depth, based on the learning with errors (LWE) assumption. In the course of our construction, we present a new framework for constructing attribute-based encryption schemes, based on a primitive that we call "two-to-one recoding" (TOR). Our methodology departs significantly from the current line of work on attribute-based encryption [GPSW06, LOS+10] and instead builds upon the connection to garbled circuits developed in the context of bounded collusions [SS10b, GVW12]. Along the way, we make the first substantial progress towards the 25-year-old open problem of constructing (fully) reusable garbled circuits. In a follow-up work, Goldwasser et al. [GKP+13] completely resolved this open problem; moreover, their construction relies crucially on our ABE scheme as an intermediate building block. More details follow.

2.1  Attribute-based  encryption 

For every class of predicate circuits with depth bounded by a polynomial function $d = d(\lambda)$ (where $\lambda$ is the security parameter), we construct an ABE scheme that supports this class of circuits, under the learning with errors (LWE) assumption. Informally, the (decisional) LWE problem [Reg09] asks to distinguish "noisy" random linear combinations of $n$ numbers $\mathbf{s} = (s_1, \ldots, s_n) \in \mathbb{Z}_q^n$ from uniformly random numbers over $\mathbb{Z}_q$.
Regev [Reg09] showed that solving the LWE problem on the average is as hard as (quantumly) solving several notoriously difficult lattice problems in the worst case. Since then, the LWE assumption has become a central fixture in cryptography. We now have a large body of work building cryptographic schemes under the LWE assumption, culminating in the construction of a fully homomorphic encryption scheme [BV11].

The key parameter that determines the hardness of LWE is the ratio between the modulus $q$ and the maximum absolute value of the noise $B$; as such, we refer to $q/B$ as the hardness factor of LWE. The problem becomes easier as this ratio grows, but is believed to be hard for $2^{n^\varepsilon}$-time algorithms when $q/B = 2^{O(n^\varepsilon)}$, where $0 < \varepsilon < 1/2$. Our results will hold as long as the latter holds for some constant $\varepsilon$.

In  particular,  we  show: 

Theorem 2.1 (informal). Assume that there is a constant $0 < \varepsilon < 1$ for which the LWE problem is hard for an $\exp(n^\varepsilon)$ factor in dimension $n$, for all large enough $n$. Then, for any polynomial $d$, there is a selectively secure attribute-based encryption scheme for general circuits of depth $d$.

Moreover, our scheme has succinct ciphertexts, in the sense that the ciphertext size depends polynomially on the depth $d$ and the length $\ell$ of the attribute vector ind, but not on the size of the circuits in the class. The construction as stated achieves the weaker notion of selective security, but we can easily obtain a fully secure scheme following [BB04] (using sub-exponential hardness in a crucial way):

Corollary 2.2. Assume that there is a constant $0 < \varepsilon < 1/2$ such that the LWE problem with a factor of $\exp(n^\varepsilon)$ is hard in dimension $n$ for $\exp(n^\varepsilon)$-time algorithms. Then, for any polynomial $d$, there is a fully secure attribute-based encryption scheme for general circuits of depth $d$.

We also obtain a new ABE scheme for branching programs (which correspond to the complexity class LOGSPACE) under the weaker quasi-polynomial hardness of LWE:

Theorem 2.3 (informal). There exist attribute-based encryption schemes for the class of branching programs under either (1) the hardness of the LWE problem with an $n^{\omega(1)}$ factor, or (2) the bilinear decisional Diffie-Hellman assumption.

Here, there is no a-priori bound on the size or the depth of the branching program. In addition, we achieve succinct ciphertexts of size $O(\ell)$, where $\ell$ is the number of bits in the index. Prior to this work, we only knew how to realize IBE and inner product encryption under $n^{O(1)}$-hardness of LWE [CHKP12, ABB10a, AFV11], whereas our bilinear construction is a different way to achieve the results of Goyal et al. [GPSW06], which uses secret sharing for general access structures. Our construction exploits a combinatorial property of branching programs to overcome limitations of previous approaches based on secret sharing for monotone formulas (cf. [ABV+12]). The construction is inspired by a pairings-based scheme for regular languages in [Wat12].

We  now  move  on  to  provide  a  technical  roadmap  of  our  construction:  first,  we  define  a  new 
primitive  that  we  call  a  two-to-one  recoding  (TOR)  scheme;  we  then  show  how  TOR  gives  us  an 
attribute-based  encryption  scheme  for  circuits,  and  how  to  construct  a  TOR  scheme  from  the  LWE 
assumption. 
2.2 New Framework: TOR


A Two-to-One Recoding (TOR) scheme is a family of (probabilistic) functions $\{\mathrm{Encode}(\mathrm{pk}, \cdot)\}$ indexed by pk, together with a "two-to-one" recoding mechanism. The basic computational security guarantee for $\mathrm{Encode}(\mathrm{pk}, \cdot)$ is that of (correlated) pseudorandomness [RS10]: $\mathrm{Encode}(\mathrm{pk}, s)$ should be pseudorandom given $\mathrm{Encode}(\mathrm{pk}_j, s)$ for polynomially many $\mathrm{pk}_j$'s, where $s$ is a uniformly random "seed".

The recoding mechanism guarantees that given any triple of public keys $(\mathrm{pk}_0, \mathrm{pk}_1, \mathrm{pk}_{\mathrm{tgt}})$, there is a recoding key rk that allows us to perform the transformation

$$(\mathrm{Encode}(\mathrm{pk}_0, s),\ \mathrm{Encode}(\mathrm{pk}_1, s)) \;\mapsto\; \mathrm{Encode}(\mathrm{pk}_{\mathrm{tgt}}, s).$$

Such a recoding key rk can be generated using either of the two secret keys $\mathrm{sk}_0$ or $\mathrm{sk}_1$. Furthermore, the recoding mechanism must satisfy a natural simulation requirement: namely, we can generate rk given just $\mathrm{pk}_0, \mathrm{pk}_1$ (and neither of the two secret keys), if we are allowed to "program" $\mathrm{pk}_{\mathrm{tgt}}$. That is, there are three ways of generating the pair $(\mathrm{pk}_{\mathrm{tgt}}, \mathrm{rk})$ that are (statistically) indistinguishable: (1) given $\mathrm{pk}_{\mathrm{tgt}}$, generate rk using the secret key $\mathrm{sk}_0$; (2) given $\mathrm{pk}_{\mathrm{tgt}}$, generate rk using the secret key $\mathrm{sk}_1$; and (3) generate rk without either secret key, by "programming" the output public key $\mathrm{pk}_{\mathrm{tgt}}$.

This requirement captures the intuitive guarantee that we expect from a two-to-one recoding mechanism: namely, the recoding key is "useless" given only one encoding, but not both encodings. For example, it is easy to see that given $\mathrm{Encode}(\mathrm{pk}_0, s)$ and rk (but not $\mathrm{Encode}(\mathrm{pk}_1, s)$), the output $\mathrm{Encode}(\mathrm{pk}_{\mathrm{tgt}}, s)$ is pseudorandom. Indeed, this is because rk could as well have been "simulated" using $\mathrm{sk}_1$, in which case it is of no help in the distinguishing task.

The simulation requirement also rules out the trivial construction from trapdoor functions where rk is a trapdoor for inverting $\mathrm{Encode}(\mathrm{pk}_0, \cdot)$ or $\mathrm{Encode}(\mathrm{pk}_1, \cdot)$.

From  TOR  to  Garbled  Circuits.  We  start  from  the  observation  that  our  TOR  primitive 
implies  a  form  of  reusable  garbled  circuits  with  no  input  or  circuit  privacy ,  but  instead,  with  a  form 
of  authenticity  guarantee.  As  we  will  see,  this  leads  directly  into  our  attribute-based  encryption 
scheme. 

Consider a two-input Boolean gate with input wires $u, v$ and output wire $w$, computing a function $G : \{0,1\} \times \{0,1\} \to \{0,1\}$. In Yao's garbled circuit construction, we associate each wire with a pair of strings (called "labels"), and we provide a translation table comprising four values $v_{b,c}$, where $v_{b,c}$ allows us to perform the transformation:

$$L_{u,b},\ L_{v,c} \;\mapsto\; L_{w,G(b,c)}$$

The garbled circuits construction guarantees that given the translation table and labels $L_{u,b^*}$ and $L_{v,c^*}$ for specific input bits $b^*$ and $c^*$, we can obtain $L_{w,G(b^*,c^*)}$; however, the other label at the output, namely $L_{w,1-G(b^*,c^*)}$, remains hidden.

In our setting, we replace labels with public keys, so that each wire is associated with a pair of public keys. As before, we also provide a translation table comprising four values $\mathrm{rk}_{b,c}$, where the recoding key $\mathrm{rk}_{b,c}$ allows us to perform the transformation

$$\mathrm{Encode}(\mathrm{pk}_{u,b}, s),\ \mathrm{Encode}(\mathrm{pk}_{v,c}, s) \;\mapsto\; \mathrm{Encode}(\mathrm{pk}_{w,G(b,c)}, s)$$

The security properties of the TOR scheme then give us the following guarantee: given the translation table and encodings of $s$ corresponding to $b^*, c^*$, we can clearly compute the encoding of $s$ corresponding to $G(b^*, c^*)$. However, the encoding corresponding to $1 - G(b^*, c^*)$ remains pseudorandom.

Moreover,  crucially,  the  translation  table  is  independent  of  s,  so  we  can  now  “reuse”  the 
translation  table  by  providing  fresh  encodings  with  different  choices  of  s.  In  a  sentence,  replacing 
strings  by  functions  gives  us  the  power  of  reusability. 

In the garbled circuits construction, the four entries of the table are permuted, and thus one can perform the translation even without knowing what the input bits $b^*$ and $c^*$ are. This is possible because there is an efficient way to verify when the "correct" translation key is being used. In contrast, in the reusable construction above, one has to know exactly which of the recoding keys to use. This is part of the reason why we are unable to provide circuit or input privacy, but instead only guarantee authenticity, namely that an adversary can obtain only one of the two possible encodings at the output wire.

This construction forms the cornerstone of the subsequent work of Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich [GKP+13], who construct reusable garbled circuits with input and circuit privacy by additionally leveraging the power of fully homomorphic encryption [Gen09, BV11].

From TOR to Attribute-Based Encryption. How is all this related to attribute-based encryption? In our attribute-based encryption scheme for circuits, the encodings of $s$ are provided in the ciphertext, and the translation tables are provided in the secret key. More precisely, each wire is associated with two TOR public keys, and the encryption of a message $m$ under an index ind is obtained by computing $\mathrm{Encode}(\mathrm{pk}_{i,\mathrm{ind}_i}, s)$ for every input wire $i$. The output encoding $\mathrm{Encode}(\mathrm{pk}_{\mathrm{out}}, s)$ is then used to mask the message. We obtain the secret key corresponding to a circuit $C$ by "stitching" multiple translation tables together, where the public keys for the input and output wires are provided in the public parameters, and we pick fresh public keys for the internal wires during key generation. In a nutshell, this gives us the guarantee that given a secret key $\mathrm{sk}_C$ and an encryption $\mathrm{Enc}(\mathrm{ind}, m)$ such that $C(\mathrm{ind}) = 1$, we can compute $\mathrm{Encode}(\mathrm{pk}_{\mathrm{out}}, s)$ and thus recover the message. On the other hand, this value looks pseudorandom if $C(\mathrm{ind}) = 0$.

In our outline of reusable garbled circuits with authenticity, we wanted to reuse the garbled circuit $G(C)$ across multiple encryptions with indices $\mathrm{ind}_1, \mathrm{ind}_2, \ldots$ on which $C$ always evaluates to $0$. In attribute-based encryption, we also want reusability across multiple circuits $C_1, C_2, \ldots$, all of which evaluate to $0$ on a fixed index ind (in addition to multiple indices). Fortunately, the strong security properties of the TOR primitive provide us with this guarantee.

To  obtain  attribute-based  encryption  for  branching  programs,  we  are  able  to  support  a  different 
notion  of  translation  tables,  which  we  can  realize  using  a  slightly  weaker  notion  of  TOR.  In 
branching  programs,  the  transition  function  depends  on  an  input  variable  and  the  current  state. 
The  fact  that  one  of  these  two  values  is  always  an  input  variable  makes  things  simpler;  in  circuits, 
both  of  the  input  values  to  a  gate  could  be  internal  wires. 

TOR from LWE. We show how to instantiate TOR from LWE, building upon previous lattice-based IBE techniques in [GPV08, CHKP12, ABB10a, ABB10b]. The public key is given by a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, and

$$\mathrm{Encode}(\mathbf{A}, \mathbf{s}) = \mathbf{A}^T \mathbf{s} + \mathbf{e}$$

where $\mathbf{s} \in \mathbb{Z}_q^n$, $\mathbf{e} \in \mathbb{Z}_q^m$ is an error vector, and $\mathbf{A}^T$ denotes the transpose of the matrix $\mathbf{A}$. (Correlated) pseudorandomness follows directly from the LWE assumption. Given $\mathbf{A}_0, \mathbf{A}_1, \mathbf{A}_{\mathrm{tgt}} \in \mathbb{Z}_q^{n \times m}$, the recoding key rk is given by a low-norm matrix $\mathbf{R} \in \mathbb{Z}^{2m \times m}$ such that

$$[\,\mathbf{A}_0 \,\|\, \mathbf{A}_1\,]\, \mathbf{R} = \mathbf{A}_{\mathrm{tgt}}$$


Note that

$$\mathbf{R}^T \begin{pmatrix} \mathbf{A}_0^T \mathbf{s} + \mathbf{e}_0 \\ \mathbf{A}_1^T \mathbf{s} + \mathbf{e}_1 \end{pmatrix} = \mathbf{A}_{\mathrm{tgt}}^T \mathbf{s} + \mathbf{R}^T \begin{pmatrix} \mathbf{e}_0 \\ \mathbf{e}_1 \end{pmatrix} \approx \mathbf{A}_{\mathrm{tgt}}^T \mathbf{s},$$

which gives us the recoding mechanism. There are three ways of generating the public key $\mathbf{A}_{\mathrm{tgt}}$ together with the recoding key $\mathbf{R}$: (1) using the trapdoor for $\mathbf{A}_0$, (2) using the trapdoor for $\mathbf{A}_1$, or (3) first generating $\mathbf{R}$ and then "programming" $\mathbf{A}_{\mathrm{tgt}} := [\,\mathbf{A}_0 \,\|\, \mathbf{A}_1\,]\, \mathbf{R}$. These three ways are statistically indistinguishable by the "bonsai trick" of [CHKP12]. In fact, our recoding mechanism is very similar to the lattice delegation mechanism introduced in [ABB10b], which also uses random low-norm matrices to move from one lattice to another.

The multiplicative mechanism for recoding means that the noise grows exponentially with the number of sequential recodings. This, in turn, limits the depth of the circuits we can handle. In particular, the noise grows by a multiplicative $\mathrm{poly}(n)$ factor on each recoding, which means that after depth $d$ it becomes $n^{O(d)}$. Since we need $n^{O(d)} \le q/4 \le 2^{n^\varepsilon}$, we can handle circuits of depth $O(n^\varepsilon)$ (here, the first inequality is for correctness and the second for security). Viewed differently, setting the LWE dimension $n = d^{1/\varepsilon}$ lets us handle circuits of maximum depth $d = d(\lambda)$.
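A worked version of the noise bound just stated, added here as an illustration rather than taken from the paper. It assumes the bounds of Lemma 3.1 below: every column of a recoding matrix $\mathbf{R}$ has entries of absolute value at most $s\sqrt{n}$, and every fresh error vector is $B$-bounded. Writing $\mathbf{e}_d$ for the error of an encoding obtained by $d$ nested recodings (with $\mathbf{e}_{d-1}, \mathbf{e}'_{d-1}$ the errors of its two inputs, each of depth at most $d-1$),

$$\|\mathbf{e}_d\|_\infty = \Big\|\mathbf{R}_d^T \begin{pmatrix} \mathbf{e}_{d-1} \\ \mathbf{e}'_{d-1} \end{pmatrix}\Big\|_\infty \le 2m \cdot s\sqrt{n} \cdot \max\big(\|\mathbf{e}_{d-1}\|_\infty, \|\mathbf{e}'_{d-1}\|_\infty\big), \qquad \|\mathbf{e}_0\|_\infty \le B,$$

so that after $d$ nested recodings $\|\mathbf{e}_d\|_\infty \le (2m\, s\sqrt{n})^d\, B = n^{O(d)}$ whenever $m, s, B = \mathrm{poly}(n)$. Unmasking the message compares this derived encoding against a fresh one, so decryption is correct as long as $n^{O(d)} + B < q/4$, which is the correctness inequality $n^{O(d)} \le q/4$ above.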

Our weak TOR for branching programs uses an additive mechanism, namely the recoding key is given by a low-norm matrix $\mathbf{R} \in \mathbb{Z}^{m \times m}$ such that $\mathbf{A}_0 \mathbf{R} = \mathbf{A}_{\mathrm{tgt}} - \mathbf{A}_1$. Note that

$$\mathbf{R}^T(\mathbf{A}_0^T \mathbf{s} + \mathbf{e}_0) + (\mathbf{A}_1^T \mathbf{s} + \mathbf{e}_1) \approx \mathbf{A}_{\mathrm{tgt}}^T \mathbf{s},$$

which gives us our recoding mechanism. Since in our branching program construction $\mathbf{A}_0^T \mathbf{s} + \mathbf{e}_0$ will always be a fresh encoding provided in the ciphertext, the noise accumulation is additive rather than multiplicative.
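The LWE instantiation of TOR just described, the recoding-key translation tables of a garbled gate from earlier in this section, and the symmetric scheme (E, D) required in Section 4, as one added example; this is not code from the paper or from any library. It is a pure-Python toy under the following assumptions: the trapdoor is a gadget-style one whose deterministic (and leaky) preimage routine stands in for SampleD of Lemma 3.1; E adds $\lfloor q/2 \rfloor \cdot m_j$ to the first coordinates of the encoding and D rounds, which meets the "any two encodings in the support" correctness requirement; the parameters ($n = 4$, $q = 2^{20}$, error bound 2) are far too small for security; and the three-input AND circuit, the function names and the 32-bit message are constructed for the demonstration. Recoding keys are made the way the scheme's KeyGen makes them, with the trapdoor of the first input wire (ReKeyGen using $\mathrm{sk}_0$), and the evaluator picks $\mathrm{rk}_{b,c}$ from the known index bits.

```python
import random

# Toy LWE parameters, constructed for this example only (far too small to be secure).
N, K = 4, 20                 # LWE dimension n and log2(q)
Q, NOISE = 1 << K, 2         # modulus q; error coordinates are uniform in [-NOISE, NOISE]
MBAR = N * K                 # columns of the uniform part of a trapdoored matrix
M = MBAR + N * K             # total width m = mbar + n*k

def rand_matrix(rows, cols, lo, hi):
    return [[random.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]

def matmul(A, B):            # (A @ B) mod Q on plain lists
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def centered(x):             # representative of x mod Q in (-Q/2, Q/2]
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():
    # Gadget-style trapdoor (MP12 flavour): A = [Abar || G - Abar*Rbar], so A*[Rbar; I] = G.
    # Preimages are deterministic and leaky here; a stand-in for SampleD of Lemma 3.1.
    Abar, Rbar = rand_matrix(N, MBAR, 0, Q - 1), rand_matrix(MBAR, N * K, -1, 1)
    G = [[(1 << (j % K)) if j // K == i else 0 for j in range(N * K)] for i in range(N)]
    AR = matmul(Abar, Rbar)
    return [Abar[i] + [(G[i][j] - AR[i][j]) % Q for j in range(N * K)] for i in range(N)], Rbar

def preimage(Rbar, u):       # short x with A x = u: x = [Rbar z; z], z = bits of u
    z = [(u[i] >> t) & 1 for i in range(N) for t in range(K)]
    return [sum(r * b for r, b in zip(row, z)) for row in Rbar] + z

def encode(A, s):            # Encode(A, s) = A^T s + e
    return [(sum(A[i][j] * s[i] for i in range(N)) + random.randint(-NOISE, NOISE)) % Q for j in range(M)]

def rekeygen(A0, sk0, A1, A_tgt):
    # Low-norm R = [R0; R1] with [A0 || A1] R = A_tgt from the trapdoor of A0 alone:
    # pick R1 at random, then solve A0 R0 = A_tgt - A1 R1 column by column.
    R1 = rand_matrix(M, M, -1, 1)
    U = matmul(A1, R1)
    cols = [preimage(sk0, [(A_tgt[i][j] - U[i][j]) % Q for i in range(N)]) for j in range(M)]
    return [list(r) for r in zip(*cols)] + R1

def recode(R, psi0, psi1):   # R^T [psi0; psi1] = A_tgt^T s + R^T [e0; e1]
    psi = psi0 + psi1
    return [sum(R[k][j] * psi[k] for k in range(2 * M)) % Q for j in range(M)]

def noise(psi, A, s):        # max |psi - A^T s|; for measurement only, an evaluator never knows s
    return max(abs(centered(psi[j] - sum(A[i][j] * s[i] for i in range(N)))) for j in range(M))

def sym_enc(psi, bits):      # E(psi, m): shift coordinate j by floor(q/2) * m_j
    return [(psi[j] + (Q // 2) * bits[j]) % Q for j in range(len(bits))]

def sym_dec(psi, ct):        # D(psi', c): m_j = 1 iff c_j - psi'_j is closer to q/2 than to 0
    return [1 if abs(centered(c - p)) > Q // 4 else 0 for c, p in zip(ct, psi)]

def tor_check():
    # Recoding with both encodings of s lands near A_tgt^T s; with only one of them it does not.
    random.seed(1)
    (A0, sk0), (A1, _), (At, _) = keygen(), keygen(), keygen()
    R, s = rekeygen(A0, sk0, A1, At), [random.randint(0, Q - 1) for _ in range(N)]
    good = noise(recode(R, encode(A0, s), encode(A1, s)), At, s)
    bad = noise(recode(R, encode(A0, s), encode(A1, [0] * N)), At, s)
    return good, bad

# ABE for a tiny circuit: wires 0..2 are inputs; gate (u, v, w, g) sets wire w = g(wire u, wire v).
AND = lambda b, c: b & c
CIRCUIT = [(0, 1, 3, AND), (3, 2, 4, AND)]    # C(x) = x0 AND x1 AND x2, output wire 4
INPUTS, OUT = 3, 4

def setup():                 # pp: two keys per input wire and one key for "output wire = 1"
    pk = {(i, b): keygen() for i in range(INPUTS) for b in (0, 1)}
    pk[(OUT, 1)] = keygen()
    return pk

def abe_keygen(pk):          # sk_C: fresh keys for the other wires, four recoding keys per gate
    pk, table = dict(pk), {}
    for (u, v, w, g) in CIRCUIT:
        pk.update({(w, b): keygen() for b in (0, 1) if (w, b) not in pk})
        for b, c in [(0, 0), (0, 1), (1, 0), (1, 1)]:     # rk_{b,c} made from sk_{u,b}
            table[(w, b, c)] = rekeygen(*pk[(u, b)], pk[(v, c)][0], pk[(w, g(b, c))][0])
    return table

def encrypt(pk, ind, bits):  # one encoding of s per input wire; message masked under pk_out
    s = [random.randint(0, Q - 1) for _ in range(N)]
    return [encode(pk[(i, ind[i])][0], s) for i in range(INPUTS)], sym_enc(encode(pk[(OUT, 1)][0], s), bits)

def decrypt(table, ind, ct):
    # The evaluator must know ind to pick rk_{b,c} at each gate: no input privacy, only authenticity.
    val, psi = list(ind), list(ct[0])
    for (u, v, w, g) in CIRCUIT:                        # wires numbered so that w == len(val)
        psi.append(recode(table[(w, val[u], val[v])], psi[u], psi[v]))
        val.append(g(val[u], val[v]))
    return sym_dec(psi[OUT], ct[1]) if val[OUT] == 1 else None

def demo():
    random.seed(7)
    pk, msg = setup(), [random.randint(0, 1) for _ in range(32)]
    table = abe_keygen(pk)
    granted = decrypt(table, [1, 1, 1], encrypt(pk, [1, 1, 1], msg))   # C(ind) = 1
    denied = decrypt(table, [1, 0, 1], encrypt(pk, [1, 0, 1], msg))    # C(ind) = 0
    return msg, granted, denied
```

`tor_check()` returns the infinity norm of the error after one recoding with both input encodings (a few thousand, well below $q/4$) and with only one of them (essentially uniform modulo $q$, so the recoding key alone is useless). `demo()` returns the message, the decryption for $\mathrm{ind} = 111$, which recovers it, and the result for $\mathrm{ind} = 101$, which is None because the table only ever leads to an encoding under $\mathrm{pk}_{\mathrm{out},0}$. Calling `noise()` on the wire encodings with the encryptor's $\mathbf{s}$ shows the per-level growth that bounds the circuit depth.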



2.3  Applications 

Let us now explain the application of our result to the problem of publicly verifiable delegation of computation without input privacy.

A verifiable delegation scheme allows a computationally weak client to delegate expensive computations to the cloud, with the assurance that a malicious cloud cannot convince the client to accept an incorrect computation [Mic00, GKR08, GGP10, CKV10, AIK10]. Recent work of Parno, Raykova and Vaikuntanathan [PRV12] showed that any attribute-based encryption scheme for a class of circuits with encryption time at most linear in the length of the index immediately yields a two-message delegation scheme for the class in the pre-processing model. Namely, there is an initial pre-processing phase which fixes the circuit $C$ the client wishes to compute, produces a circuit key and sends it to the server. Afterwards, to delegate computation on an input $x$, the client only needs to send a single message. Moreover, the ensuing delegation scheme satisfies public delegatability, namely anyone can delegate computations to the cloud, as well as public verifiability, namely anyone can check the cloud's work (given a "verification" key published by the client). The previous delegation schemes that satisfy both these properties (secure in the standard model) supported the class NC1 [PRV12, GPSW06, LW12]. Our attribute-based encryption schemes for circuits give us a verifiable delegation scheme for all circuits, where the computation time of the client in the online phase is polynomial in the length of its input and the depth of the circuit, but is otherwise independent of the circuit size. We note that this scheme does not guarantee privacy of the input. Building on this work, Goldwasser et al. [GKP+13] show how to achieve a publicly verifiable delegation scheme with input privacy.

2.4  Related  Work 

Prior to this work, the state of the art for lattice-based predicate encryption was threshold and inner product predicates [ABV+12, AFV11]; realizing Boolean formulas was itself an open problem. A different line of work considers definitional issues in the more general realm of functional encryption [BSW11, O'N10], for which general feasibility results are known for the restricted setting of a-priori bounded collusions, developed from classical "one-time" garbled circuits [SS10a, GVW12] (the ciphertext size grows with both the circuit size and the collusion bound). Our methodology takes a fresh perspective on how to achieve reusability of garbled circuits with respect to authenticity. Our primitive (TOR) can be thought of as a generalization of the notion of proxy re-encryption [BBS98, AFGH06, HRSV11], which can be thought of as a one-to-one re-encryption mechanism.

Independent work. Boyen [Boy13] gave a construction of an ABE scheme for Boolean formulas based on LWE; our result for LWE-based branching programs subsumes this result, since Boolean formulas are a subclass of branching programs. Garg, Gentry, Halevi, Sahai and Waters [GGH+13] gave a construction of attribute-based encryption for general circuits under a DBDH-like assumption in multi-linear groups (unfortunately, there is no known candidate for realizing such an assumption), as well as a non-standard assumption in ideal lattices [GGH12]. The public parameters in their construction also grow with the depth of the circuit.

Subsequent  Work.  Our  attribute-based  encryption  scheme  has  been  used  as  the  crucial 
component  in  the  subsequent  work  of  [GKP+13]  to  construct  a  (private  index)  functional  encryption 
scheme  with  succinct  ciphertexts.  They  also  show  a  number  of  applications  of  their  construction, 
including  reusable  garbled  circuits  with  input  and  circuit  privacy. 

Organization.  We  present  our  TOR  framework  and  its  instantiation  in  Sections  4  and  5.  We 
present  our  ABE  scheme  in  Section  6.  We  present  the  scheme  for  branching  programs  in  Section  7. 

3  Preliminaries 

Notation. Let PPT denote probabilistic polynomial-time. For any integer $q \ge 2$, we let $\mathbb{Z}_q$ denote the ring of integers modulo $q$ and we represent $\mathbb{Z}_q$ as integers in $(-q/2, q/2]$. We let $\mathbb{Z}_q^{n \times m}$ denote the set of $n \times m$ matrices with entries in $\mathbb{Z}_q$. We use bold capital letters (e.g. $\mathbf{A}$) to denote matrices, and bold lowercase letters (e.g. $\mathbf{x}$) to denote vectors. The notation $\mathbf{A}^T$ denotes the transpose of the matrix $\mathbf{A}$.

If $\mathbf{A}_1$ is an $n \times m$ matrix and $\mathbf{A}_2$ is an $n \times m'$ matrix, then $[\mathbf{A}_1 \,\|\, \mathbf{A}_2]$ denotes the $n \times (m + m')$ matrix formed by concatenating $\mathbf{A}_1$ and $\mathbf{A}_2$. A similar notation applies to vectors. When doing matrix-vector multiplication we always view vectors as column vectors.

We say a function $f(n)$ is negligible if it is $O(n^{-c})$ for all $c > 0$, and we use $\mathrm{negl}(n)$ to denote a negligible function of $n$. We say $f(n)$ is polynomial if it is $O(n^c)$ for some $c > 0$, and we use $\mathrm{poly}(n)$ to denote a polynomial function of $n$. We say an event occurs with overwhelming probability if its probability is $1 - \mathrm{negl}(n)$. The function $\lg x$ is the base-2 logarithm of $x$. The notation $\lfloor x \rceil$ denotes the nearest integer to $x$, rounding towards $0$ for half-integers.

3.1  Attribute-Based  Encryption 

We define attribute-based encryption (ABE), following [GPSW06]. An ABE scheme for a class of predicate circuits $\mathcal{C}$ (namely, circuits with a single bit of output) consists of four algorithms (Setup, Enc, KeyGen, Dec):

Setup($1^\lambda$, $1^\ell$) $\to$ (pp, mpk, msk): The setup algorithm gets as input the security parameter $\lambda$ and the length $\ell$ of the index, and outputs the public parameters (pp, mpk) and the master key msk. All the other algorithms get pp as part of their input.

Enc(mpk, ind, $m$) $\to$ $\mathrm{ct}_{\mathrm{ind}}$: The encryption algorithm gets as input mpk, an index $\mathrm{ind} \in \{0,1\}^\ell$ and a message $m \in \mathcal{M}$. It outputs a ciphertext $\mathrm{ct}_{\mathrm{ind}}$. Note that ind is public given $\mathrm{ct}_{\mathrm{ind}}$.

KeyGen(msk, $C$) $\to$ $\mathrm{sk}_C$: The key generation algorithm gets as input msk and a predicate specified by $C \in \mathcal{C}$. It outputs a secret key $\mathrm{sk}_C$ (where $C$ is also public).

Dec($\mathrm{sk}_C$, $\mathrm{ct}_{\mathrm{ind}}$) $\to$ $m$: The decryption algorithm gets as input $\mathrm{sk}_C$ and $\mathrm{ct}_{\mathrm{ind}}$, and outputs either $\bot$ or a message $m \in \mathcal{M}$.

We require that for all (ind, $C$) such that $C(\mathrm{ind}) = 1$, all $m \in \mathcal{M}$ and $\mathrm{ct}_{\mathrm{ind}} \leftarrow \mathrm{Enc}(\mathrm{mpk}, \mathrm{ind}, m)$, $\mathrm{Dec}(\mathrm{sk}_C, \mathrm{ct}_{\mathrm{ind}}) = m$.

Security Definition. For a stateful adversary $\mathcal{A}$, we define the advantage function $\mathrm{Adv}^{\mathrm{abe}}_{\mathcal{A}}(\lambda)$ to be

$$\Pr\left[\, b = b' \;:\; \begin{array}{l} \mathrm{ind} \leftarrow \mathcal{A}(1^\lambda, 1^\ell); \\ (\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^\lambda, 1^\ell); \\ (m_0, m_1) \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(\mathrm{mpk}),\ |m_0| = |m_1|; \\ b \leftarrow \{0,1\}; \\ \mathrm{ct}_{\mathrm{ind}} \leftarrow \mathrm{Enc}(\mathrm{mpk}, \mathrm{ind}, m_b); \\ b' \leftarrow \mathcal{A}^{\mathrm{KeyGen}(\mathrm{msk}, \cdot)}(\mathrm{ct}_{\mathrm{ind}}) \end{array} \right] - \frac{1}{2}$$

with the restriction that all queries $C$ that $\mathcal{A}$ makes to KeyGen(msk, $\cdot$) satisfy $C(\mathrm{ind}) = 0$ (that is, $\mathrm{sk}_C$ does not decrypt $\mathrm{ct}_{\mathrm{ind}}$). An attribute-based encryption scheme is selectively secure if for all PPT adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{\mathrm{abe}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$. We call an attribute-based encryption scheme fully secure if the adversary $\mathcal{A}$ is allowed to choose the challenge index ind after seeing secret keys, namely, along with choosing $(m_0, m_1)$.

3.2 Learning With Errors (LWE) Assumption

The LWE problem was introduced by Regev [Reg09], who showed that solving it on the average is as hard as (quantumly) solving several standard lattice problems in the worst case.
Definition 3.1 (LWE). For an integer $q = q(n) \ge 2$ and an error distribution $\chi = \chi(n)$ over $\mathbb{Z}_q$, the learning with errors problem $\mathrm{dLWE}_{n,m,q,\chi}$ is to distinguish between the following pairs of distributions:

$$\{\mathbf{A},\ \mathbf{A}^T \mathbf{s} + \mathbf{x}\} \quad \text{and} \quad \{\mathbf{A},\ \mathbf{u}\}$$

where $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$, $\mathbf{s} \leftarrow \mathbb{Z}_q^n$, $\mathbf{x} \leftarrow \chi^m$, $\mathbf{u} \leftarrow \mathbb{Z}_q^m$.

Connection to lattices. Let $B = B(n) \in \mathbb{N}$. A family of distributions $\chi = \{\chi_n\}_{n \in \mathbb{N}}$ is called $B$-bounded if

$$\Pr[\chi \in \{-B, \ldots, B-1, B\}] = 1.$$

There are known quantum [Reg09] and classical [Pei09] reductions between $\mathrm{dLWE}_{n,m,q,\chi}$ and approximating short vector problems in lattices in the worst case, where $\chi$ is a $B$-bounded (truncated) discretized Gaussian for some appropriate $B$. The state-of-the-art algorithms for these lattice problems run in time nearly exponential in the dimension $n$ [AKS01, MV10]; more generally, we can get a $2^k$-approximation in time $2^{\tilde{O}(n/k)}$. Combined with the connection to LWE, this means that the $\mathrm{dLWE}_{n,m,q,\chi}$ assumption is quite plausible for a $\mathrm{poly}(n)$-bounded distribution $\chi$ and $q$ as large as $2^{n^\varepsilon}$ (for any constant $0 < \varepsilon < 1$). Throughout this paper, the parameter $m = \mathrm{poly}(n)$, in which case we will shorten the notation slightly to $\mathrm{LWE}_{n,q,\chi}$.

3.3  Trapdoors  for  Lattices  and  LWE 

Gaussian distributions. Let $D_{\mathbb{Z}^m, \sigma}$ be the truncated discrete Gaussian distribution over $\mathbb{Z}^m$ with parameter $\sigma$, that is, we replace the output by $\mathbf{0}$ whenever the $\|\cdot\|_\infty$ norm exceeds $\sqrt{m} \cdot \sigma$. Note that $D_{\mathbb{Z}^m, \sigma}$ is $\sqrt{m} \cdot \sigma$-bounded.

Lemma 3.1 (Lattice Trapdoors [Ajt99, GPV08, MP12]). There is an efficient randomized algorithm $\mathrm{TrapSamp}(1^n, 1^m, q)$ that, given any integers $n \ge 1$, $q \ge 2$, and sufficiently large $m = \Omega(n \log q)$, outputs a parity check matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a "trapdoor" matrix $\mathbf{T} \in \mathbb{Z}^{m \times m}$ such that the distribution of $\mathbf{A}$ is $\mathrm{negl}(n)$-close to uniform.

Moreover, there is an efficient algorithm SampleD that, with overwhelming probability over all random choices, does the following: for any $\mathbf{u} \in \mathbb{Z}_q^n$ and large enough $s = \Omega(\sqrt{n \log q})$, the randomized algorithm $\mathrm{SampleD}(\mathbf{A}, \mathbf{T}, \mathbf{u}, s)$ outputs a vector $\mathbf{r} \in \mathbb{Z}^m$ with norm $\|\mathbf{r}\|_\infty \le \|\mathbf{r}\|_2 \le s\sqrt{n}$ (with probability 1). Furthermore, the following distributions of the tuple $(\mathbf{A}, \mathbf{T}, \mathbf{U}, \mathbf{R})$ are within $\mathrm{negl}(n)$ statistical distance of each other for any polynomial $k \in \mathbb{N}$:

• $(\mathbf{A}, \mathbf{T}) \leftarrow \mathrm{TrapSamp}(1^n, 1^m, q)$; $\mathbf{U} \leftarrow \mathbb{Z}_q^{n \times k}$; $\mathbf{R} \leftarrow \mathrm{SampleD}(\mathbf{A}, \mathbf{T}, \mathbf{U}, s)$.

• $(\mathbf{A}, \mathbf{T}) \leftarrow \mathrm{TrapSamp}(1^n, 1^m, q)$; $\mathbf{R} \leftarrow (D_{\mathbb{Z}^m, s})^k$; $\mathbf{U} := \mathbf{A}\mathbf{R} \pmod q$.

4  Two-to-One  Recoding  Schemes 

An  overview  is  provided  in  Section  2.2. 
Symmetric encryption. In our construction, we will use $\mathrm{Encode}(\mathrm{pk}, s)$ as a one-time key for a symmetric-key encryption scheme $(\mathrm{E}, \mathrm{D})$. If Encode were deterministic, then we could simply use a one-time pad. However, since Encode is probabilistic, the one-time pad will not guarantee correctness. Instead, we require $(\mathrm{E}, \mathrm{D})$ to satisfy a stronger correctness guarantee, namely for all messages $m$ and for all $\psi, \psi'$ in the support of $\mathrm{Encode}(\mathrm{pk}, s)$, $\mathrm{D}(\psi', \mathrm{E}(\psi, m)) = m$.

Allowing degradation. With each recoding operation, the "quality" of the encoding potentially degrades. In order to formalize this, we allow the initial global public parameters to depend on $d_{\max}$, an a-priori upper bound on the number of nested recoding operations. We then require that given any encodings $\psi$ and $\psi'$ that are a result of at most $d_{\max}$ nested recodings, $\mathrm{D}(\psi', \mathrm{E}(\psi, m)) = m$. We stress that we allow $d_{\max}$ to be super-polynomial, and in fact provide such instantiations for a relaxed notion of TOR.

4.1  Definition  of  TOR 

Formally, a TOR scheme over the input space $\mathcal{S} = \{\mathcal{S}_\lambda\}$ consists of six polynomial-time algorithms (Params, Keygen, Encode, ReKeyGen, SimReKeyGen, Recode) and a symmetric-key encryption scheme (E, D) with the following properties:

• Params($1^\lambda$, $d_{\max}$) is a probabilistic algorithm that takes as input the security parameter $\lambda$ and an upper bound $d_{\max}$ on the number of nested recoding operations (written in binary), and outputs "global" public parameters pp.

• Keygen(pp) is a probabilistic algorithm that outputs a public/secret key pair (pk, sk).

• Encode(pk, $s$) is a probabilistic algorithm that takes pk and an input $s \in \mathcal{S}$, and outputs an encoding $\psi$.

In addition, there is a recoding mechanism together with two ways to generate recoding keys: given one of the two secret keys, or by programming the output public key.

• ReKeyGen($\mathsf{pk}_0$, $\mathsf{pk}_1$, $\mathsf{sk}_0$, $\mathsf{pk}_{\mathsf{tgt}}$) is a probabilistic algorithm that takes a key pair $(\mathsf{pk}_0, \mathsf{sk}_0)$, another public key $\mathsf{pk}_1$, a "target" public key $\mathsf{pk}_{\mathsf{tgt}}$, and outputs a recoding key rk.

• SimReKeyGen($\mathsf{pk}_0$, $\mathsf{pk}_1$) is a probabilistic algorithm that takes two public keys $\mathsf{pk}_0, \mathsf{pk}_1$ and outputs a recoding key rk together with a "target" public key $\mathsf{pk}_{\mathsf{tgt}}$.

• Recode(rk, $\psi_0$, $\psi_1$) is a deterministic algorithm that takes the recoding key rk, two encodings $\psi_0$ and $\psi_1$, and outputs an encoding $\psi_{\mathsf{tgt}}$.

Remark 4.1. For our instantiation from lattices, we can in fact invert $\mathsf{Encode}(\mathsf{pk}, s)$ to recover $s$ using the corresponding sk. However, we will not require this property in our generic constructions from TOR. Indeed, realizing this property over bilinear groups would be hard, since $s$ is typically encoded in the exponent.
Correctness. Correctness of a TOR scheme requires two things. First, for every pk and $s \in \mathcal{S}$, there exists a family of sets $\Psi_{\mathsf{pk},s,j}$, $j = 0, 1, \ldots, d_{\max}$:

• $\Pr[\mathsf{Encode}(\mathsf{pk}, s) \in \Psi_{\mathsf{pk},s,0}] = 1$, where the probability is taken over the coin tosses of Encode;

• $\Psi_{\mathsf{pk},s,0} \subseteq \Psi_{\mathsf{pk},s,1} \subseteq \cdots \subseteq \Psi_{\mathsf{pk},s,d_{\max}}$;

• for all $\psi, \psi' \in \Psi_{\mathsf{pk},s,d_{\max}}$ and all $m \in \mathcal{M}$, $\mathsf{D}(\psi', \mathsf{E}(\psi, m)) = m$.

Note that these properties hold trivially if Encode is deterministic and (E, D) is the one-time pad. Secondly, the correctness of recoding requires that for any triple of key pairs $(\mathsf{pk}_0, \mathsf{sk}_0), (\mathsf{pk}_1, \mathsf{sk}_1), (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}})$, and any encodings $\psi_0 \in \Psi_{\mathsf{pk}_0,s,j_0}$ and $\psi_1 \in \Psi_{\mathsf{pk}_1,s,j_1}$,

$\mathsf{Recode}(\mathsf{rk}, \psi_0, \psi_1) \in \Psi_{\mathsf{pk}_{\mathsf{tgt}},s,\max(j_0,j_1)+1}$

Statistical Security Properties. Note that we have three ways of sampling recoding keys: using ReKeyGen along with one of the two secret keys $\mathsf{sk}_0$ or $\mathsf{sk}_1$, or using SimReKeyGen while programming $\mathsf{pk}_{\mathsf{tgt}}$. We require that all three ways lead to the same distribution of recoding keys, up to some statistical error.

(Key Indistinguishability): Let $(\mathsf{pk}_b, \mathsf{sk}_b) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ for $b = 0, 1$ and $(\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$. The following two ensembles must be statistically indistinguishable:

$\{\mathsf{Aux},\ \mathsf{ReKeyGen}(\mathsf{pk}_0, \mathsf{pk}_1, \mathsf{sk}_0, \mathsf{pk}_{\mathsf{tgt}})\} \approx_s \{\mathsf{Aux},\ \mathsf{ReKeyGen}(\mathsf{pk}_1, \mathsf{pk}_0, \mathsf{sk}_1, \mathsf{pk}_{\mathsf{tgt}})\}$

where $\mathsf{Aux} = ((\mathsf{pk}_0, \mathsf{sk}_0), (\mathsf{pk}_1, \mathsf{sk}_1), (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}}))$. Informally, this says that sampling recoding keys using $\mathsf{sk}_0$ or $\mathsf{sk}_1$ yields the same distribution.

(Recoding Simulation): Let $(\mathsf{pk}_b, \mathsf{sk}_b) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ for $b = 0, 1$. Then, the following two ways of sampling the tuple $[(\mathsf{pk}_0, \mathsf{sk}_0), (\mathsf{pk}_1, \mathsf{sk}_1), \mathsf{pk}_{\mathsf{tgt}}, \mathsf{rk}]$ must be statistically indistinguishable:

$\{(\mathsf{pk}_0,\mathsf{sk}_0),(\mathsf{pk}_1,\mathsf{sk}_1),\mathsf{pk}_{\mathsf{tgt}},\mathsf{rk} : (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}}) \leftarrow \mathsf{Keygen}(\mathsf{pp});\ \mathsf{rk} \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_0, \mathsf{pk}_1, \mathsf{sk}_0, \mathsf{pk}_{\mathsf{tgt}})\}$
$\approx_s$
$\{(\mathsf{pk}_0,\mathsf{sk}_0),(\mathsf{pk}_1,\mathsf{sk}_1),\mathsf{pk}_{\mathsf{tgt}},\mathsf{rk} : (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{rk}) \leftarrow \mathsf{SimReKeyGen}(\mathsf{pk}_0, \mathsf{pk}_1)\}$

In addition, we require one-time semantic security for (E, D):

(One-time Semantic Security): For all $m_0, m_1 \in \mathcal{M}$, the following two distributions must be statistically indistinguishable:

$\{\mathsf{E}(\psi, m_0) : \psi \leftarrow \mathcal{K}\} \approx_s \{\mathsf{E}(\psi, m_1) : \psi \leftarrow \mathcal{K}\}$

For all three properties, computational indistinguishability is sufficient for our applications, but we will achieve the stronger statistical indistinguishability in our instantiations.
Computational Security Property. We require that given the encoding of a random $s$ on $\ell = \mathrm{poly}(\lambda)$ keys, the evaluation at a fresh key is pseudorandom.

(Correlated Pseudorandomness): For every polynomial $\ell = \ell(\lambda)$, let $(\mathsf{pk}_i, \mathsf{sk}_i) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ for $i \in [\ell+1]$. Let $s \leftarrow \mathcal{S}$, and let $\psi_i \leftarrow \mathsf{Encode}(\mathsf{pk}_i, s)$ for $i \in [\ell+1]$. Then, the following two ensembles must be computationally indistinguishable:

$\{(\mathsf{pk}_i, \psi_i)_{i \in [\ell]},\ \mathsf{pk}_{\ell+1},\ \psi_{\ell+1}\} \approx_c \{(\mathsf{pk}_i, \psi_i)_{i \in [\ell]},\ \mathsf{pk}_{\ell+1},\ \psi\}$

That is, we define the advantage function $\mathsf{Adv}^{\mathsf{CP}}_{\mathcal{A}}(\lambda)$ to be:

$\left| \Pr\left[ b' = b :\ \begin{array}{l} \mathsf{pp} \leftarrow \mathsf{Setup}(1^\lambda);\ s \leftarrow \mathcal{S}; \\ (\mathsf{pk}_i, \mathsf{sk}_i) \leftarrow \mathsf{Keygen}(\mathsf{pp}),\ i = 1, \ldots, \ell+1; \\ \psi_i \leftarrow \mathsf{Encode}(\mathsf{pk}_i, s),\ i = 1, \ldots, \ell; \\ \psi^{*}_0 \leftarrow \mathsf{Encode}(\mathsf{pk}_{\ell+1}, s); \\ b \leftarrow \{0,1\};\ \psi^{*}_1 \leftarrow \mathcal{K}; \\ b' \leftarrow \mathcal{A}(\mathsf{pk}_1, \ldots, \mathsf{pk}_{\ell+1}, \psi_1, \ldots, \psi_\ell, \psi^{*}_b) \end{array} \right] - \frac{1}{2} \right|$

and we require that for all PPT $\mathcal{A}$, the advantage function $\mathsf{Adv}^{\mathsf{CP}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$.


4.2  Simple  Applications  of  TOR 

First example. We revisit the example from Section 2.2. Consider a two-input boolean gate $g$ with input wires $u, v$ and output wire $w$, computing a function $G : \{0,1\} \times \{0,1\} \to \{0,1\}$. Analogous to Yao's garbled circuit, we provide a translation table $T$ comprising four values

$T := (\mathsf{rk}_{b,c} : b, c \in \{0,1\})$

where $\mathsf{rk}_{b,c}$ allows us to perform the transformation

$\mathsf{Encode}(\mathsf{pk}_{u,b}, s),\ \mathsf{Encode}(\mathsf{pk}_{v,c}, s) \ \longrightarrow\ \mathsf{Encode}(\mathsf{pk}_{w,G(b,c)}, s)$

Now, fix $b^*, c^*$ and $d^* := G(b^*, c^*)$. Given an encoding of $s$ corresponding to $b^*$ and $c^*$, we can compute the encoding corresponding to $d^*$ using the recoding key $\mathsf{rk}_{b^*,c^*}$; in addition, we claim that the encoding corresponding to $1 - d^*$ remains pseudorandom. To prove this, it suffices to simulate $T$ given $\mathsf{pk}_{u,b^*}, \mathsf{pk}_{v,c^*}, \mathsf{pk}_{w,1-d^*}$ as follows:

• we sample $(\mathsf{pk}_{w,d^*}, \mathsf{rk}_{b^*,c^*})$ using SimReKeyGen;

• we sample $\mathsf{pk}_{u,1-b^*}$ and $\mathsf{pk}_{v,1-c^*}$ along with the corresponding secret keys; using these secret keys, we can sample the other three recoding keys $\mathsf{rk}_{1-b^*,c^*}, \mathsf{rk}_{b^*,1-c^*}, \mathsf{rk}_{1-b^*,1-c^*}$.
IBE from TOR. As a warm-up, we show how to build a selectively secure IBE for identity space $\{0,1\}^\ell$ with public parameters

$\mathsf{mpk} := \begin{pmatrix} \mathsf{pk}_{1,0} & \mathsf{pk}_{2,0} & \cdots & \mathsf{pk}_{\ell,0} & \mathsf{pk}_{\mathsf{start}} \\ \mathsf{pk}_{1,1} & \mathsf{pk}_{2,1} & \cdots & \mathsf{pk}_{\ell,1} & \mathsf{pk}_{\mathsf{out}} \end{pmatrix}$

The ciphertext for identity ind and message $m$ is given by:

$(\mathsf{Encode}(\mathsf{pk}_{1,\mathsf{ind}_1}, s), \ldots, \mathsf{Encode}(\mathsf{pk}_{\ell,\mathsf{ind}_\ell}, s), \mathsf{Encode}(\mathsf{pk}_{\mathsf{start}}, s), \mathsf{E}(\mathsf{Encode}(\mathsf{pk}_{\mathsf{out}}, s), m))$

The secret key for identity ind is given by $(\mathsf{rk}_1, \ldots, \mathsf{rk}_\ell)$ where we first sample

$(\mathsf{pk}'_1, \mathsf{sk}'_1), \ldots, (\mathsf{pk}'_{\ell-1}, \mathsf{sk}'_{\ell-1}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$

and then sample

$\mathsf{rk}_1 \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_{\mathsf{start}}, \mathsf{pk}_{1,\mathsf{ind}_1}, \mathsf{sk}_{\mathsf{start}}, \mathsf{pk}'_1)$
$\mathsf{rk}_2 \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}'_1, \mathsf{pk}_{2,\mathsf{ind}_2}, \mathsf{sk}'_1, \mathsf{pk}'_2)$
$\vdots$
$\mathsf{rk}_\ell \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}'_{\ell-1}, \mathsf{pk}_{\ell,\mathsf{ind}_\ell}, \mathsf{sk}'_{\ell-1}, \mathsf{pk}_{\mathsf{out}})$

To prove selective security, we need to generate secret keys for any $\mathsf{ind} \ne \mathsf{ind}^*$, given $\mathsf{sk}_{1,1-\mathsf{ind}^*_1}, \ldots, \mathsf{sk}_{\ell,1-\mathsf{ind}^*_\ell}$ but not $\mathsf{sk}_{\mathsf{start}}$ or $\mathsf{sk}_{\mathsf{out}}$. We can achieve this as follows: pick an $i$ for which $\mathsf{ind}_i \ne \mathsf{ind}^*_i$;

• pick $(\mathsf{rk}_1, \mathsf{pk}'_1), \ldots, (\mathsf{rk}_{i-1}, \mathsf{pk}'_{i-1})$ using SimReKeyGen;

• pick $(\mathsf{pk}'_i, \mathsf{sk}'_i), \ldots, (\mathsf{pk}'_{\ell-1}, \mathsf{sk}'_{\ell-1})$ using Keygen;

• pick $\mathsf{rk}_i, \mathsf{rk}_{i+1}, \ldots, \mathsf{rk}_\ell$ using ReKeyGen with secret keys $\mathsf{sk}_{i,1-\mathsf{ind}^*_i}, \mathsf{sk}'_i, \ldots, \mathsf{sk}'_{\ell-1}$ respectively.

5  TOR  from  LWE 

In this section, we present an instantiation of TOR from LWE, building upon ideas previously introduced in [GPV08, CHKP12, ABB10a, ABB10b].

Lemma 5.1. Assuming $\mathsf{dLWE}_{n,q,\chi}$ where $q = n^{\Theta(d_{\max})}$, there is a TOR scheme that is correct up to $d_{\max}$ levels.

• Params($1^\lambda$, $d_{\max}$): First choose the LWE dimension $n = n(\lambda)$. Let the error distribution be $\chi = \chi(n)$, the error bound $B = B(n) = O(n)$, the modulus $q = q(n) = O(n^2 d_{\max})^{d_{\max}} \cdot n$, the number of samples $m = m(n) = O(n \log q)$ and the Gaussian parameter $s = s(n) = O(\sqrt{n \log q})$. Output the global public parameters $\mathsf{pp} = (n, \chi, B, q, m, s)$. Define the domain $\mathcal{S}$ of the encoding scheme to be $\mathbb{Z}_q^n$.

• Keygen(pp): Run the trapdoor generation algorithm $\mathsf{TrapGen}(1^n, 1^m, q)$ to obtain a matrix $A \in \mathbb{Z}_q^{n \times m}$ together with the trapdoor matrix $T \in \mathbb{Z}^{m \times m}$. Output $\mathsf{pk} := A$ and $\mathsf{sk} := T$.

• Encode(pk, $s$): Sample an error vector $e \leftarrow \chi^m$ and output the encoding $\psi := A^{\top} s + e \in \mathbb{Z}_q^m$.

The recoding algorithms work as follows:


• ReKeyGen($\mathsf{pk}_0$, $\mathsf{pk}_1$, $\mathsf{sk}_b$, $\mathsf{pk}_{\mathsf{tgt}}$): Let $\mathsf{pk}_0 = A_0$, $\mathsf{pk}_1 = A_1$, $\mathsf{sk}_b = T_b$ and $\mathsf{pk}_{\mathsf{tgt}} = A_{\mathsf{tgt}}$. Compute the matrix $R \in \mathbb{Z}^{2m \times m}$ in the following way:

  – Choose a discrete Gaussian matrix $R_{1-b} \leftarrow (D_{\mathbb{Z},s})^{m \times m}$. Namely, each entry of the matrix is an independent sample from the discrete Gaussian distribution $D_{\mathbb{Z},s}$.

  – Compute $U := A_{\mathsf{tgt}} - A_{1-b} R_{1-b} \in \mathbb{Z}_q^{n \times m}$.

  – Compute the matrix $R_b \in \mathbb{Z}^{m \times m}$ by running the algorithm SampleD as follows:

    $R_b \leftarrow \mathsf{SampleD}(A_b, T_b, U, s)$

  Output

    $\mathsf{rk}^{\mathsf{tgt}}_{0,1} := \begin{bmatrix} R_0 \\ R_1 \end{bmatrix} \in \mathbb{Z}^{2m \times m}$

  (We remark that $A_b R_b = U = A_{\mathsf{tgt}} - A_{1-b} R_{1-b}$, and thus $A_0 R_0 + A_1 R_1 = A_{\mathsf{tgt}}$.)

• SimReKeyGen($\mathsf{pk}_0$, $\mathsf{pk}_1$): Let $\mathsf{pk}_0 = A_0$ and $\mathsf{pk}_1 = A_1$.

  – Sample a matrix $R \leftarrow (D_{\mathbb{Z},s})^{2m \times m}$ by sampling each entry from the discrete Gaussian distribution $D_{\mathbb{Z},s}$.

  – Define

    $A_{\mathsf{tgt}} := [A_0 \,\|\, A_1]\, R \in \mathbb{Z}_q^{n \times m}$

  Output the pair $(\mathsf{pk}_{\mathsf{tgt}} := A_{\mathsf{tgt}},\ \mathsf{rk}^{\mathsf{tgt}}_{0,1} := R)$.

• Recode($\mathsf{rk}^{\mathsf{tgt}}_{0,1}$, $\psi_0$, $\psi_1$): Let $\mathsf{rk}^{\mathsf{tgt}}_{0,1} = R$. Compute the recoded ciphertext

    $\psi_{\mathsf{tgt}}^{\top} := [\psi_0^{\top} \,\|\, \psi_1^{\top}]\, R$

We also need a one-time symmetric encryption scheme (E, D) which we will instantiate as an error-tolerant version of the one-time pad with $\mathcal{K} = \mathbb{Z}_q^m$, $\mathcal{M} = \{0,1\}^m$, as follows:

• $\mathsf{E}(\psi, \mu)$ takes as input a vector $\psi \in \mathbb{Z}_q^m$ and a bit string $\mu \in \mathcal{M}$ and outputs the encryption

    $\gamma := \psi + \lceil q/2 \rceil \mu \pmod q$

• $\mathsf{D}(\psi', \gamma)$ takes as input a vector $\psi' = (\psi'_1, \ldots, \psi'_m) \in \mathbb{Z}_q^m$, an encryption $\gamma = (\gamma_1, \ldots, \gamma_m) \in \mathbb{Z}_q^m$ and does the following. Define a function $\mathsf{Round}(x)$ where $x \in [-(q-1)/2, \ldots, (q-1)/2]$ as:

    $\mathsf{Round}(x) = \begin{cases} 0 & \text{if } |x| < q/4 \\ 1 & \text{otherwise} \end{cases}$

  The decryption algorithm outputs a vector $\mu = (\mathsf{Round}(\gamma_1 - \psi'_1), \ldots, \mathsf{Round}(\gamma_m - \psi'_m))$. We defer the analysis of (E, D) to the full version.
5.1 Analysis

Correctness. We define the sets $\Psi_{A,s,j}$ for $\mathsf{pk} := A \in \mathbb{Z}_q^{n \times m}$, $s \in \mathbb{Z}_q^n$ and $j \in \{0, 1, \ldots, d_{\max}\}$ as follows:

$\Psi_{A,s,j} = \{ A^{\top} s + e : \|e\|_\infty \le B \cdot (2sm\sqrt{m})^j \}$

Given this definition:

• Observe that when $e \leftarrow \chi^m$, $\|e\|_\infty \le B$ by the definition of $\chi$ and $B$. Hence $\Pr[\mathsf{Encode}(A, s) \in \Psi_{A,s,0}] = 1$.

• $\Psi_{A,s,0} \subseteq \Psi_{A,s,1} \subseteq \cdots \subseteq \Psi_{A,s,d_{\max}}$, by definition of the sets above.

• For any two encodings $\psi = A^{\top} s + e,\ \psi' = A^{\top} s + e' \in \Psi_{A,s,d_{\max}}$,

  $\|\psi - \psi'\|_\infty = \|e - e'\|_\infty \le 2 \cdot B \cdot (2sm\sqrt{m})^{d_{\max}} < q/4,$

  which holds as long as $n \cdot O(n^2 \log q)^{d_{\max}} < q/4$. Thus, $\psi$ and $\psi'$ are "close", and by the correctness property of the symmetric encryption scheme (E, D) described above, $\mathsf{D}(\psi', \mathsf{E}(\psi, \mu)) = \mu$ for any $\mu \in \{0,1\}^m$.

• Consider two encodings $\psi_0 \in \Psi_{A_0,s,j_0}$ and $\psi_1 \in \Psi_{A_1,s,j_1}$ for any $j_0, j_1 \in \mathbb{N}$, any $A_0, A_1 \in \mathbb{Z}_q^{n \times m}$ and $s \in \mathbb{Z}_q^n$. Then, $\psi_0 = A_0^{\top} s + e_0$ and $\psi_1 = A_1^{\top} s + e_1$ where $\|e_0\|_\infty \le B \cdot (2sm\sqrt{m})^{j_0}$ and $\|e_1\|_\infty \le B \cdot (2sm\sqrt{m})^{j_1}$.

  Then, the recoded ciphertext $\psi_{\mathsf{tgt}}$ is computed as follows:

  $\psi_{\mathsf{tgt}}^{\top} = [\psi_0^{\top} \,\|\, \psi_1^{\top}]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1} = [s^{\top} A_0 + e_0^{\top} \,\|\, s^{\top} A_1 + e_1^{\top}]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1} = s^{\top} [A_0 \,\|\, A_1]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1} + [e_0^{\top} \,\|\, e_1^{\top}]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1} = s^{\top} A_{\mathsf{tgt}} + e_{\mathsf{tgt}}^{\top}$

  where the last equation is because $A_{\mathsf{tgt}} = [A_0 \,\|\, A_1]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1}$ and we define $e_{\mathsf{tgt}}^{\top} := [e_0^{\top} \,\|\, e_1^{\top}]\, \mathsf{rk}^{\mathsf{tgt}}_{0,1}$. Thus,

  $\|e_{\mathsf{tgt}}\|_\infty \le m \cdot \|\mathsf{rk}^{\mathsf{tgt}}_{0,1}\|_\infty \cdot (\|e_0\|_\infty + \|e_1\|_\infty) \le m \cdot s\sqrt{m} \cdot \big(B \cdot (2sm\sqrt{m})^{j_0} + B \cdot (2sm\sqrt{m})^{j_1}\big) \le B \cdot (2sm\sqrt{m})^{\max(j_0,j_1)+1}$

  exactly as required. Here, the second inequality is because $\|\mathsf{rk}^{\mathsf{tgt}}_{0,1}\|_\infty \le s\sqrt{m}$ by Lemma 3.1. This finishes our proof of correctness.


Key Indistinguishability. Recall that in ReKeyGen, we are sampling $(R_0, R_1)$ satisfying $A_0 R_0 + A_1 R_1 = A_{\mathsf{tgt}}$. Key indistinguishability basically says that we obtain the same distribution whether we use a trapdoor for $A_0$ or that for $A_1$. Indeed, this follows directly from the following statement in [CHKP12, GPV08] (see also [CHK09, Theorem 3.4]): for every $(A_0, T_0), (A_1, T_1)$ generated by $\mathsf{TrapSamp}(1^n, 1^m, q)$, every matrix $V \in \mathbb{Z}_q^{n \times m}$, and any $s = \Omega(\sqrt{n \log q})$, the following two experiments generate distributions with $\mathrm{negl}(n)$ statistical distance:

• Sample $R_0 \leftarrow (D_{\mathbb{Z}^m,s})^m$, compute $U := V - A_0 R_0 \in \mathbb{Z}_q^{n \times m}$ and $R_1 \leftarrow \mathsf{SampleD}(A_1, T_1, U, s)$. Output $(R_0, R_1)$.

• Sample $R_1 \leftarrow (D_{\mathbb{Z}^m,s})^m$, compute $U := V - A_1 R_1 \in \mathbb{Z}_q^{n \times m}$ and $R_0 \leftarrow \mathsf{SampleD}(A_0, T_0, U, s)$. Output $(R_0, R_1)$.

The recoding simulation property follows readily from Lemma 3.1, as is done in [CHKP12]. Correlated pseudorandomness follows directly from the decisional LWE assumption $\mathsf{dLWE}_{n,(\ell+1) \cdot m,q,\chi}$ where

$q = n^{\Theta(d_{\max})}$

6  Attribute-Based  Encryption  for  Circuits 

In this section, we show how to construct attribute-based encryption for circuits from any TOR scheme. Let TOR be the scheme consisting of algorithms (Params, Keygen, Encode) with the "two-to-one" recoding mechanism (Recode, ReKeyGen, SimReKeyGen) with input space $\mathcal{S}$. For every $d_{\max}$, let $d_{\max}$-TOR denote a secure "two-to-one" recoding scheme that is correct for $d_{\max}$ recoding levels.

Theorem 6.1. For every $\ell$ and polynomial $d_{\max} = d_{\max}(\lambda)$, let $\mathcal{C}_{\ell,d_{\max}}$ denote a family of polynomial-size circuits of depth at most $d_{\max}$ that take $\ell$ bits of input. Assuming the existence of a $d_{\max}$-TOR scheme, there exists a selectively secure attribute-based encryption scheme $\mathcal{ABE}$ for $\mathcal{C}_{\ell,d_{\max}}$.

Combining Theorem 6.1 and Lemma 5.1, we obtain a selectively secure attribute-based encryption scheme from LWE. Furthermore, invoking an argument from [BB04, Theorem 7.1] and using subexponential hardness of LWE, we obtain a fully secure scheme:

Corollary 6.2. For all $\ell$ and polynomial $d_{\max} = d_{\max}(\ell)$, there exists a selectively secure attribute-based encryption scheme $\mathcal{ABE}$ for any family of polynomial-size circuits with $\ell$ inputs and depth at most $d_{\max}$, assuming the hardness of $\mathsf{dLWE}_{n,q,\chi}$ for sufficiently large $n = \mathrm{poly}(\lambda, d_{\max})$, $q = n^{O(d_{\max})}$ and some $\mathrm{poly}(n)$-bounded error distribution $\chi$.

Moreover, assuming $2^{O(\ell)}$-hardness of $\mathsf{dLWE}_{n,q,\chi}$ for parameters $n = \mathrm{poly}(\lambda, d_{\max}, \ell)$, and $q$ and $\chi$ as above, the attribute-based encryption scheme $\mathcal{ABE}$ is fully secure.

The reader is referred to the text after the construction for further explanation of how to choose the LWE parameters.

Observe that if we start with a TOR scheme that supports $d_{\max} = \lambda^{\omega(1)}$, then our construction immediately yields an attribute-based encryption scheme for arbitrary polynomial-size circuit families (without any restriction on the depth). This can be achieved if, for example, we had an LWE-based TOR scheme where $q$ grows polynomially instead of exponentially in $d_{\max}$, as in our LWE-based weak TOR.

We now prove Theorem 6.1.

Circuit Representation. Let $\mathcal{C}_\lambda$ be a collection of circuits each having $\ell = \ell(\lambda)$ input wires and one output wire. Define a collection $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$. For each $C \in \mathcal{C}_\lambda$, we index the wires of $C$ in the following way. The input wires are indexed $1$ to $\ell$, the internal wires have indices $\ell+1, \ell+2, \ldots, |C|-1$ and the output wire has index $|C|$, which also denotes the size of the circuit. We assume that the circuit is composed of arbitrary two-to-one gates. Each gate $g$ is indexed as a tuple $(u, v, w)$ where $u$ and $v$ are the incoming wire indices, and $w > \max\{u, v\}$ is the outgoing wire index. The gate computes the function $g_w : \{0,1\} \times \{0,1\} \to \{0,1\}$. The "fan-out wires" in the circuit are given a single number. That is, if the outgoing wire of a gate feeds into the input of multiple gates, then all these wires are indexed the same. (See e.g. [BHR12, Fig 4].)


6.1  Construction  from  TOR 

The ABE scheme $\mathcal{ABE}$ = (Setup, Enc, KeyGen, Dec) is defined as follows.

Setup($1^\lambda$, $1^\ell$, $d_{\max}$): For each of the $\ell$ input wires, generate two public/secret key pairs. Also, generate an additional public/secret key pair:

$(\mathsf{pk}_{i,b}, \mathsf{sk}_{i,b}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ for $i \in [\ell],\ b \in \{0,1\}$
$(\mathsf{pk}_{\mathsf{out}}, \mathsf{sk}_{\mathsf{out}}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$

Output

$\mathsf{mpk} := \begin{pmatrix} \mathsf{pk}_{1,0} & \mathsf{pk}_{2,0} & \cdots & \mathsf{pk}_{\ell,0} & \\ \mathsf{pk}_{1,1} & \mathsf{pk}_{2,1} & \cdots & \mathsf{pk}_{\ell,1} & \mathsf{pk}_{\mathsf{out}} \end{pmatrix}, \qquad \mathsf{msk} := \begin{pmatrix} \mathsf{sk}_{1,0} & \mathsf{sk}_{2,0} & \cdots & \mathsf{sk}_{\ell,0} \\ \mathsf{sk}_{1,1} & \mathsf{sk}_{2,1} & \cdots & \mathsf{sk}_{\ell,1} \end{pmatrix}$

Enc(mpk, ind, $m$): For $\mathsf{ind} \in \{0,1\}^\ell$, choose a uniformly random $s \leftarrow \mathcal{S}$ and encode it under the public keys specified by the index bits:

$\psi_i \leftarrow \mathsf{Encode}(\mathsf{pk}_{i,\mathsf{ind}_i}, s)$ for all $i \in [\ell]$

Encrypt the message $m$:

$\tau \leftarrow \mathsf{E}(\mathsf{Encode}(\mathsf{pk}_{\mathsf{out}}, s), m)$

Output the ciphertext

$\mathsf{ct}_{\mathsf{ind}} := (\psi_1, \psi_2, \ldots, \psi_\ell, \tau)$

KeyGen(msk, $C$):

1. For every non-input wire $w = \ell+1, \ldots, |C|$ of the circuit $C$, and every $b \in \{0,1\}$, generate public/secret key pairs:

$(\mathsf{pk}_{w,b}, \mathsf{sk}_{w,b}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ if $w < |C|$ or $b = 0$

and set $\mathsf{pk}_{|C|,1} := \mathsf{pk}_{\mathsf{out}}$.

2. For the gate $g = (u, v, w)$ with outgoing wire $w$, compute the four recoding keys $\mathsf{rk}^w_{b,c}$ (for $b, c \in \{0,1\}$):

$\mathsf{rk}^w_{b,c} \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_{u,b}, \mathsf{pk}_{v,c}, \mathsf{sk}_{u,b}, \mathsf{pk}_{w,g_w(b,c)})$

Output the secret key which is a collection of $4(|C| - \ell)$ recoding keys

$\mathsf{sk}_C := (\mathsf{rk}^w_{b,c} : w \in [\ell+1, |C|],\ b, c \in \{0,1\})$

Dec($\mathsf{sk}_C$, $\mathsf{ct}_{\mathsf{ind}}$): We tacitly assume that $\mathsf{ct}_{\mathsf{ind}}$ contains the index ind. For $w = \ell+1, \ldots, |C|$, let $g = (u, v, w)$ denote the gate with outgoing wire $w$. Suppose wires $u$ and $v$ carry the values $b^*$ and $c^*$, so that wire $w$ carries the value $d^* := g_w(b^*, c^*)$. Compute

$\psi_{w,d^*} \leftarrow \mathsf{Recode}(\mathsf{rk}^w_{b^*,c^*}, \psi_{u,b^*}, \psi_{v,c^*})$

If $C(\mathsf{ind}) = 1$, then we would have computed $\psi_{|C|,1}$. Output the message

$m \leftarrow \mathsf{D}(\psi_{|C|,1}, \tau)$

If $C(\mathsf{ind}) = 0$, output $\bot$.

LWE Parameters. Fix $\ell = \ell(\lambda)$ and $d_{\max} = d_{\max}(\ell)$, and suppose the $\mathsf{dLWE}_{n,m,q,\chi}$ assumption holds for $q = 2^{n^\epsilon}$ for some $0 < \epsilon < 1$. Then, in our LWE-based TOR, we will set:

$n = O(d_{\max})$ and $q = n^{O(d_{\max})}$

By Corollary 6.2, we get security under $2^{n^\epsilon}$-LWE.

6.2  Correctness 

Lemma 6.3 (correctness). Let $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$ be a family where each $\mathcal{C}_\lambda$ is a finite collection of polynomial-size circuits each of depth at most $d_{\max}$. Let TOR be a correct "two-to-one" recoding scheme for $d_{\max}$ levels. Then, the construction presented above is a correct attribute-based encryption scheme.

Proof. Fix a circuit $C$ of depth at most $d_{\max}$ and an input ind such that $C(\mathsf{ind}) = 1$. Informally, we rely on recoding correctness for $d_{\max}$ recodings to show that for $w = 1, \ldots, |C|$, we have

$\psi_{w,d^*} = \mathsf{Encode}(\mathsf{pk}_{w,d^*}, s),$

where $d^*$ is the value carried by the wire $w$ and $\psi_{w,d^*}$ is computed as in Dec. Formally, we proceed via induction on $w$ to show that

$\psi_{w,d^*} \in \Psi_{\mathsf{pk}_{w,d^*},s,j}$

where $j$ is the depth of wire $w$. The base case $w = 1$ follows immediately from correctness of Encode. For the inductive step, consider a wire $w$ at depth $j$ for some gate $g = (u, v, w)$ where $u, v < w$. By the induction hypothesis,

$\psi_{u,b^*} \in \Psi_{\mathsf{pk}_{u,b^*},s,j_0}, \qquad \psi_{v,c^*} \in \Psi_{\mathsf{pk}_{v,c^*},s,j_1}$

where $j_0, j_1 < j$ denote the depths of wires $u$ and $v$ respectively. It follows immediately from the correctness of Recode that

$\psi_{w,d^*} \in \Psi_{\mathsf{pk}_{w,d^*},s,\max(j_0,j_1)+1} \subseteq \Psi_{\mathsf{pk}_{w,d^*},s,j}$

which completes the inductive proof. Since $C(\mathsf{ind}) = 1$ and $\mathsf{pk}_{|C|,1} = \mathsf{pk}_{\mathsf{out}}$, we have $\psi_{|C|,1} \in \Psi_{\mathsf{pk}_{\mathsf{out}},s,d_{\max}}$. Finally, by the correctness of (E, D), $\mathsf{D}(\psi_{|C|,1}, \tau) = m$. □
6.3 Security

Lemma 6.4 (selective security). For any adversary $\mathcal{A}$ against selective security of the attribute-based encryption scheme, there exists an adversary $\mathcal{B}$ against correlated pseudorandomness of TOR whose running time is essentially the same as that of $\mathcal{A}$, such that

$\mathsf{Adv}^{\mathsf{ABE}}_{\mathcal{A}}(\lambda) \le \mathsf{Adv}^{\mathsf{CP}}_{\mathcal{B}}(\lambda) + \mathrm{negl}(\lambda)$

where $\mathrm{negl}(\lambda)$ captures the statistical security terms in TOR.

We begin by describing alternative algorithms, which will be useful later for constructing the adversary $\mathcal{B}$ for the correlated pseudorandomness security game.

Alternative algorithms. Fix the selective challenge ind. We get from the "outside" the challenge $\mathsf{pp}, (\mathsf{pk}_i, \psi_i)_{i \in [\ell+1]}$ for correlated pseudorandomness. The main challenge is to design an alternative algorithm KeyGen* for answering secret key queries without knowing $\mathsf{sk}_{1,\mathsf{ind}_1}, \ldots, \mathsf{sk}_{\ell,\mathsf{ind}_\ell}$ or $\mathsf{sk}_{\mathsf{out}}$. The algorithm KeyGen* will maintain the following invariant: on input $C$ with $C(\mathsf{ind}) = 0$,

• for every non-output wire $w = 1, \ldots, |C|-1$ carrying the value $b^*$, we will know $\mathsf{sk}_{w,1-b^*}$ but not $\mathsf{sk}_{w,b^*}$.

Moreover, we do not know $\mathsf{sk}_{|C|,0}$ or $\mathsf{sk}_{|C|,1} = \mathsf{sk}_{\mathsf{out}}$.
Setup*(ind, $1^\lambda$, $1^\ell$, $d_{\max}$): Let

$(\mathsf{pk}_{i,1-\mathsf{ind}_i}, \mathsf{sk}_{i,1-\mathsf{ind}_i}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$ for $i \in [\ell]$;
$\mathsf{pk}_{\mathsf{out}} := \mathsf{pk}_{\ell+1}$;
$\mathsf{pk}_{i,\mathsf{ind}_i} := \mathsf{pk}_i$ for $i \in [\ell]$

Output

$\mathsf{mpk} := \begin{pmatrix} \mathsf{pk}_{1,0} & \mathsf{pk}_{2,0} & \cdots & \mathsf{pk}_{\ell,0} & \\ \mathsf{pk}_{1,1} & \mathsf{pk}_{2,1} & \cdots & \mathsf{pk}_{\ell,1} & \mathsf{pk}_{\mathsf{out}} \end{pmatrix}$

Enc*(mpk, ind, $m$): Set $\tau \leftarrow \mathsf{E}(\psi_{\ell+1}, m)$ and output the ciphertext

$\mathsf{ct}_{\mathsf{ind}} = (\psi_1, \psi_2, \ldots, \psi_\ell, \tau)$

where $\psi_1, \ldots, \psi_{\ell+1}$ are provided in the challenge.

KeyGen*(ind, msk, $C$): where $C(\mathsf{ind}) = 0$,

1. For each internal wire $w \in [\ell+1, |C|-1]$ of the circuit $C$ carrying the value $b^*$ for input ind, generate public/secret key pairs:

$(\mathsf{pk}_{w,1-b^*}, \mathsf{sk}_{w,1-b^*}) \leftarrow \mathsf{Keygen}(\mathsf{pp})$

We will generate $\mathsf{pk}_{w,b^*}$ using SimReKeyGen as described next.
2. For $w = \ell+1, \ldots, |C|$, let $g = (u, v, w)$ denote the gate for which $w$ is the outgoing wire. Suppose wires $u$ and $v$ carry the values $b^*$ and $c^*$, so that wire $w$ carries the value $d^* := g_w(b^*, c^*)$. By the invariant above, we know $\mathsf{sk}_{u,1-b^*}$ and $\mathsf{sk}_{v,1-c^*}$ but not $\mathsf{sk}_{u,b^*}$ and $\mathsf{sk}_{v,c^*}$. We start by generating

$(\mathsf{pk}_{w,d^*}, \mathsf{rk}^w_{b^*,c^*}) \leftarrow \mathsf{SimReKeyGen}(\mathsf{pk}_{u,b^*}, \mathsf{pk}_{v,c^*})$

We generate the other three recoding keys using ReKeyGen as follows:

$\mathsf{rk}^w_{1-b^*,c^*} \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_{u,1-b^*}, \mathsf{pk}_{v,c^*}, \mathsf{sk}_{u,1-b^*}, \mathsf{pk}_{w,g_w(1-b^*,c^*)})$
$\mathsf{rk}^w_{b^*,1-c^*} \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_{v,1-c^*}, \mathsf{pk}_{u,b^*}, \mathsf{sk}_{v,1-c^*}, \mathsf{pk}_{w,g_w(b^*,1-c^*)})$
$\mathsf{rk}^w_{1-b^*,1-c^*} \leftarrow \mathsf{ReKeyGen}(\mathsf{pk}_{u,1-b^*}, \mathsf{pk}_{v,1-c^*}, \mathsf{sk}_{u,1-b^*}, \mathsf{pk}_{w,g_w(1-b^*,1-c^*)})$

Note that $\mathsf{rk}^w_{1-b^*,c^*}, \mathsf{rk}^w_{1-b^*,1-c^*}$ are generated the same way in both KeyGen and KeyGen* using $\mathsf{sk}_{u,1-b^*}$.

Output the secret key

$\mathsf{sk}_C := (\mathsf{rk}^w_{b,c} : w \in [\ell+1, |C|],\ b, c \in \{0,1\})$

Informally, the recoding key $\mathsf{rk}^w_{b^*,1-c^*}$ looks the same as in KeyGen because of key indistinguishability, and $\mathsf{rk}^w_{b^*,c^*}$ (together with the simulated $\mathsf{pk}_{w,d^*}$) looks the same as in KeyGen because of the recoding simulation property.

Game sequence. Next, consider the following sequence of games. We use $\mathsf{Adv}_0, \mathsf{Adv}_1, \ldots$ to denote the advantage of the adversary $\mathcal{A}$ in Games 0, 1, etc. Game 0 is the real experiment.

Game $i$ for $i = 1, 2, \ldots, q$. As in Game 0, except the challenger answers the first $i-1$ key queries using KeyGen* and the remaining $q-i$ key queries using KeyGen. For the $i$'th key query $C_i$, we consider sub-Games $i.w$ as follows:

Game $i.w$, for $w = \ell+1, \ldots, |C_i|$. The challenger switches $(\mathsf{rk}^w_{b,c} : b, c \in \{0,1\})$ from KeyGen to KeyGen*. More precisely:

• First, we switch $(\mathsf{pk}_{w,d^*}, \mathsf{rk}^w_{b^*,c^*})$ from KeyGen to KeyGen*. This relies on recoding simulation.

• Next, we switch $\mathsf{rk}^w_{b^*,1-c^*}$ from KeyGen to KeyGen*. This relies on key indistinguishability, w.r.t. $\mathsf{sk}_{b^*}$ and $\mathsf{sk}_{1-c^*}$.

• The other two keys $\mathsf{rk}^w_{1-b^*,c^*}, \mathsf{rk}^w_{1-b^*,1-c^*}$ are generated the same way in both KeyGen and KeyGen*.

By key indistinguishability and recoding simulation, we have

$|\mathsf{Adv}_{i.w} - \mathsf{Adv}_{i.(w+1)}| \le \mathrm{negl}(\lambda)$ for all $i, w$

Note that in Game $q$, the challenger runs Setup* and answers all key queries using KeyGen* with the selective challenge ind and generates the challenge ciphertext using Enc.

Game $q+1$. Same as Game $q$, except the challenger generates the challenge ciphertext using Enc* with $\psi_{\ell+1} = \mathsf{Encode}(\mathsf{pk}_{\ell+1}, s)$. Clearly,

$\mathsf{Adv}_{q+1} = \mathsf{Adv}_q$

Game $q+2$. Same as Game $q+1$, except $\psi_{\ell+1} \leftarrow \mathcal{K}$. It is straightforward to construct an adversary $\mathcal{B}$ such that

$|\mathsf{Adv}_{q+1} - \mathsf{Adv}_{q+2}| \le \mathsf{Adv}^{\mathsf{CP}}_{\mathcal{B}}(\lambda)$

Finally, $\mathsf{Adv}_{q+2} \le \mathrm{negl}(\lambda)$ by the one-time semantic security of (E, D). The lemma then follows readily.

7  Attribute-Based  Encryption  for  Branching  Programs 

In this section, we present weak TOR and attribute-based encryption for branching programs, which capture the complexity class log-space. As noted in Section 2.2, we exploit the fact that in branching programs, the transition function depends on an input variable and the current state; this means that one of the two input encodings during recoding is always a "depth 0" encoding.

Branching programs. Recall that a branching program $\Gamma$ is a directed acyclic graph in which every nonterminal node has exactly two outgoing edges labeled $(i, 0)$ and $(i, 1)$ for some $i \in [\ell]$. Moreover, there is a distinguished terminal accept node. Every input $x \in \{0,1\}^\ell$ naturally induces a subgraph $\Gamma_x$ containing exactly those edges labeled $(i, x_i)$. We say that $\Gamma$ accepts $x$ iff there is a path from the start node to the accept node in $\Gamma_x$. At the cost of possibly doubling the number of edges and vertices, we may assume that there is at most one edge connecting any two nodes in $\Gamma$.

7.1  Weak  TOR 

A weak "two-to-one" encoding (wTOR) scheme consists of the same algorithms as TOR, except that Keygen(pp, $j$) takes an additional input $j \in \{0,1\}$. That is, Keygen may produce a different distribution of public/secret key pairs depending on $j$. Moreover, in ReKeyGen, the first public key is always generated using Keygen(pp, 0) and the second using Keygen(pp, 1); similarly, in Recode, the first encoding is always generated with respect to a public key from Keygen(pp, 0) and the second from Keygen(pp, 1). Similarly, the correctness and statistical security properties are relaxed.

Correctness. First, for every pk and $s \in \mathcal{S}$, there exists a family of sets $\Psi_{\mathsf{pk},s,j}$, $j = 0, 1, \ldots, d_{\max}$:

• $\Psi_{\mathsf{pk},s,1} \subseteq \cdots \subseteq \Psi_{\mathsf{pk},s,d_{\max}}$;

• for all $\psi, \psi' \in \Psi_{\mathsf{pk},s,d_{\max}}$ and all $m \in \mathcal{M}$,

$\mathsf{D}(\psi', \mathsf{E}(\psi, m)) = m$

Secondly, the correctness of recoding requires that for any triple of key pairs $(\mathsf{pk}_0, \mathsf{sk}_0), (\mathsf{pk}_1, \mathsf{sk}_1), (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}})$ respectively in the support of Keygen(pp, 0), Keygen(pp, 1), Keygen(pp, 1) and any encodings $\psi_0 \in \mathsf{Encode}(\mathsf{pk}_0, s)$ and $\psi_1 \in \Psi_{\mathsf{pk}_1,s,j_1}$ where $0 \le j_1$,

$\mathsf{Recode}(\mathsf{rk}, \psi_0, \psi_1) \in \Psi_{\mathsf{pk}_{\mathsf{tgt}},s,j_1+1}$
Statistical Security Properties. We require recoding simulation as before, but not key indistinguishability. However, we require the following additional property:

(Back-tracking): For all $(\mathsf{pk}_0, \mathsf{sk}_0) \leftarrow \mathsf{Keygen}(\mathsf{pp}, 0)$ and all $(\mathsf{pk}_1, \mathsf{sk}_1), (\mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_{\mathsf{tgt}}) \leftarrow \mathsf{Keygen}(\mathsf{pp}, 1)$, the following distributions are identical:

$\mathsf{ReKeyGen}(\mathsf{pk}_0, \mathsf{pk}_1, \mathsf{sk}_0, \mathsf{pk}_{\mathsf{tgt}}) \equiv -\mathsf{ReKeyGen}(\mathsf{pk}_0, \mathsf{pk}_{\mathsf{tgt}}, \mathsf{sk}_0, \mathsf{pk}_1)$

Informally, this says that switching the order of $\mathsf{pk}_1$ and $\mathsf{pk}_{\mathsf{tgt}}$ as inputs to ReKeyGen is the same as switching the "sign" of the output. In our instantiations, the output of ReKeyGen lies in a group, so negating the output simply refers to applying the group inverse operation.

Remark 7.1. Due to the additional back-tracking property, it is not the case that a TOR implies a weak TOR. However, we are able to instantiate weak TOR under weaker and larger classes of assumptions than TOR.


Computational Security Property. We define the advantage function $\mathsf{Adv}^{\mathsf{CP}}_{\mathcal{A}}(\lambda)$ (modified to account for the additional input to Keygen) to be the absolute value of:

$\Pr\left[ b' = b :\ \begin{array}{l} \mathsf{pp} \leftarrow \mathsf{Setup}(1^\lambda);\ s \leftarrow \mathcal{S}; \\ (\mathsf{pk}_i, \mathsf{sk}_i) \leftarrow \mathsf{Keygen}(\mathsf{pp}, 0),\ \psi_i \leftarrow \mathsf{Encode}(\mathsf{pk}_i, s),\ i = 1, \ldots, \ell; \\ (\mathsf{pk}_{\ell+1}, \mathsf{sk}_{\ell+1}) \leftarrow \mathsf{Keygen}(\mathsf{pp}, 1);\ \psi^{*}_0 \leftarrow \mathsf{Encode}(\mathsf{pk}_{\ell+1}, s); \\ b \leftarrow \{0,1\};\ \psi^{*}_1 \leftarrow \mathcal{K}; \\ b' \leftarrow \mathcal{A}(\mathsf{pk}_1, \ldots, \mathsf{pk}_{\ell+1}, \psi_1, \ldots, \psi_\ell, \psi^{*}_b) \end{array} \right] - \frac{1}{2}$

and we require that for all PPT $\mathcal{A}$, the advantage function $\mathsf{Adv}^{\mathsf{CP}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$.


7.2  Weak  TOR  from  LWE 

We provide an instantiation of weak TOR from LWE. The main advantage over our construction of TOR in Section 5 is that the dependency of $q$ on $d_{\max}$ is linear in $d_{\max}$ instead of exponential. Therefore, if $q$ is quasi-polynomial, we can handle any polynomial $d_{\max}$, as opposed to an a-priori bounded $d_{\max}$.

Lemma 7.1. Assuming $\mathsf{dLWE}_{n,(\ell+2)m,q,\chi}$ where $q = O(d_{\max} n^3 \log n)$, there is a weak TOR scheme that is correct up to $d_{\max}$ levels.

Note that the parameters here are better than in Lemma 5.1. The construction of weak TOR from learning with errors follows:

• Params($1^\lambda$, $d_{\max}$): First choose the LWE dimension $n = n(\lambda)$. Let the error distribution $\chi = \chi(n) = D_{\mathbb{Z}}$, the error bound $B = B(n) = O(n)$, the modulus $q = q(n) = d_{\max} \cdot O(n^3 \log n)$, the number of samples $m = m(n) = O(n \log q)$ and the Gaussian parameter $s = s(n) = O(\sqrt{n \log q})$. Output the global public parameters $\mathsf{pp} = (n, \chi, B, q, m, s)$. Define the domain $\mathcal{S}$ of the encoding scheme to be $\mathbb{Z}_q^n$.
• $\mathrm{Keygen}(pp, j)$: Run the trapdoor generation algorithm $\mathrm{TrapGen}(1^n, 1^m, q)$ to obtain a matrix $A \in \mathbb{Z}_q^{n \times m}$ together with the trapdoor $T$. Output

$$pk = A; \quad sk = T.$$

• $\mathrm{Encode}(A, s)$: Sample an error vector $e \leftarrow \chi^m$ and output the encoding $\psi := A^T s + e \in \mathbb{Z}_q^m$.

• $\mathrm{ReKeyGen}(A_0, A_1, A_{tgt}, T_0)$: Outputs a low-norm matrix $R$ such that $A_0 R = A_{tgt} - A_1$. In particular,

$$R \leftarrow \mathrm{SampleD}(A_0, T_0, A_{tgt} - A_1, s)$$

• $\mathrm{SimReKeyGen}(A_0, A_1)$: Sample a matrix $R \leftarrow (D_{\mathbb{Z},s})^{m \times m}$ by sampling each entry from the discrete Gaussian distribution $D_{\mathbb{Z},s}$. Output

$$rk := R, \quad A_{tgt} := A_0 R + A_1$$

• $\mathrm{Recode}(rk, \psi_0, \psi_1)$: Outputs $rk^T \psi_0 + \psi_1$.

Correctness. We define the sets $\Psi_{A,s,j}$ for $pk := A \in \mathbb{Z}_q^{n \times m}$, $s \in \mathbb{Z}_q^n$ and $j \in [1 \ldots d_{\max}]$ as follows:

$$\Psi_{A,s,j} = \{\, A^T s + e \;:\; \|e\|_\infty \le B \cdot j \cdot (s m \sqrt{m}) \,\}$$

The analysis is similar to that in the previous section. In particular, we observe right away that

• $\Psi_{A,s,1} \subseteq \Psi_{A,s,2} \subseteq \ldots \subseteq \Psi_{A,s,d_{\max}}$.

• For any two encodings $\psi, \psi' \in \Psi_{A,s,d_{\max}}$ and $\mu \in \{0,1\}^n$, $D(\psi', E(\psi, \mu)) = \mu$, as long as

$$B \cdot d_{\max} \cdot (s m \sqrt{m}) < q/4.$$

• Consider two encodings $\psi_0 := A_0^T s + e_0 \in \mathrm{Encode}(A_0, s)$ and $\psi_1 \in \Psi_{A_1,s,j_1}$, for any $j_1 \in \mathbb{N}$. Then,

$$\psi_0 = A_0^T s + e_0 \quad \text{and} \quad \psi_1 := A_1^T s + e_1 \quad \text{where } \|e_0\|_\infty \le B \text{ and } \|e_1\|_\infty \le j_1 \cdot B \cdot (s m \sqrt{m}).$$

The recoded ciphertext $\psi_{tgt}$ is computed as follows:

$$\begin{aligned} \psi_{tgt} &:= R^T \psi_0 + \psi_1 \\ &= R^T (A_0^T s + e_0) + (A_1^T s + e_1) \\ &= A_{tgt}^T s + e_{tgt} \end{aligned}$$

where the last equation is because $A_{tgt} = A_0 R + A_1$ and we define $e_{tgt} := R^T e_0 + e_1$. Thus,

$$\begin{aligned} \|e_{tgt}\|_\infty &\le m \cdot \|R\|_\infty \cdot \|e_0\|_\infty + \|e_1\|_\infty \\ &\le m \cdot s\sqrt{m} \cdot B + B \cdot j_1 \cdot (s m \sqrt{m}) \\ &= (j_1 + 1) \cdot B \cdot (s m \sqrt{m}) \end{aligned}$$

exactly as required. Here, the second inequality is because $\|R\|_\infty \le s\sqrt{m}$ by Lemma 3.1. This finishes our proof of correctness.
Security. Correlated pseudorandomness follows from $\mathrm{dLWE}_{n,(\ell+2)m,q,\chi}$ where $q = n \cdot d_{\max}$. Recoding simulation follows from Lemma 3.1 by an argument identical to the one for the construction of TOR in Section 5. For back-tracking, negation is simply the additive inverse over $\mathbb{Z}$.
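The following Python program is an added illustration of the LWE weak TOR above; it is not code from the report. It models Encode, SimReKeyGen and Recode with pure-Python matrix arithmetic at toy parameters (the values of $n$, $m$, $q$, $B$ and the entry range of $R$ are constructed choices, far below real sizes, and the entry range stands in for the Gaussian parameter $s$). It checks that the recoded encoding's error stays within the bound $m \cdot \|R\|_\infty \cdot \|e_0\|_\infty + \|e_1\|_\infty$ derived above, that a fresh encoding under $A_{tgt}$ decrypts it through a simple $(E, D)$ of the kind the correctness bullet assumes, and that negating $R$ gives a recoding key for the swapped pair $(A_0, A_{tgt}) \to A_1$, which is the back-tracking property. The honest ReKeyGen, which needs the trapdoor sampler SampleD, is deliberately not modelled.

```python
import random

N, M = 4, 16           # LWE dimension n and number of columns m (toy sizes, constructed)
Q = 2_147_483_647      # modulus q (the prime 2^31 - 1), a constructed toy parameter
B = 2                  # error bound: Encode draws errors from [-B, B]
S_R = 1                # stands in for the Gaussian parameter: entries of R lie in [-S_R, S_R]

def rand_matrix(rows, cols, lo, hi):
    return [[random.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]

def mat_vec_T(A, s):   # A^T s mod q for A in Z_q^{n x m}, s in Z_q^n
    return [sum(A[k][j] * s[k] for k in range(len(s))) % Q for j in range(len(A[0]))]

def mat_mul(A, R):     # A R mod q
    return [[sum(A[i][k] * R[k][j] for k in range(len(R))) % Q
             for j in range(len(R[0]))] for i in range(len(A))]

def mat_add(A, C):     # (A + C) mod q, entrywise
    return [[(a + c) % Q for a, c in zip(ra, rc)] for ra, rc in zip(A, C)]

def negate(R):
    return [[-r for r in row] for row in R]

def centered(x):       # representative of x mod q in (-q/2, q/2]
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen():          # public key only: the trapdoor T of TrapGen is not modelled here
    return rand_matrix(N, M, 0, Q - 1)

def encode(A, s):      # psi := A^T s + e with e <- [-B, B]^m
    return [(a + random.randint(-B, B)) % Q for a in mat_vec_T(A, s)]

def sim_rekeygen(A0, A1):   # R with small entries; A_tgt := A0 R + A1
    R = rand_matrix(M, M, -S_R, S_R)
    return R, mat_add(mat_mul(A0, R), A1)

def recode(R, psi0, psi1):  # R^T psi0 + psi1
    return [(sum(R[k][j] * psi0[k] for k in range(M)) + psi1[j]) % Q for j in range(M)]

def noise(A, s, psi):  # ||psi - A^T s||_inf, measured on centered residues
    return max(abs(centered(p - a)) for p, a in zip(psi, mat_vec_T(A, s)))

def E(psi, mu):        # one-time encryption of mu in {0,1}^m: shift each bit by floor(q/2)
    return [(p + b * (Q // 2)) % Q for p, b in zip(psi, mu)]

def D(psi, c):         # a bit is 1 iff the difference is closer to q/2 than to 0
    return [1 if Q // 4 < (x - p) % Q < 3 * Q // 4 else 0 for p, x in zip(psi, c)]

def demo():
    """Returns (noise within bound, decryption correct, back-tracking holds)."""
    s = [random.randrange(Q) for _ in range(N)]
    A0, A1 = keygen(), keygen()
    R, Atgt = sim_rekeygen(A0, A1)
    psi_tgt = recode(R, encode(A0, s), encode(A1, s))
    bound = M * S_R * B + B         # m * ||R||_inf * ||e0||_inf + ||e1||_inf
    mu = [random.randint(0, 1) for _ in range(M)]
    decrypts = D(psi_tgt, E(encode(Atgt, s), mu)) == mu
    # back-tracking: -R is a recoding key from (A0, Atgt) to A1, i.e. A0 (-R) = A1 - Atgt,
    # so recoding a fresh A0-encoding with an Atgt-encoding under -R lands in Psi_{A1,s,*}
    identity = mat_mul(A0, negate(R)) == mat_add(A1, negate(Atgt))
    psi_back = recode(negate(R), encode(A0, s), encode(Atgt, s))
    backtracks = identity and noise(A1, s, psi_back) <= bound
    return noise(Atgt, s, psi_tgt) <= bound, decrypts, backtracks

if __name__ == "__main__":
    print(demo())
```

With these toy numbers the error after one recoding is at most 34 while $q/4$ is about $5 \cdot 10^8$, so the decryption condition $B \cdot d_{\max} \cdot (s m \sqrt{m}) < q/4$ holds with an enormous margin; shrinking `Q` to a few hundred makes `demo()` start returning `False` in its second component, which is the failure mode the correctness bullet guards against.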

7.3 Weak TOR from Bilinear Maps

We use asymmetric groups for maximal generality and for conceptual clarity. We consider cyclic groups $G_1, G_2, G_T$ of prime order $q$ and a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$. We require that the group operations in $G_1$, $G_2$ and $G_T$ as well as the bilinear map $e$ are computable in deterministic polynomial time with respect to $\lambda$. Let $g_1, g_2$ denote random generators of $G_1, G_2$ respectively. The DBDH Assumption says that, given $g_1, g_2, g_1^a, g_2^a, g_2^b$ and $g_1^s$, the element $e(g_1, g_2)^{abs}$ is pseudorandom.

• $\mathrm{Params}(1^\lambda, d_{\max})$: Outputs $pp := (g_1, g_2, g_1^a, g_2^a)$.

• $\mathrm{Keygen}(pp, j)$:

  – If $j = 0$, then samples $t \leftarrow \mathbb{Z}_q$ and outputs

  $$(pk, sk) := \big((g_1^{1/t}, g_2^{1/t}),\; t\big)$$

  – If $j \ge 1$, output $pk \leftarrow G_2$.

• $\mathrm{Encode}(pk, s)$:

  – If $pk = (g_1^{1/t}, g_2^{1/t}) \in G_1 \times G_2$, output $(g_1^{a/t})^s$.

  – If $pk \in G_2$, output $e(g_1^a, pk)^s$.

• $\mathrm{Recode}(rk, c_0, c_1)$: Outputs $e(c_0, rk) \cdot c_1$.

• $\mathrm{ReKeyGen}((g_1^{1/t}, g_2^{1/t}), pk_1, pk_{tgt}, t)$: Outputs $rk := (pk_{tgt} \cdot pk_1^{-1})^t \in G_2$.

• $\mathrm{SimReKeyGen}((g_1^{1/t}, g_2^{1/t}), pk_1)$: Picks $z \leftarrow \mathbb{Z}_q$ and outputs

$$rk := g_2^{z}, \quad pk_{tgt} := pk_1 \cdot (g_2^{1/t})^{z}$$

Correctness. Define $\Psi_{pk,s,j} := \{\mathrm{Encode}(pk, s)\}$. For recoding, observe that:

$$\begin{aligned} &\mathrm{Recode}\big((pk_{tgt} \cdot pk_1^{-1})^t,\; g_1^{as/t},\; e(g_1^a, pk_1)^s\big) \\ &= e\big(g_1^{as/t}, (pk_{tgt} \cdot pk_1^{-1})^t\big) \cdot e(g_1^a, pk_1)^s \\ &= e\big(g_1, pk_{tgt} \cdot pk_1^{-1}\big)^{as} \cdot e(g_1^a, pk_1)^s \\ &= e(g_1^a, pk_{tgt})^s = \mathrm{Encode}(pk_{tgt}, s) \end{aligned}$$

For back-tracking, negation is simply the multiplicative inverse over $G_2$.

Security. Correlated pseudorandomness follows readily from the DBDH assumption and its random self-reducibility.


7.4 Attribute-Based Encryption from weak TOR

$\mathrm{Setup}(1^\lambda, 1^\ell, d_{\max})$: For each one of the $\ell$ input bits, generate two public/secret key pairs. Also, generate a public/secret key pair for the start and accept states:

$$(pk_{i,b}, sk_{i,b}) \leftarrow \mathrm{Keygen}(pp, 0) \quad \text{for } i \in [\ell],\; b \in \{0,1\}$$
$$(pk_{start}, sk_{start}) \leftarrow \mathrm{Keygen}(pp, 1)$$
$$(pk_{accept}, sk_{accept}) \leftarrow \mathrm{Keygen}(pp, 1)$$

Output

$$mpk := \begin{pmatrix} pk_{1,0} & pk_{2,0} & \cdots & pk_{\ell,0} & pk_{start} \\ pk_{1,1} & pk_{2,1} & \cdots & pk_{\ell,1} & pk_{accept} \end{pmatrix}, \quad msk := \begin{pmatrix} sk_{1,0} & sk_{2,0} & \cdots & sk_{\ell,0} & sk_{start} \\ sk_{1,1} & sk_{2,1} & \cdots & sk_{\ell,1} & sk_{accept} \end{pmatrix}$$

$\mathrm{Enc}(mpk, ind, m)$: For $ind \in \{0,1\}^\ell$, choose a uniformly random $s \leftarrow S$ and encode it under the public keys specified by the index bits and the start state:

$$\psi_i \leftarrow \mathrm{Encode}(pk_{i,ind_i}, s) \quad \text{for all } i \in [\ell]$$
$$\psi_{start} \leftarrow \mathrm{Encode}(pk_{start}, s)$$

Encrypt the message:

$$\tau \leftarrow E(\mathrm{Encode}(pk_{accept}, s), m)$$

Output the ciphertext:

$$ct_{ind} = (\psi_1, \psi_2, \ldots, \psi_\ell, \psi_{start}, \tau)$$

$\mathrm{KeyGen}(msk, \Gamma)$: $\Gamma : \{0,1\}^\ell \to \{0,1\}$ is a branching program that takes an $\ell$-bit input and outputs a single bit.

• For every node $u$, except the start and accept nodes, sample a public/secret key pair:

$$(pk_u, sk_u) \leftarrow \mathrm{Keygen}(pp, 1)$$

• For every edge $(u, v)$ labeled $(i, b)$ in $\Gamma$, sample a recoding key $rk_{u,v}$ as follows:

$$rk_{u,v} \leftarrow \mathrm{ReKeyGen}(pk_{i,b}, pk_u, sk_{i,b}, pk_v)$$

The secret key $sk_\Gamma$ is the collection of all the recoding keys $rk_{u,v}$ for every edge $(u, v)$ in $\Gamma$.

$\mathrm{Dec}(sk_\Gamma, ct_{ind})$: Suppose $\Gamma(ind) = 1$; output $\perp$ otherwise. Let $\Pi$ denote the (directed) path from the start node to the accept node in $\Gamma_{ind}$. For every edge $(u, v)$ labeled $(i, ind_i)$ in $\Pi$, apply the recoding algorithm on the two encodings and the recoding key $rk_{u,v}$:

$$\psi_v \leftarrow \mathrm{Recode}(rk_{u,v}, \psi_i, \psi_u)$$

If $\Gamma(ind) = 1$, we obtain $\psi_{accept}$. Decrypt and output the message:

$$m \leftarrow D(\psi_{accept}, \tau)$$
7.4.1 Correctness

Lemma 7.2 (correctness). Let $\mathcal{G} = \{\Gamma_\lambda\}$ be a collection of polynomial-size branching programs of depth at most $d_{\max}$ and let wTOR be a weak "two-to-one" recoding scheme for $d_{\max}$ levels. Then, the construction presented above is a correct attribute-based encryption scheme for $\mathcal{G}$.

Proof. Let $\Pi$ denote the directed path from the start to the accept nodes in $\Gamma_{ind}$. We show via induction on nodes $v$ along the path $\Pi$ that

$$\psi_v \in \Psi_{pk_v, s, j}$$

where $j$ is the depth of node $v$ along the path. The base case for $v :=$ start node follows immediately from correctness of Encode. For the inductive step, consider a node $v$ along the path $\Pi$ at depth $j$ for some edge $(u, v)$ labeled $(i, ind_i)$. By the induction hypothesis,

$$\psi_u \in \Psi_{pk_u, s, j_0}$$

where $j_0 < j$ denotes the depth of node $u$. Also by the correctness of the Encode algorithm, for all $i \in [\ell]$

$$\psi_i \in \Psi_{pk_{i,ind_i}, s, 0}$$

It follows immediately from the correctness of Recode that

$$\psi_v \in \Psi_{pk_v, s, j_0+1} \subseteq \Psi_{pk_v, s, j}$$

which completes the inductive proof. Since $\Gamma(ind) = 1$, we have

$$\psi_{accept} \in \Psi_{pk_{accept}, s, d_{\max}}$$

Recall that $\tau \leftarrow E(\mathrm{Encode}(pk_{accept}, s), m)$. Finally, by the correctness of $(E, D)$,

$$D(\psi_{accept}, \tau) = m \qquad \square$$


7.4.2 Selective Security

Lemma 7.3 (selective security). For any adversary $A$ against selective security of the attribute-based encryption scheme for branching programs, there exists an adversary $B$ against correlated pseudorandomness of wTOR whose running time is essentially the same as that of $A$, such that

$$\mathrm{Adv}^{\mathrm{ABE}}(A) \le \mathrm{Adv}^{\mathrm{CP}}(B) + \mathrm{negl}(\lambda)$$

where $\mathrm{negl}(\lambda)$ captures the statistical security terms in TOR.

In the proof of security, we will rely crucially on the following combinatorial property of branching programs: for any input $x$, the graph does not contain any cycles as an undirected graph.
Alternative algorithms. Fix the selective challenge $ind$. We also get a collection of public keys and corresponding encodings from the "outside": $(pk_i, \psi_i)_{i \in [\ell+2]}$, where the challenge is to decide whether $\psi_{\ell+2}$ is $\mathrm{Encode}(pk_{\ell+2}, s)$ or random. The main challenge is to design an alternative algorithm KeyGen* for answering secret key queries without knowing $sk_{1,ind_1}, \ldots, sk_{\ell,ind_\ell}$ or $sk_{start}, sk_{accept}$. We consider the following "alternative" algorithms.

$\mathrm{Setup}^*(1^\lambda, 1^\ell, d_{\max})$: Let

$$\begin{aligned} (pk_{i,1-ind_i}, sk_{i,1-ind_i}) &\leftarrow \mathrm{Keygen}(pp, 0) \quad \text{for } i \in [\ell] \\ pk_{i,ind_i} &:= pk_i \quad \text{for } i \in [\ell] \\ pk_{start} &:= pk_{\ell+1} \\ pk_{accept} &:= pk_{\ell+2} \end{aligned}$$

Define and output the master public key as follows:

$$mpk = \begin{pmatrix} pk_{1,0} & pk_{2,0} & \cdots & pk_{\ell,0} & pk_{start} \\ pk_{1,1} & pk_{2,1} & \cdots & pk_{\ell,1} & pk_{accept} \end{pmatrix}$$

$\mathrm{Enc}^*(mpk, ind, m)$: Define

$$\begin{aligned} \psi_{i,ind_i} &:= \psi_i \quad \text{for all } i \in [\ell] \\ \psi_{start} &:= \psi_{\ell+1} \\ \psi_{accept} &:= \psi_{\ell+2} \end{aligned}$$

Encrypt the message $m$:

$$\tau \leftarrow E(\psi_{accept}, m)$$

Output the simulated ciphertext

$$ct_{ind} = (\psi_1, \psi_2, \ldots, \psi_\ell, \psi_{start}, \tau)$$


$\mathrm{KeyGen}^*(msk, \Gamma)$: Let $\Gamma'_{ind}$ denote the undirected graph obtained from $\Gamma_{ind}$ by treating every directed edge as an undirected edge (while keeping the edge label). Observe that $\Gamma'_{ind}$ satisfies the following properties:

• $\Gamma'_{ind}$ contains no cycles. This is because $\Gamma_{ind}$ is acyclic and every nonterminal node contains exactly one outgoing edge.

• The start node and the accept node lie in different connected components in $\Gamma'_{ind}$, since $\Gamma(ind) = 0$.

Simulation invariant: for each "active" edge labeled $(i, ind_i)$ from node $u$ to node $v$, simulate the recoding key. Choose our own public/secret key pair for each "inactive" edge $(i, 1 - ind_i)$ and generate the recoding key honestly.

• Run a DFS in $\Gamma'_{ind}$ starting from the start node. Whenever we visit a new node $v$ from a node $u$ along an edge labeled $(i, ind_i)$, we set:

$$(pk_v, rk_{u,v}) \leftarrow \mathrm{SimReKeyGen}(pk_{i,ind_i}, pk_u) \quad \text{if } (u, v) \text{ is a directed edge in } \Gamma$$
$$(pk_v, -rk_{v,u}) \leftarrow \mathrm{SimReKeyGen}(pk_{i,ind_i}, pk_u) \quad \text{if } (v, u) \text{ is a directed edge in } \Gamma$$

Here, we exploit the back-tracking property in wTOR.

Note that since $\Gamma(ind) = 0$, the accept node is not assigned a public key by this process.

• For all nodes $u$ without an assignment, run $(pk_u, sk_u) \leftarrow \mathrm{Keygen}(pp, 1)$.

• For every remaining edge $(u, v)$ labeled $(i, 1 - ind_i)$ in $\Gamma$, sample a recoding key $rk_{u,v}$ as in KeyGen using $sk_{i,1-ind_i}$ as follows:

$$rk_{u,v} \leftarrow \mathrm{ReKeyGen}(pk_{i,1-ind_i}, pk_u, sk_{i,1-ind_i}, pk_v)$$

The secret key $sk_\Gamma$ is simply the collection of all the recoding keys $rk_{u,v}$ for every edge $(u, v)$ in $\Gamma$.

Game sequence. Next, consider the following sequence of games. We use $\mathrm{Adv}_0, \mathrm{Adv}_1, \ldots$ to denote the advantage of the adversary $A$ in Games 0, 1, etc. Let $n$ denote the number of edges in a branching program $\Gamma$ labeled $(i, ind_i)$ for some $i$, and for all $j \in [n]$ let $e_j$ denote the actual edge.

Game 0. Real experiment.

Game $i$ for $i = 1, 2, \ldots, q$. As in Game 0, except the challenger answers the first $i - 1$ key queries using KeyGen* and the remaining $q - i$ key queries using KeyGen. For the $i$'th key query $\Gamma_i$, we consider sub-Games $i.e$ as follows:

Game $i.j$, for $j = 1, \ldots, n$. For edge $e_j = (u, v)$ labeled $(i, ind_i)$, the challenger switches the simulated recoding key $rk_{u,v}$ from KeyGen to KeyGen*. We rely on the recoding simulation and back-tracking properties simultaneously.

By recoding simulation and back-tracking, we have:

$$|\mathrm{Adv}_{i.e} - \mathrm{Adv}_{i.e+1}| \le \mathrm{negl}(\lambda) \quad \text{for all } i, e$$

Note that in Game $q$, the challenger runs Setup* and answers all key queries using KeyGen* with the selective challenge $ind$ and generates the challenge ciphertext using Enc.

Game $q + 1$. Same as Game $q$, except the challenger generates the challenge ciphertext using Enc* with $\psi_{\ell+2} \leftarrow \mathrm{Encode}(pk_{\ell+2}, s)$.

$$\mathrm{Adv}_{q+1} = \mathrm{Adv}_q$$

Game $q + 2$. Same as Game $q + 1$, except $\psi_{\ell+2} \leftarrow K$. It is straightforward to construct an adversary $B$ such that

$$|\mathrm{Adv}_{q+1} - \mathrm{Adv}_{q+2}| \le \mathrm{Adv}^{\mathrm{CP}}(B)$$

Finally, $\mathrm{Adv}_{q+2} \le \mathrm{negl}(\lambda)$ by the one-time semantic security of $(E, D)$. The lemma then follows readily.
A Extensions

A.1 Outsourcing Decryption

In this section we show how to modify our main construction of attribute-based encryption to support outsourcing of decryption circuits, similar to [GHW11]. We require that the Keygen algorithm returns two keys:

• the evaluation key $ek_C$, that is given to a computationally powerful proxy,

• and a decryption key $dk$, given to the client.

Given a ciphertext $ct_{ind}$, the proxy must perform the "bulk" of the computation and return a new ciphertext $ct'_{ind}$ that is forwarded to the client. Using the decryption key $dk$, the client can decrypt and learn the message $m$ iff the predicate $C(ind)$ is satisfied. We emphasize that the amount of computation the client needs to perform to decrypt the message must be independent of the circuit size. Intuitively, the security ensures that an adversary should learn nothing about the message, conditioned on it querying only for decryption keys $dk$ for predicates that are not satisfied by the challenge index (note, the adversary can query for evaluation keys separately for predicates that are satisfied).

Intuitively, we modify the main construction as follows. As before, the key-generation algorithm assigns two keys for each circuit wire. The evaluation key consists of all the recoding keys for the circuit. In addition, the output wire has another key $pk_{out}$ which now plays a special role. The recoding key from $pk_{|C|,1}$ to $pk_{out}$ is only given to the client as the decryption key. If $C(ind) = 1$, the proxy computes an encoding under $pk_{|C|,1}$ and forwards it to the client. The client applies the transformation, and decrypts the message. For technical reasons, since we are using a "two-to-one" recoding mechanism, we need to introduce an auxiliary public key $pk_{in}$ and a corresponding encoding.

$\mathrm{Setup}(1^\lambda, 1^\ell, d_{\max})$: For each of the $\ell$ input wires, generate two public/secret key pairs. Also, generate the output and the auxiliary input public/secret key pairs:

$$(pk_{i,b}, sk_{i,b}) \leftarrow \mathrm{Keygen}(pp) \quad \text{for } i \in [\ell],\; b \in \{0,1\}$$
$$(pk_{out}, sk_{out}) \leftarrow \mathrm{Keygen}(pp)$$
$$(pk_{in}, sk_{in}) \leftarrow \mathrm{Keygen}(pp)$$

Output

$$mpk := \begin{pmatrix} pk_{1,0} & pk_{2,0} & \cdots & pk_{\ell,0} & pk_{in} \\ pk_{1,1} & pk_{2,1} & \cdots & pk_{\ell,1} & pk_{out} \end{pmatrix}, \quad msk := \begin{pmatrix} sk_{1,0} & sk_{2,0} & \cdots & sk_{\ell,0} & sk_{in} \\ sk_{1,1} & sk_{2,1} & \cdots & sk_{\ell,1} & sk_{out} \end{pmatrix}$$

$\mathrm{Enc}(mpk, ind, m)$: For $ind \in \{0,1\}^\ell$, choose a uniformly random $s \leftarrow S$ and encode it under the public keys specified by the index bits:

$$\psi_i \leftarrow \mathrm{Encode}(pk_{i,ind_i}, s) \quad \text{for all } i \in [\ell]$$

Encode $s$ under the input public key:

$$\psi_{in} \leftarrow \mathrm{Encode}(pk_{in}, s)$$

Encrypt the message $m$:

$$\tau \leftarrow E(\mathrm{Encode}(pk_{out}, s), m)$$

Output the ciphertext

$$ct_{ind} := (\psi_1, \psi_2, \ldots, \psi_\ell, \psi_{in}, \tau)$$


$\mathrm{KeyGen}(msk, C)$:

1. For every non-input wire $w = \ell + 1, \ldots, |C|$ of the circuit $C$, and every $b \in \{0,1\}$, generate public/secret key pairs:

$$(pk_{w,b}, sk_{w,b}) \leftarrow \mathrm{Keygen}(pp)$$

2. For the gate $g = (u, v, w)$ with output wire $w$, compute the four recoding keys $rk_w^{b,c}$ (for $b, c \in \{0,1\}$):

$$rk_w^{b,c} \leftarrow \mathrm{ReKeyGen}\big(pk_{u,b},\; pk_{v,c},\; sk_{u,b},\; pk_{w,g_w(b,c)}\big)$$

3. Also, compute the recoding key

$$rk_{out} \leftarrow \mathrm{ReKeyGen}\big(pk_{|C|,1},\; pk_{in},\; sk_{|C|,1},\; pk_{out}\big)$$

Output the evaluation key, which is a collection of $4(|C| - \ell)$ recoding keys

$$ek_C := \big(\, rk_w^{b,c} \;:\; w \in [\ell + 1, |C|],\; b, c \in \{0,1\} \,\big)$$

and the decryption key $dk := rk_{out}$.

$\mathrm{Eval}(ek_C, ct_{ind})$: We tacitly assume that $ct_{ind}$ contains the index $ind$. For $w = \ell + 1, \ldots, |C|$, let $g = (u, v, w)$ denote the gate with output wire $w$. Suppose wires $u$ and $v$ carry the values $b^*$ and $c^*$, so that wire $w$ carries the value $d^* := g_w(b^*, c^*)$. Compute

$$\psi_{w,d^*} \leftarrow \mathrm{Recode}\big(rk_w^{b^*,c^*},\; \psi_{u,b^*},\; \psi_{v,c^*}\big)$$

If $C(ind) = 1$, then we would have computed $\psi_{|C|,1}$. Output

$$ct'_{ind} := (\psi_{|C|,1}, \psi_{in}, \tau)$$

If $C(ind) = 0$, output $\perp$.

$\mathrm{Dec}(dk, ct'_{ind})$: Apply the transformation

$$\psi_{out} \leftarrow \mathrm{Recode}(rk_{out}, \psi_{in}, \psi_{|C|,1})$$

and output the message

$$m \leftarrow D(\psi_{out}, \tau)$$
Security. We informally state how to modify the simulator in the proof of security in Section 6.4. The simulator gets $\{pk_i, \psi_i\}_{i \in [\ell+2]}$ from the "outside". It assigns $pk_1, \ldots, pk_\ell$ as the public keys specified by the bits of $ind$ and $pk_{in} := pk_{\ell+1}$, $pk_{out} := pk_{\ell+2}$. It is easy to see how to simulate the ciphertext: all the input encodings become a part of it, as well as an encryption of the message using $\psi_{out} := \psi_{\ell+2}$. Now, the evaluation key $ek$ is simulated by applying the TOR simulator.

• For a query $C$ such that $C(ind) = 0$, the simulator can choose $(pk_{|C|,1}, sk_{|C|,1})$ by itself (the public key $pk_{|C|,0}$ is "fixed" by the TOR simulator). Hence, the decryption key $dk$ can be computed using $sk_{|C|,1}$.

• On the other hand, for a query $C$ such that $C(ind) = 1$, the adversary is not allowed to obtain the decryption key $dk$, hence there is no need to simulate it.

A.2 Extending Secret Keys

Consider the following problem: a user holds two (or more) secret keys $sk_{C_1}$ and $sk_{C_2}$. $C_1$ allows decrypting all ciphertexts addressed to the human resources department and $C_2$ allows decrypting ciphertexts addressed to shareholders. The user wishes to create (and delegate) another secret key $sk_{C^*}$ that allows decrypting ciphertexts addressed to human resources and shareholders. The question that we study is whether it is possible to allow the user to compute $sk_{C^*}$ without calling the authority holding the master secret key $msk$. More formally, given $\{sk_{C_i}\}_{i \in [q]}$, a user should be able to compute a secret key $sk_{C^*}$ for any circuit $C^*$ that is a black-box monotone composition of the $C_i$'s. Note that only monotone compositions are realizable, since otherwise a user holding a secret key $sk_{C_1}$ where $C_1(ind) = 0$ could come up with a secret key for $\bar{C}_1$ and hence break any notion of security.

To support monotone extensions, it is enough to show how to obtain (1) $sk_{C_1 \wedge C_2}$ given $sk_{C_1}, sk_{C_2}$, and (2) $sk_{C_1 \vee C_2}$ given $sk_{C_1}, sk_{C_2}$. We start from the construction presented in Section A.1. We note that the security of that construction does not break if we give the secret key associated with the output value 1 ($sk_{|C|,1}$) as a part of the secret key $sk_C$. This is because our simulation proceeds by sampling $(pk_{|C|,1}, sk_{|C|,1})$ honestly using the Keygen algorithm and the fact that the adversary is restricted to queries $C_i$ such that $C_i(ind) = 0$. Hence, given $sk_{|C_1|,1}$ and $sk_{|C_2|,1}$, let $C^* = C_1 \wedge C_2$. The user computes $sk_{C^*}$ as $(ek_{C_1}, ek_{C_2})$ plus four recoding keys $rk^{b,c}$ (for $b, c \in \{0,1\}$):

$$\begin{aligned} (pk_{|C^*|,0}, rk^{0,0}) &\leftarrow \mathrm{SimReKeyGen}(pk_{|C_1|,0}, pk_{|C_2|,0}) \\ rk^{0,1} &\leftarrow \mathrm{ReKeyGen}(pk_{|C_1|,0}, pk_{|C_2|,1}, sk_{|C_2|,1}, pk_{|C^*|,0}) \\ rk^{1,0} &\leftarrow \mathrm{ReKeyGen}(pk_{|C_1|,1}, pk_{|C_2|,0}, sk_{|C_1|,1}, pk_{|C^*|,0}) \\ rk^{1,1} &\leftarrow \mathrm{ReKeyGen}(pk_{|C_1|,1}, pk_{|C_2|,1}, sk_{|C_1|,1}, pk_{out}) \end{aligned}$$

As before, the message is encrypted under the encoding $\psi_{out} \leftarrow \mathrm{Encode}(pk_{out}, s)$. The construction extends similarly to support OR compositions. Furthermore, arbitrary monotone structures can be realized by sampling keys associated with value 1 $(pk_1, sk_1)$ honestly and computing the recoding keys as above, until the final wire is assigned to $pk_{out}$.
Abstract

We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive $\mathrm{poly}(\lambda, d)$ bits, where $\lambda$ is the security parameter and $d$ is the circuit depth. Save the additive $\mathrm{poly}(\lambda, d)$ factor, this is the best one could hope for. All previous constructions incurred a multiplicative $\mathrm{poly}(\lambda)$ blowup. As another application, we obtain (single key secure) functional encryption with short secret keys.

We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption which is a public-key system that lets anyone translate a ciphertext encrypted under a public-key $x$ into a ciphertext encrypted under the public-key $(f(x), f)$ of the same plaintext, for any efficiently computable $f$. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem.

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector $x$ is the size of $x$ plus $\mathrm{poly}(\lambda, d)$ additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a $\mathrm{poly}(\lambda, d)$ factor.

*This is the full version of a paper that appeared in Eurocrypt 2014 [BGG+14]. This work is a merge of two closely related papers [GGH+13d, BNS13].
1 Introduction

(Key-policy) attribute-based encryption [SW05, GPSW06] is a public-key encryption mechanism where every secret key $sk_f$ is associated with some function $f : \mathcal{X} \to \mathcal{Y}$ and an encryption of a message $\mu$ is labeled with a public attribute vector $x \in \mathcal{X}$. The encryption of $\mu$ can be decrypted using $sk_f$ only if $f(x) = 0 \in \mathcal{Y}$. Intuitively, the security requirement is collusion resistance: a coalition of users learns nothing about the plaintext message $\mu$ if none of their individual keys are authorized to decrypt the ciphertext.

Attribute-based encryption (ABE) is a powerful generalization of identity-based encryption [Sha84, BF03, Coc01] and fuzzy IBE [SW05, ABV+12] and is a special case of functional encryption [BSW11]. It is used as a building-block in applications that demand complex access control to encrypted data [PTMW06], in designing protocols for verifiably outsourcing computations [PRV12], and for single-use functional encryption [GKP+13b]. Here we focus on key-policy ABE where the access policy is embedded in the secret key. The dual notion called ciphertext-policy ABE can be realized from this using universal circuits, as explained in [GPSW06, GGH+13c].

The past few years have seen much progress in constructing secure and efficient ABE schemes from different assumptions and for different settings. The first constructions [GPSW06, LOS+10, OT10, LW12, Wat12, Boy13, HW13] apply to predicates computable by Boolean formulas which are a subclass of log-space computations. More recently, important progress has been made on constructions for the set of all polynomial-size circuits: Gorbunov, Vaikuntanathan, and Wee [GVW13] gave a construction from the Learning With Errors (LWE) problem and Garg, Gentry, Halevi, Sahai, and Waters [GGH+13c] gave a construction using multilinear maps. In both constructions the policy functions are represented as Boolean circuits composed of fan-in 2 gates and the secret key size is proportional to the size of the circuit.

Our results. We present two new key-policy ABE systems. Our first system, which is the centerpiece of this paper, is an ABE based on the learning with errors problem [Reg05] that supports functions $f$ represented as arithmetic circuits with large fan-in gates. It has secret keys whose size is proportional to the depth of the circuit for $f$, not its size. Secret keys in previous ABE constructions contained an element (such as a matrix) for every gate or wire in the circuit. In our scheme the secret key is a single matrix corresponding only to the final output wire from the circuit. We prove selective security of the system and observe that by a standard complexity leveraging argument (as in [BB11]) the system can be made adaptively secure.

Theorem 1.1 (Informal). Let $\lambda$ be the security parameter. Assuming subexponential LWE, there is an ABE scheme for the class of functions with depth-$d$ circuits where the size of the secret key for a circuit $C$ is $\mathrm{poly}(\lambda, d)$.

Our second ABE system, based on multilinear maps ([BS02], [GGH13a]), optimizes the ciphertext size rather than the secret key size. The construction here relies on a generalization of broadcast encryption [FN93, BGW05, BW13] and the attribute-based encryption scheme of [GGH+13c]. Previously, ABE schemes with short ciphertexts were known only for the class of Boolean formulas [ALdP11].

Theorem 1.2 (Informal). Let $\lambda$ be the security parameter. Assuming that $d$-level multilinear maps exist, there is an ABE scheme for the class of functions with depth-$d$ circuits where the size of the encryption of an attribute vector $x$ is $|x| + \mathrm{poly}(\lambda, d)$.
Our ABE schemes result in a number of applications and have many desirable features, which we describe next.

Applications to reusable garbled circuits. Over the years, garbled circuits and variants have found many uses: in two party [Yao86] and multi-party secure protocols [GMW87, BMR90], one-time programs [GKR08], key-dependent message security [BHHI10], verifiable computation [GGP10], homomorphic computations [GHV10] and many others. Classical circuit garbling schemes produced single-use garbled circuits which could only be used in conjunction with one garbled input. Goldwasser et al. [GKP+13b] recently showed the first fully reusable circuit garbling schemes and used them to construct token-based program obfuscation schemes and $k$-time programs [GKP+13b].

Most known constructions of both single-use and reusable garbled circuits proceed by garbling each gate to produce a garbled truth table, resulting in a multiplicative size blowup of $\mathrm{poly}(\lambda)$. A fundamental question regarding garbling schemes is: How small can the garbled circuit be?

There are three exceptions to the gate-by-gate garbling method that we are aware of. The first is the "free XOR" optimization for single-use garbling schemes introduced by Kolesnikov and Schneider [KS08] where one produces garbled tables only for the AND gates in the circuit $C$. This still results in a multiplicative $\mathrm{poly}(\lambda)$ overhead but proportional to the number of AND gates (as opposed to the total number of gates). Secondly, Lu and Ostrovsky [LO13] recently showed a single-use garbling scheme for RAM programs, where the size of the garbled program grows as $\mathrm{poly}(\lambda)$ times its running time. Finally, Goldwasser et al. [GKP+13a] show how to (reusably) garble non-uniform Turing machines under a non-standard and non-falsifiable assumption and incurring a multiplicative $\mathrm{poly}(\lambda)$ overhead in the size of the non-uniformity of the machine. In short, all known garbling schemes (even in the single-use setting) suffer from a multiplicative overhead of $\mathrm{poly}(\lambda)$ in the circuit size or the running time.

Using our first ABE scheme (based on LWE) in conjunction with the techniques of Goldwasser et al. [GKP+13b], we obtain the first reusable garbled circuits whose size is $|C| + \mathrm{poly}(\lambda, d)$. For large and shallow circuits, such as those that arise from database lookup, search and some machine learning applications, this gives significant bandwidth savings over previous methods (even in the single use setting).

Theorem 1.3 (Informal). Assuming subexponential LWE, there is a reusable circuit garbling scheme that garbles a depth-$d$ circuit $C$ into a circuit $\hat{C}$ such that $|\hat{C}| = |C| + \mathrm{poly}(\lambda, d)$, and garbles an input $x$ into an encoded input $\hat{x}$ such that $|\hat{x}| = |x| \cdot \mathrm{poly}(\lambda, d)$.

We next ask if we can obtain short garbled inputs of size $|\hat{x}| = |x| + \mathrm{poly}(\lambda, d)$, analogous to what we achieved for the garbled circuit. In a beautiful recent work, Applebaum, Ishai, Kushilevitz and Waters [AIKW13] showed constructions of single-use garbled circuits with short garbled inputs of size $|\hat{x}| = |x| + \mathrm{poly}(\lambda)$. We remark that while their garbled inputs are short, their garbled circuits still incur a multiplicative $\mathrm{poly}(\lambda)$ overhead.

Using our second ABE scheme (based on multilinear maps) in conjunction with the techniques of Goldwasser et al. [GKP+13b], we obtain the first reusable garbling scheme with garbled inputs of size $|x| + \mathrm{poly}(\lambda, d)$.

Theorem 1.4 (Informal). Assuming subexponential LWE and the existence of $d$-level multilinear maps, there is a reusable circuit garbling scheme that garbles a depth-$d$ circuit $C$ into a circuit $\hat{C}$ such that $|\hat{C}| = |C| \cdot \mathrm{poly}(\lambda, d)$, and garbles an input $x$ into an encoded input $\hat{x}$ such that $|\hat{x}| = |x| + \mathrm{poly}(\lambda, d)$.
A natural open question is to construct a scheme which produces both short garbled circuits
and short garbled inputs. We first focus on describing the ABE schemes and then give details of
the garbling scheme.

ABE for arithmetic circuits. For a prime $q$, our first ABE system (based on LWE) directly
handles arithmetic circuits with weighted addition and multiplication gates over $\mathbb{Z}_q$, namely gates
of the form

$$g_+(x_1, \ldots, x_k) = a_1 x_1 + \ldots + a_k x_k \qquad \text{and} \qquad g_\times(x_1, \ldots, x_k) = a \cdot x_1 \cdots x_k$$

where the weights $a_i$ can be arbitrary elements in $\mathbb{Z}_q$. Previous ABE constructions worked with
Boolean circuits.

Addition gates $g_+$ take arbitrary inputs $x_1, \ldots, x_k \in \mathbb{Z}_q$. However, for multiplication gates $g_\times$,
we require that the inputs are somewhat smaller than $q$, namely in the range $[-p, p]$ for some $p < q$.
(In fact, our construction allows for one of the inputs to $g_\times$ to be arbitrarily large in $\mathbb{Z}_q$.) Hence,
while $f : \mathbb{Z}_q^\ell \to \mathbb{Z}_q$ can be an arbitrary polynomial-size arithmetic circuit, decryption will succeed
only for attribute vectors $x$ for which $f(x) = 0$ and the inputs to all multiplication gates in the
circuit are in $[-p, p]$. We discuss the relation between $p$ and $q$ at the end of the section.

We can in turn apply our arithmetic ABE construction to Boolean circuits with large fan-in,
resulting in potentially large savings over constructions restricted to fan-in two gates. An AND
gate can be implemented as $\wedge(x_1, \ldots, x_k) = x_1 \cdots x_k$ and an OR gate as $\vee(x_1, \ldots, x_k) = 1 - (1 - x_1) \cdots (1 - x_k)$.
In this setting, the inputs to the gates $g_+$ and $g_\times$ are naturally small, namely
in $\{0, 1\}$. Thus, unbounded fan-in allows us to consider circuits with smaller size and depth, and
results in smaller overall parameters.

ABE with key delegation. Our first ABE system also supports key delegation. That is, using
the master secret key, user Alice can be given a secret key $\mathrm{sk}_f$ for a function $f$ that lets her decrypt
whenever the attribute vector $x$ satisfies $f(x) = 0$. In our system, for any function $g$, Alice can
then issue a delegated secret key $\mathrm{sk}_{f \wedge g}$ to Bob that lets Bob decrypt if and only if the attribute
vector $x$ satisfies $f(x) = g(x) = 0$. Bob can further delegate to Charlie, and so on. The size of the
secret key increases quadratically with the number of delegations.

We note that Gorbunov et al. [GVW13] showed that their ABE system for Boolean circuits
supports a somewhat restricted form of delegation. Specifically, they demonstrated that using a
secret key $\mathrm{sk}_f$ for a function $f$, and a secret key $\mathrm{sk}_g$ for a function $g$, it is possible to issue a secret
key $\mathrm{sk}_{f \wedge g}$ for the function $f \wedge g$. In this light, our work resolves the naturally arising open problem
of providing full delegation capabilities (i.e., issuing $\mathrm{sk}_{f \wedge g}$ using only $\mathrm{sk}_f$).

1.1  Building  an  ABE  for  arithmetic  circuits  with  short  keys 

Key-homomorphic public-key encryption. We obtain our ABE by constructing a public-key
encryption scheme that supports computations on public keys. Basic public keys in our system
are vectors $x$ in $\mathbb{Z}_q^\ell$ for some $\ell$. Now, let $x$ be a tuple in $\mathbb{Z}_q^\ell$ and let $f : \mathbb{Z}_q^\ell \to \mathbb{Z}_q$ be a function
represented as a polynomial-size arithmetic circuit. Key-homomorphism means that:

anyone can transform an encryption under key $x$ into an encryption under key $f(x)$.

More precisely, suppose $c$ is an encryption of message $\mu$ under public-key $x \in \mathbb{Z}_q^\ell$. There is a
public algorithm $\mathrm{Eval}_{ct}(f, x, c) \to c_f$ that outputs a ciphertext $c_f$ that is an encryption of $\mu$
under the public-key $f(x) \in \mathbb{Z}_q$. In our constructions $\mathrm{Eval}_{ct}$ is deterministic and its running time
is proportional to the size of the arithmetic circuit for $f$.

If we give user Alice the secret-key for the public-key $0 \in \mathbb{Z}_q$ then Alice can use $\mathrm{Eval}_{ct}$ to decrypt $c$
whenever $f(x) = 0$, as required for ABE. Unfortunately, this ABE is completely insecure! This is
because the secret key is not bound to the function $f$: Alice could decrypt any ciphertext encrypted
under $x$ by simply finding some function $g$ such that $g(x) = 0$.

To construct a secure ABE we slightly extend the basic key-homomorphism idea. A base
encryption public-key is a tuple $x \in \mathbb{Z}_q^\ell$ as before, however $\mathrm{Eval}_{ct}$ produces ciphertexts encrypted
under the public key $(f(x), \langle f \rangle)$ where $f(x) \in \mathbb{Z}_q$ and $\langle f \rangle$ is an encoding of the circuit computing
$f$. Transforming a ciphertext $c$ from the public key $x$ to $(f(x), \langle f \rangle)$ is done using algorithm
$\mathrm{Eval}_{ct}(f, x, c) \to c_f$ as before. To simplify the notation we write a public-key $(y, \langle f \rangle)$ as simply
$(y, f)$. The precise syntax and security requirements for key-homomorphic public-key encryption
are provided in Section 3.

To build an ABE we simply publish the parameters of the key-homomorphic PKE system. A
message $\mu$ is encrypted with attribute vector $x = (x_1, \ldots, x_\ell) \in \mathbb{Z}_q^\ell$ that serves as the public key.
Let $c$ be the resulting ciphertext. Given an arithmetic circuit $f$, the key-homomorphic property
lets anyone transform $c$ into an encryption of $\mu$ under key $(f(x), f)$. The point is that now the
secret key for the function $f$ can simply be the decryption key for the public-key $(0, f)$. This key
enables the decryption of $c$ when $f(x) = 0$ as follows: the decryptor first uses $\mathrm{Eval}_{ct}(f, x, c) \to c_f$
to transform the ciphertext to the public key $(f(x), f)$. It can then decrypt $c_f$ using the decryption
key it was given whenever $f(x) = 0$. We show that this results in a secure ABE.

A construction from learning with errors. Fix some $n \in \mathbb{Z}^+$, prime $q$, and $m = \Theta(n \log q)$.
Let $A$, $G$ and $B_1, \ldots, B_\ell$ be matrices in $\mathbb{Z}_q^{n \times m}$ that will be part of the system parameters. To
encrypt a message $\mu$ under the public key $x = (x_1, \ldots, x_\ell) \in \mathbb{Z}_q^\ell$ we use a variant of dual Regev
encryption [Reg05, GPV08] using the following matrix as the public key:

$$(A \mid x_1 G + B_1 \mid \cdots \mid x_\ell G + B_\ell) \in \mathbb{Z}_q^{n \times (\ell+1)m} \qquad (1)$$

We obtain a ciphertext $c_x$. We note that this encryption algorithm is the same as encryption in the
hierarchical IBE system of [ABB10] and encryption in the predicate encryption for inner-products
of [AFV11].

We show that, remarkably, this system is key-homomorphic: given a function $f : \mathbb{Z}_q^\ell \to \mathbb{Z}_q$
computed by a poly-size arithmetic circuit, anyone can transform the ciphertext $c_x$ into a dual
Regev encryption for the public-key matrix

$$(A \mid f(x) \cdot G + B_f) \in \mathbb{Z}_q^{n \times 2m}$$

where the matrix $B_f \in \mathbb{Z}_q^{n \times m}$ serves as the encoding of the circuit for the function $f$. This $B_f$ is
uniquely determined by $f$ and $B_1, \ldots, B_\ell$. The work needed to compute $B_f$ is proportional to the
size of the arithmetic circuit for $f$.

To illustrate the idea, assume that we have the ciphertext under the public key $(x, y)$:
$c = (c_0 \mid c_x \mid c_y)$. Here $c_0 = A^T s + e$, $c_x = (xG + B_1)^T s + e_1$ and $c_y = (yG + B_2)^T s + e_2$. To compute
the ciphertext under the public key $(x + y, B_+)$ one takes the sum of the ciphertexts $c_x$ and $c_y$.
The result is the encryption under the matrix

$$(x + y)\, G + (B_1 + B_2) \in \mathbb{Z}_q^{n \times m}$$

where $B_+ = B_1 + B_2$. One of the main contributions of this work is a novel method of multiplying
the public keys. Together with addition, described above, this gives full key-homomorphism. To
construct the ciphertext under the public key $(xy, B_\times)$, we first compute a small-norm matrix
$R \in \mathbb{Z}_q^{m \times m}$ such that $GR = -B_1$. With this in mind we compute

$$R^T c_y = R^T \cdot \bigl[(yG + B_2)^T s + e_2\bigr] \approx (-y B_1 + B_2 R)^T s, \qquad \text{and}$$
$$y \cdot c_x = y \cdot \bigl[(xG + B_1)^T s + e_1\bigr] \approx (xy\, G + y B_1)^T s.$$

Adding the two expressions above gives us

$$(xy\, G + B_2 R)^T s + \text{noise}$$

which is a ciphertext under the public key $(xy, B_\times)$ where $B_\times = B_2 R$. Note that performing this
operation requires that we know $y$. This is the reason why this method gives an ABE and not
(private index) predicate encryption. In Section 4.1 we show how to generalize this mechanism to
arithmetic circuits with arbitrary fan-in gates.
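The two gate rules above, carried through a small depth-2 circuit, as an added example for this report page (illustrative Python written here, not code from the paper or from any library). It assumes toy parameters $n = 2$, $q = 257$, $m = n\lceil \log_2 q \rceil = 18$, encryption noise in $\{-1, 0, 1\}$ and the standard gadget $G = I_n \otimes (1, 2, \ldots, 2^{\lceil \log_2 q \rceil - 1})$ with $\mathrm{BD}$ as its bit-decomposition inverse; the LWE secret $s$ is kept only to measure the noise of the evaluated ciphertexts, so this is not a secure instantiation. It computes $B_f$ once from the circuit and $B_1, \ldots, B_\ell$ alone (the public-key side) and once while transforming the ciphertext, then checks that the result sits under $f(x)\,G + B_f$ with noise no larger than the gate rules predict.

```python
# Added example: toy Eval_ct for the + and x gate rules on dual-Regev ciphertext components.
# Parameters are tiny and the LWE secret s is kept only to *measure* noise; nothing here is secure.
import random

Q = 257                  # prime modulus q (toy)
N = 2                    # LWE dimension n (toy)
LOGQ = Q.bit_length()    # ceil(log2 q) = 9
M = N * LOGQ             # gadget width m = n * ceil(log2 q) = 18

def centered(v):
    """Representative of v mod q in [-q/2, q/2]."""
    return (v + Q // 2) % Q - Q // 2

def gadget():
    """G = I_n (x) (1, 2, 4, ..., 2^(LOGQ-1)), an n x m matrix over Z_q."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for j in range(LOGQ):
            G[i][i * LOGQ + j] = (1 << j) % Q
    return G

def bit_decompose(A):
    """BD(A): the {0,1}^{m x m} matrix R with G * R = A (mod q); A[i][c] becomes LOGQ bits, LSB first."""
    R = [[0] * M for _ in range(M)]
    for i in range(N):
        for c in range(M):
            for j in range(LOGQ):
                R[i * LOGQ + j][c] = ((A[i][c] % Q) >> j) & 1
    return R

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % Q for j in range(len(B[0]))] for i in range(len(A))]

def mat_add(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def key_matrix(x, B):
    """x*G + B, the public-key block encoding attribute value x together with matrix B."""
    return [[(x * g + b) % Q for g, b in zip(rg, rb)] for rg, rb in zip(gadget(), B)]

def encrypt_block(K, s, e):
    """Dual-Regev component c = K^T s + e (mod q) for the key block K."""
    return [(sum(K[j][i] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]

def noise_of(c, K, s):
    """e = c - K^T s, centered.  Test oracle only: it needs s, which an evaluator never has."""
    return [centered(c[i] - sum(K[j][i] * s[j] for j in range(N))) for i in range(M)]

def pk_mul(B1, B2):
    R = bit_decompose([[(-v) % Q for v in row] for row in B1])  # small-norm R with G*R = -B1
    return matmul(B2, R), R                                      # B_x = B2 * R

def ct_add(c1, c2):
    return [(a + b) % Q for a, b in zip(c1, c2)]                 # key (x + y, B1 + B2)

def ct_mul(c1, c2, y, R):
    """y*c1 + R^T c2: a ciphertext under (x*y, B2*R).  y must be known to the evaluator and small."""
    return [(y * c1[i] + sum(R[k][i] * c2[k] for k in range(M))) % Q for i in range(M)]

def eval_pk(gates, Bs):
    """B_f from the circuit and B_1..B_l alone; no attribute values are needed."""
    w = list(Bs)
    for op, i, j in gates:
        w.append(mat_add(w[i], w[j]) if op == "add" else pk_mul(w[i], w[j])[0])
    return w[-1]

def eval_ct(gates, xs, Bs, cs):
    """Eval_ct: returns (f(x), c_f).  A gate is ('add'|'mul', left_wire, right_wire); gate k outputs wire l+k."""
    vals, mats, cts = list(xs), list(Bs), list(cs)
    for op, i, j in gates:
        if op == "add":
            vals.append((vals[i] + vals[j]) % Q)
            mats.append(mat_add(mats[i], mats[j]))
            cts.append(ct_add(cts[i], cts[j]))
        else:
            Bx, R = pk_mul(mats[i], mats[j])
            vals.append((vals[i] * vals[j]) % Q)
            mats.append(Bx)
            cts.append(ct_mul(cts[i], cts[j], centered(vals[j]), R))  # right input used in the clear
    return vals[-1], cts[-1]

def gadget_identity_holds(seed=7):
    """G * BD(A) = A for a random A, the identity the multiplication rule relies on."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    return matmul(gadget(), bit_decompose(A)) == A

def demo(seed=1, xs=(200, 250, 3), bound=1):
    """f(x1, x2, x3) = (x1 + x2) * x3 with x1, x2 arbitrary in Z_q and x3 small (constructed sample data)."""
    rng = random.Random(seed)
    gates = [("add", 0, 1), ("mul", 3, 2)]       # wire 3 = x1 + x2, wire 4 = wire 3 * x3
    Bs = [[[rng.randrange(Q) for _ in range(M)] for _ in range(N)] for _ in xs]
    s = [rng.randrange(Q) for _ in range(N)]
    es = [[rng.randint(-bound, bound) for _ in range(M)] for _ in xs]
    cs = [encrypt_block(key_matrix(x, B), s, e) for x, B, e in zip(xs, Bs, es)]
    fx, cf = eval_ct(gates, xs, Bs, cs)
    Bf = eval_pk(gates, Bs)                      # computed without xs: B_f depends only on f and the B_i
    noise = noise_of(cf, key_matrix(fx, Bf), s)
    predicted = abs(centered(xs[2])) * 2 * bound + M * bound   # x3*(e1+e2) from the sum, plus R^T e3
    return {"f_x": fx, "expected": ((xs[0] + xs[1]) * xs[2]) % Q,
            "max_noise": max(map(abs, noise)), "noise_bound": predicted}
```

Two points the run makes concrete: `eval_pk` never sees the attributes, which is why $B_f$ (and hence the secret key for $(0, f)$) depends only on $f$ and the $B_i$; and `ct_mul` needs the right input's attribute in the clear and small, which is exactly the restriction above: one multiplication input may be large, the rest must lie in $[-p, p]$, and the evaluator must know them, so the construction is an ABE rather than a private-index predicate encryption.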

As explained above, this key-homomorphism gives us an ABE for arithmetic circuits: the public
parameters contain random matrices $B_1, \ldots, B_\ell \in \mathbb{Z}_q^{n \times m}$ and encryption to an attribute vector $x$ in
$\mathbb{Z}_q^\ell$ is done using dual Regev encryption to the matrix (1). A decryption key $\mathrm{sk}_f$ for an arithmetic
circuit $f : \mathbb{Z}_q^\ell \to \mathbb{Z}_q$ is a decryption key for the public-key matrix $(A \mid 0 \cdot G + B_f) = (A \mid B_f)$. This
key enables decryption whenever $f(x) = 0$. The key $\mathrm{sk}_f$ can be easily generated using a short basis
for the lattice $\Lambda_q^\perp(A)$ which serves as the master secret key.

We prove selective security from the learning with errors problem (LWE) by using another
homomorphic property of the system implemented in an algorithm called $\mathrm{Eval}_{sim}$. Using $\mathrm{Eval}_{sim}$ the
simulator responds to the adversary's private key queries and then solves the given LWE challenge.

Parameters and performance. Applying algorithm $\mathrm{Eval}_{ct}(f, x, c)$ to a ciphertext $c$ increases
the magnitude of the noise in the ciphertext by a factor that depends on the depth of the circuit
for $f$. A $k$-way addition gate ($g_+$) increases the norm of the noise by a factor of $O(km)$. A $k$-way
multiplication gate ($g_\times$) where all (but one) of the inputs are in $[-p, p]$ increases the norm of the
noise by a factor of $O(p^{k-1} m)$. Therefore, if the circuit for $f$ has depth $d$, the noise in $c$ grows in
the worst case by a factor of $O((p^{k-1} m)^d)$. Note that the weights $a_i$ used in the gates $g_+$ and $g_\times$
have no effect on the amount of noise added.

For decryption to work correctly the modulus $q$ should be slightly larger than the noise in the
ciphertext. Hence, we need $q$ on the order of $\Omega(B \cdot (p^{k-1} m)^d)$ where $B$ is the maximum magnitude
of the noise added to the ciphertext during encryption. For security we rely on the hardness of
the learning with errors (LWE) problem, which requires that the ratio $q/B$ is not too large. In
particular, the underlying problem is believed to be hard even when $q/B$ is $2^{n^\epsilon}$ for some fixed
$0 < \epsilon < 1/2$. In our settings $q/B = \Omega((p^{k-1} m)^d)$. Then to support circuits of depth $t(\lambda)$ for
some polynomial $t(\cdot)$ we choose $n$ such that $n \ge t(\lambda)^{1/\epsilon} \cdot (2 \log_2 n + k \log_2 p)^{1/\epsilon}$, set $q = 2^{n^\epsilon}$,
$m = \Theta(n \log q)$, and the LWE noise bound to $B = O(n)$. This ensures correctness of decryption
and hardness of LWE since we have $\Omega((p^k m)^{t(\lambda)}) \le q \le 2^{n^\epsilon}$, as required. The ABE system
of [GVW13] uses similar parameters due to a similar growth in noise as a function of circuit depth.

Secret key size. A decryption key in our system is a single $2m \times m$ low-norm matrix, namely
the trapdoor for the matrix $(A \mid B_f)$. Since $m = \Theta(n \log q)$ and $\log_2 q$ grows linearly with the circuit
depth $d$, the overall secret key size grows as $O(d^2)$ with the depth. In previous ABE systems for
circuits [GVW13, GGH+13c] secret keys grew as $O(d^2 s)$ where $s$ is the number of Boolean gates or
wires in the circuit.

Other related work. Predicate encryption [BW07, KSW08] provides a stronger privacy guarantee
than ABE by additionally hiding the attribute vector $x$. Predicate encryption systems for inner
product functionalities can be built from bilinear maps [KSW08] and LWE [AFV11]. More recently,
Garg et al. [GGH+13b] constructed functional encryption (which implies predicate encryption) for
all polynomial-size functionalities using indistinguishability obfuscation.

The encryption algorithm in our system is similar to that in the hierarchical-IBE of Agrawal,
Boneh, and Boyen [ABB10]. We show that this system is key-homomorphic for polynomial-size
arithmetic circuits which gives us an ABE for such circuits. The first hint of the key-homomorphic
properties of the [ABB10] system was presented by Agrawal, Freeman, and Vaikuntanathan [AFV11]
who showed that the system is key-homomorphic with respect to low-weight
linear transformations and used this fact to construct a (private index) predicate encryption system
for inner-products. To handle high-weight linear transformations [AFV11] used bit decomposition
to represent the large weights as bits. This expands the ciphertext by a factor of $\log_2 q$, but adds
more functionality to the system. Our ABE, when presented with a circuit containing only linear
gates (i.e. only $g_+$ gates), also provides a predicate encryption system for inner products in
the same security model as [AFV11], but can handle high-weight linear transformations directly,
without bit decomposition, thereby obtaining shorter ciphertexts and public-keys.

A completely different approach to building circuit ABE was presented by Garg, Gentry, Sahai,
and Waters [GGSW13] who showed that a general primitive they named witness encryption implies
circuit ABE when combined with witness indistinguishable proofs.

2  Preliminaries 

For a random variable $X$ we denote by $x \leftarrow X$ the process of sampling a value $x$ according to the
distribution of $X$. Similarly, for a finite set $S$ we denote by $x \leftarrow S$ the process of sampling a value
$x$ according to the uniform distribution over $S$. A non-negative function $\nu(\lambda)$ is negligible if for
every polynomial $p(\lambda)$ it holds that $\nu(\lambda) < 1/p(\lambda)$ for all sufficiently large $\lambda \in \mathbb{N}$.

The statistical distance between two random variables $X$ and $Y$ over a finite domain $\Omega$ is defined
as

$$\mathrm{SD}(X, Y) = \frac{1}{2} \sum_{\omega \in \Omega} \bigl| \Pr[X = \omega] - \Pr[Y = \omega] \bigr|.$$

Two random variables $X$ and $Y$ are $\delta$-close if $\mathrm{SD}(X, Y) \le \delta$. Two distribution ensembles $\{X_\lambda\}_{\lambda \in \mathbb{N}}$
and $\{Y_\lambda\}_{\lambda \in \mathbb{N}}$ are statistically indistinguishable if it holds that $\mathrm{SD}(X_\lambda, Y_\lambda)$ is negligible in $\lambda$. Such
random variables are computationally indistinguishable if for every probabilistic polynomial-time
algorithm $\mathcal{A}$ it holds that

$$\Bigl| \Pr_{x \leftarrow X_\lambda}\bigl[\mathcal{A}(1^\lambda, x) = 1\bigr] - \Pr_{y \leftarrow Y_\lambda}\bigl[\mathcal{A}(1^\lambda, y) = 1\bigr] \Bigr|$$

is negligible in $\lambda$.
2.1 Attribute-Based Encryption

An attribute-based encryption (ABE) scheme for a class of functions $\mathcal{F}_\lambda = \{f : X_\lambda \to Y_\lambda\}$ is a
quadruple $\Pi = (\mathrm{Setup}, \mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec})$ of probabilistic polynomial-time algorithms. $\mathrm{Setup}$ takes a
unary representation of the security parameter $\lambda$ and outputs public parameters $\mathrm{mpk}$ and a master
secret key $\mathrm{msk}$; $\mathrm{Keygen}(\mathrm{msk}, f \in \mathcal{F}_\lambda)$ outputs a decryption key $\mathrm{sk}_f$; $\mathrm{Enc}(\mathrm{mpk}, x \in X_\lambda, \mu)$ outputs
a ciphertext $c$, the encryption of message $\mu$ labeled with attribute vector $x$; $\mathrm{Dec}(\mathrm{sk}_f, c)$ outputs
a message $\mu$ or the special symbol $\perp$. (When clear from the context, we drop the subscript $\lambda$ from
$X_\lambda$, $Y_\lambda$ and $\mathcal{F}_\lambda$.)

Correctness. We require that for every circuit $f \in \mathcal{F}$, attribute vector $x \in X$ where $f(x) = 0$,
and message $\mu$, it holds that $\mathrm{Dec}(\mathrm{sk}_f, c) = \mu$ with overwhelming probability over the choice of
$(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(\lambda)$, $c \leftarrow \mathrm{Enc}(\mathrm{mpk}, x, \mu)$, and $\mathrm{sk}_f \leftarrow \mathrm{Keygen}(\mathrm{msk}, f)$.

Security. For the most part, we consider the standard notion of selective security for ABE
schemes [GPSW06]. Specifically, we consider adversaries that first announce a challenge attribute
vector $x^*$, and then receive the public parameters $\mathrm{mpk}$ of the scheme and oracle access to a key-
generation oracle $\mathrm{KG}(\mathrm{msk}, x^*, f)$ that returns the secret key $\mathrm{sk}_f$ for $f \in \mathcal{F}$ if $f(x^*) \ne 0$ and returns
$\perp$ otherwise. We require that any such efficient adversary has only a negligible probability of distinguishing
between the ciphertexts of two different messages encrypted under the challenge attribute
$x^*$. Formally, security is captured by the following definition.

Definition 2.1 (Selectively-secure ABE). An ABE scheme $\Pi = (\mathrm{Setup}, \mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec})$ for a
class of functions $\mathcal{F}_\lambda = \{f : X_\lambda \to Y_\lambda\}$ is selectively secure if for all probabilistic polynomial-time
adversaries $\mathcal{A}$ where $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3)$, there is a negligible function $\nu(\lambda)$ such that

$$\mathrm{Adv}^{\mathrm{sel}}_{\mathrm{ABE}, \Pi, \mathcal{A}}(\lambda) = \Bigl| \Pr\bigl[\mathrm{EXP}^{(0)}_{\mathrm{ABE}, \Pi, \mathcal{A}}(\lambda) = 1\bigr] - \Pr\bigl[\mathrm{EXP}^{(1)}_{\mathrm{ABE}, \Pi, \mathcal{A}}(\lambda) = 1\bigr] \Bigr| \le \nu(\lambda),$$

where for each $b \in \{0, 1\}$ and $\lambda \in \mathbb{N}$ the experiment $\mathrm{EXP}^{(b)}_{\mathrm{ABE}, \Pi, \mathcal{A}}(\lambda)$ is defined as follows:

1. $(x^*, \mathrm{state}_1) \leftarrow \mathcal{A}_1(\lambda)$, where $x^* \in X_\lambda$  // $\mathcal{A}$ commits to challenge index $x^*$

2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(\lambda)$

3. $(\mu_0, \mu_1, \mathrm{state}_2) \leftarrow \mathcal{A}_2^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot)}(\mathrm{mpk}, \mathrm{state}_1)$  // $\mathcal{A}$ outputs messages $\mu_0, \mu_1$

4. $c^* \leftarrow \mathrm{Enc}(\mathrm{mpk}, x^*, \mu_b)$

5. $b' \leftarrow \mathcal{A}_3^{\mathrm{KG}(\mathrm{msk}, x^*, \cdot)}(c^*, \mathrm{state}_2)$  // $\mathcal{A}$ outputs a guess $b'$ for $b$

6. Output $b' \in \{0, 1\}$

where $\mathrm{KG}(\mathrm{msk}, x^*, f)$ returns a secret key $\mathrm{sk}_f = \mathrm{Keygen}(\mathrm{msk}, f)$ if $f(x^*) \ne 0$ and $\perp$ otherwise.

A fully secure ABE scheme is defined similarly, except that the adversary can choose the challenge
attribute $x^*$ after seeing the master public key and making polynomially many secret key
queries. The following lemma, attributed to [BB11], says that any selectively secure ABE scheme
is also fully secure with an exponential loss in parameters: the reduction guesses the challenge
attribute vector in advance and succeeds only when the guess is correct.

Lemma 2.2. For any selectively secure ABE scheme with attribute vectors of length $\ell = \ell(\lambda)$, there
is a negligible function $\nu(\lambda)$ such that $\mathrm{Adv}^{\mathrm{full}}_{\mathrm{ABE}, \Pi, \mathcal{A}}(\lambda) \le |X_\lambda|^\ell \cdot \nu(\lambda)$.
2.2 Background on Lattices

Lattices. Let $q, n, m$ be positive integers. For a matrix $A \in \mathbb{Z}_q^{n \times m}$ we let $\Lambda_q^\perp(A)$ denote the
lattice $\{x \in \mathbb{Z}^m : Ax = 0 \text{ in } \mathbb{Z}_q\}$. More generally, for $u \in \mathbb{Z}_q^n$ we let $\Lambda_q^u(A)$ denote the coset
$\{x \in \mathbb{Z}^m : Ax = u \text{ in } \mathbb{Z}_q\}$.

We note the following elementary fact: if the columns of $T_A \in \mathbb{Z}^{m \times m}$ are a basis of the lattice
$\Lambda_q^\perp(A)$, then they are also a basis for the lattice $\Lambda_q^\perp(xA)$ for any nonzero $x \in \mathbb{Z}_q$.

Learning with errors (LWE) [Reg05]. Fix integers $n, m$, a prime integer $q$ and a noise distribution
$\chi$ over $\mathbb{Z}$. The $(n, m, q, \chi)$-LWE problem is to distinguish the following two distributions:

$$(A, A^T s + e) \qquad \text{and} \qquad (A, u)$$

where $A \leftarrow \mathbb{Z}_q^{n \times m}$, $s \leftarrow \mathbb{Z}_q^n$, $e \leftarrow \chi^m$, $u \leftarrow \mathbb{Z}_q^m$ are independently sampled. Throughout the paper
we always set $m = \Theta(n \log q)$ and simply refer to the $(n, q, \chi)$-LWE problem.

We say that a noise distribution $\chi$ is $B$-bounded if its support is in $[-B, B]$. For any fixed $d > 0$
and sufficiently large $q$, Regev [Reg05] (through a quantum reduction) and Peikert [Pei09] (through
a classical reduction) show that taking $\chi$ as a certain $q/n^d$-bounded distribution, the $(n, q, \chi)$-LWE
problem is as hard as approximating the worst-case GapSVP to $n^{O(d)}$ factors, which is believed to
be intractable. More generally, let $\chi_{\max} < q$ be the bound on the noise distribution. The difficulty
of the LWE problem is measured by the ratio $q/\chi_{\max}$. This ratio is always bigger than 1 and the
smaller it is the harder the problem. The problem appears to remain hard even when $q/\chi_{\max} \le 2^{n^\epsilon}$
for some fixed $\epsilon \in (0, 1/2)$.

Matrix norms. For a vector $u$ we let $\|u\|$ denote its $\ell_2$ norm. For a matrix $R \in \mathbb{Z}^{k \times m}$, let $\tilde{R}$ be
the result of applying Gram-Schmidt (GS) orthogonalization to the columns of $R$. We define three
matrix norms:

• $\|R\|$ denotes the $\ell_2$ length of the longest column of $R$.

• $\|R\|_{GS} = \|\tilde{R}\|$ where $\tilde{R}$ is the GS orthogonalization of $R$.

• $\|R\|_2$ is the operator norm of $R$ defined as $\|R\|_2 = \sup_{\|x\| = 1} \|Rx\|$.

Note that $\|R\|_{GS} \le \|R\| \le \|R\|_2 \le \sqrt{k}\,\|R\|$ and that $\|R \cdot S\|_2 \le \|R\|_2 \cdot \|S\|_2$.

We will use the following algorithm throughout our paper:

$\mathrm{BD}(A) \to R$ where $m = n \lceil \log q \rceil$: a deterministic algorithm that takes in a matrix $A \in \mathbb{Z}_q^{n \times m}$
and outputs a matrix $R \in \mathbb{Z}_q^{m \times m}$, where each element $a \in \mathbb{Z}_q$ that belongs to the matrix $A$
gets transformed into a column vector $r \in \mathbb{Z}_q^{\lceil \log q \rceil}$, $r = [a_0, \ldots, a_{\lceil \log q \rceil - 1}]^T$. Here $a_i$ is the $i$-th
bit of the binary decomposition of $a$ ordered from LSB to MSB.

Claim 2.3. For any matrix $A \in \mathbb{Z}_q^{n \times m}$, the matrix $R = \mathrm{BD}(A)$ has norms $\|R\|_2 \le m$ and
$\|R^T\|_2 \le m$.
Trapdoor generators. The following lemma states properties of algorithms for generating short
bases of lattices.

Lemma 2.4. Let $n, m, q > 0$ be integers with $q$ prime. There are polynomial time algorithms with
the properties below:

• $\mathrm{TrapGen}(1^n, 1^m, q) \to (A, T_A)$ ([Ajt99, AP09, MP12]): a randomized algorithm that, when
$m = \Theta(n \log q)$, outputs a full-rank matrix $A \in \mathbb{Z}_q^{n \times m}$ and basis $T_A \in \mathbb{Z}^{m \times m}$ for $\Lambda_q^\perp(A)$ such
that $A$ is $\mathrm{negl}(n)$-close to uniform and $\|T_A\|_{GS} = O(\sqrt{n \log q})$, with all but negligible probability
in $n$.

• $\mathrm{ExtendRight}(A, T_A, B) \to T_{(A \mid B)}$ ([CHKP10]): a deterministic algorithm that given full-
rank matrices $A, B \in \mathbb{Z}_q^{n \times m}$ and a basis $T_A$ of $\Lambda_q^\perp(A)$ outputs a basis $T_{(A \mid B)}$ of $\Lambda_q^\perp(A \mid B)$
such that $\|T_A\|_{GS} = \|T_{(A \mid B)}\|_{GS}$.

• $\mathrm{ExtendLeft}(A, G, T_G, S) \to T_H$ where $H = (A \mid G + AS)$ ([ABB10]): a deterministic
algorithm that given full-rank matrices $A, G \in \mathbb{Z}_q^{n \times m}$ and a basis $T_G$ of $\Lambda_q^\perp(G)$ outputs a
basis $T_H$ of $\Lambda_q^\perp(H)$ such that $\|T_H\|_{GS} \le \|T_G\|_{GS} \cdot (1 + \|S\|_2)$.

• For $m = n \lceil \log q \rceil$ there is a fixed full-rank matrix $G \in \mathbb{Z}_q^{n \times m}$ s.t. the lattice $\Lambda_q^\perp(G)$ has a
publicly known basis $T_G \in \mathbb{Z}^{m \times m}$ with $\|T_G\|_{GS} \le \sqrt{5}$. The matrix $G$ is such that for any
matrix $A \in \mathbb{Z}_q^{n \times m}$, $G \cdot \mathrm{BD}(A) = A$.

To simplify the notation we will always assume that the matrix $G$ from part 4 of Lemma 2.4 has
the same width $m$ as the matrix $A$ output by algorithm $\mathrm{TrapGen}$ from part 1 of the lemma. We
do so without loss of generality since $G$ can always be extended to the size of $A$ by adding zero
columns on the right of $G$.

Discrete Gaussians. Regev [Reg05] defined a natural distribution on $\Lambda_q^u(A)$ called a discrete
Gaussian parameterized by a scalar $\sigma > 0$. We use $\mathcal{D}_\sigma(\Lambda_q^u(A))$ to denote this distribution. For a
random matrix $A \in \mathbb{Z}_q^{n \times m}$ and $\sigma = \tilde{\Omega}(\sqrt{n})$, a vector $x$ sampled from $\mathcal{D}_\sigma(\Lambda_q^u(A))$ has $\ell_2$ norm less
than $\sigma \sqrt{m}$ with probability at least $1 - \mathrm{negl}(m)$.

For a matrix $U = (u_1 \mid \cdots \mid u_k) \in \mathbb{Z}_q^{n \times k}$ we let $\mathcal{D}_\sigma(\Lambda_q^U(A))$ be a distribution on matrices in $\mathbb{Z}^{m \times k}$
where the $i$-th column is sampled from $\mathcal{D}_\sigma(\Lambda_q^{u_i}(A))$ independently for $i = 1, \ldots, k$. Clearly if $R$ is
sampled from $\mathcal{D}_\sigma(\Lambda_q^U(A))$ then $AR = U$ in $\mathbb{Z}_q$.

Lemma 2.5. For integers $n, m, k, q, \sigma > 0$, matrices $A \in \mathbb{Z}_q^{n \times m}$ and $U \in \mathbb{Z}_q^{n \times k}$, if $R \in \mathbb{Z}^{m \times k}$ is
sampled from $\mathcal{D}_\sigma(\Lambda_q^U(A))$ and $S$ is sampled uniformly in $\{\pm 1\}^{m \times m}$ then

$$\|R^T\|_2 \le \sigma \sqrt{mk}, \qquad \|R\|_2 \le \sigma \sqrt{mk}, \qquad \|S\|_2 \le 20 \sqrt{m}$$

with overwhelming probability in $m$.

Proof. For the $\{\pm 1\}$ matrix $S$ the lemma follows from Litvak et al. [LPRTJ05] (Fact 2.4). For the
matrix $R$ the lemma follows from the fact that $\|R^T\|_2 \le \sqrt{k} \cdot \|R\| \le \sqrt{k}(\sigma \sqrt{m})$. □
Solving $AX = U$. We review algorithms for finding a low-norm matrix $X \in \mathbb{Z}^{m \times k}$ such that
$AX = U$.

Lemma 2.6. Let $A \in \mathbb{Z}_q^{n \times m}$ and $T_A \in \mathbb{Z}^{m \times m}$ be a basis for $\Lambda_q^\perp(A)$. Let $U \in \mathbb{Z}_q^{n \times k}$. There are
polynomial time algorithms that output $X \in \mathbb{Z}^{m \times k}$ satisfying $AX = U$ with the properties below:

• $\mathrm{SampleD}(A, T_A, U, \sigma) \to X$ ([GPV08]): a randomized algorithm that, when $\sigma = \|T_A\|_{GS} \cdot \omega(\sqrt{\log m})$,
outputs a random sample $X$ from a distribution that is statistically close to
$\mathcal{D}_\sigma(\Lambda_q^U(A))$.

• $\mathrm{RandBasis}(A, T_A, \sigma) \to T'_A$ ([CHKP10]): a randomized algorithm that, when $\sigma = \|T_A\|_{GS} \cdot \omega(\sqrt{\log m})$,
outputs a basis $T'_A$ of $\Lambda_q^\perp(A)$ sampled from a distribution that is statistically close
to $(\mathcal{D}_\sigma(\Lambda_q^\perp(A)))^m$. Note that $\|T'_A\|_{GS} < \sigma \sqrt{m}$ with all but negligible probability.

Randomness extraction. We conclude with a variant of the left-over hash lemma from [ABB10].

Lemma 2.7. Suppose that $m > (n + 1) \log_2 q + \omega(\log n)$ and that $q > 2$ is prime. Let $S$ be an $m \times k$
matrix chosen uniformly in $\{1, -1\}^{m \times k} \bmod q$ where $k = k(n)$ is polynomial in $n$. Let $A$ and $B$
be matrices chosen uniformly in $\mathbb{Z}_q^{n \times m}$ and $\mathbb{Z}_q^{n \times k}$ respectively. Then, for all vectors $e$ in $\mathbb{Z}_q^m$, the
distribution $(A, AS, S^T e)$ is statistically close to the distribution $(A, B, S^T e)$.

Note that the lemma holds for every vector $e$ in $\mathbb{Z}_q^m$, including low norm vectors.

Additional algorithms. Throughout the paper we will use the following algorithms:

Lemma 2.8. • $\mathrm{SampleRight}(A, T_A, B, U, \sigma)$: a randomized algorithm that given full-rank matrices
$A, B \in \mathbb{Z}_q^{n \times m}$, matrix $U \in \mathbb{Z}_q^{n \times m}$, a basis $T_A$ of $\Lambda_q^\perp(A)$ and $\sigma = \|T_A\|_{GS} \cdot \omega(\sqrt{\log m})$,
outputs a random sample $X \in \mathbb{Z}_q^{2m \times m}$ from a distribution that is statistically close to $\mathcal{D}_\sigma(\Lambda_q^U((A \mid B)))$.
This algorithm is the composition of two algorithms: $\mathrm{ExtendRight}(A, T_A, B) \to T_{(A \mid B)}$ and
$\mathrm{SampleD}((A \mid B), T_{(A \mid B)}, U, \sigma) \to X$.

• $\mathrm{SampleLeft}(A, S, y, U, \sigma)$: a randomized algorithm that given a full-rank matrix $A \in \mathbb{Z}_q^{n \times m}$,
matrices $S \in \mathbb{Z}_q^{m \times m}$ and $U \in \mathbb{Z}_q^{n \times m}$, $y \ne 0 \in \mathbb{Z}_q$ and $\sigma = \sqrt{5} \cdot (1 + \|S\|_2) \cdot \omega(\sqrt{\log m})$, outputs a random sample
$X \in \mathbb{Z}_q^{2m \times m}$ from a distribution that is statistically close to $\mathcal{D}_\sigma(\Lambda_q^U((A \mid yG + AS)))$, where
$G$ is the matrix from Lemma 2.4, part 4. This algorithm is the composition of two algorithms:
$\mathrm{ExtendLeft}(A, yG, T_G, S) \to T_{(A \mid yG + AS)}$ and $\mathrm{SampleD}((A \mid yG + AS), T_{(A \mid yG + AS)}, U, \sigma) \to X$.
(By the elementary fact above, $T_G$ is also a basis of $\Lambda_q^\perp(yG)$ for nonzero $y$, which is why $\mathrm{ExtendLeft}$ can be called with $T_G$.)

2.3 Multilinear Maps

Assume there exists a group generator $\mathcal{G}$ that takes the security parameter $1^\lambda$ and the pairing
bound $k$ and outputs groups $G_1, \ldots, G_k$ each of large prime order $q > 2^\lambda$. Let $g_i$ be the generator
of group $G_i$ and let $g = g_1$. In addition, the algorithm outputs a description of a set of bilinear
maps:

$$\{ e_{i,j} : G_i \times G_j \to G_{i+j} \mid i, j \ge 1, \ i + j \le k \}$$

satisfying $e_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab}$ for all $a, b \in \mathbb{Z}_q$. We sometimes omit writing $e_{i,j}$ and for convenience simply
use $e$ as the map descriptor.

Definition 2.9 ($(k, \ell)$-Multilinear Diffie-Hellman Exponent Assumption). The challenger runs $\mathcal{G}(1^\lambda, k)$
to generate groups $G_1, \ldots, G_k$, generators $g_1, \ldots, g_k$ and the map descriptions $e_{i,j}$. Next, it picks
$c_1, c_2, \ldots, c_k \in \mathbb{Z}_q$ at random. The $(k, \ell)$-MDHE problem is hard if no adversary can distinguish
between the following two experiments with better than negligible advantage in $\lambda$:

$$\bigl(g^{c_1}, g^{c_1^2}, \ldots, g^{c_1^{\ell}}, \ g^{c_1^{\ell+2}}, \ldots, g^{c_1^{2\ell}}, \ g^{c_2}, \ldots, g^{c_k}, \ \beta = g_k^{c_1^{\ell+1} \prod_{i=2}^{k} c_i}\bigr)$$

and

$$\bigl(g^{c_1}, g^{c_1^2}, \ldots, g^{c_1^{\ell}}, \ g^{c_1^{\ell+2}}, \ldots, g^{c_1^{2\ell}}, \ g^{c_2}, \ldots, g^{c_k}, \ \beta\bigr)$$

where $\beta$ is a randomly chosen element in $G_k$.

We note that if $k = 2$, then this corresponds exactly to the bilinear Diffie-Hellman Exponent
Assumption (BDHE). Also, it is easy to compute $g_k^{c_1^{\ell+1} \prod_{2 \le i \le k-1} c_i}$ by repeated pairing of the challenge
components (pair $g^{c_1}$ with $g^{c_1^{\ell}}$ and then with $g^{c_2}, \ldots, g^{c_{k-1}}$); what the assumption rules out is
attaching the last factor $c_k$ without exceeding the pairing bound.


3  Fully  Key-Homomorphic  PKE  (FKHE) 

Our  new  ABE  constructions  are  a  direct  application  of  fully  key-homomorphic  public-key  encryption 
(FKHE),  a  notion  that  we  introduce.  Such  systems  are  public- key  encryption  schemes  that  are 
homomorphic  with  respect  to  the  public  encryption  key.  We  begin  by  precisely  defining  FKHE  and 
then  show  that  a  key-policy  ABE  with  short  keys  arises  naturally  from  such  a  system. 

Let  {TxIaen  and  {TaIasN  be  sequences  of  finite  sets.  Let  {Ta}asn  be  a  sequence  of  sets  of 
functions,  namely  J-\  =  {/  :  X(  — >  Ta}  f°r  some  l  >  0.  Public  keys  in  an  FKHE  scheme  are  pairs 
(x,  /)  G  Ta  x  J~\.  We  call  x  the  “value”  and  /  the  associated  function.  All  such  pairs  are  valid 
public  keys.  We  also  allow  tuples  x  G  X,  to  function  as  public  keys.  To  simplify  the  notation  we 
often  drop  the  subscript  A  and  simply  refer  to  sets  X,  y  and  T . 

In  our  constructions  we  set  X  =  7Lq  for  some  q  and  let  T  be  the  set  of  Kvariate  functions  on  7Lq 
computable  by  polynomial  size  arithmetic  circuits. 

Now, an FKHE scheme for the family of functions $\mathcal{F}$ consists of five PPT algorithms:

• $\mathrm{Setup}_{\mathrm{FKHE}}(1^\lambda) \to (\mathrm{mpk}_{\mathrm{FKHE}}, \mathrm{msk}_{\mathrm{FKHE}})$: outputs a master secret key $\mathrm{msk}_{\mathrm{FKHE}}$ and public parameters $\mathrm{mpk}_{\mathrm{FKHE}}$.

• $\mathrm{KeyGen}_{\mathrm{FKHE}}(\mathrm{msk}_{\mathrm{FKHE}}, (y, f)) \to \mathrm{sk}_{y,f}$: outputs a decryption key for the public key $(y, f) \in \mathcal{Y} \times \mathcal{F}$.

• $\mathrm{E}_{\mathrm{FKHE}}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathbf{x} \in \mathcal{X}^{\ell}, \mu) \to c_{\mathbf{x}}$: encrypts message $\mu$ under the public key $\mathbf{x}$.

• $\mathrm{Eval}$: a deterministic algorithm that implements key-homomorphism. Let $c$ be an encryption of message $\mu$ under public key $\mathbf{x} \in \mathcal{X}^{\ell}$. For a function $f : \mathcal{X}^{\ell} \to \mathcal{Y}$ in $\mathcal{F}$ the algorithm does

    $\mathrm{Eval}(f, \mathbf{x}, c) \to c_f$

  where if $y = f(x_1, \ldots, x_\ell)$ then $c_f$ is an encryption of message $\mu$ under public key $(y, f)$.

• $\mathrm{D}_{\mathrm{FKHE}}(\mathrm{sk}_{y,f}, c)$: decrypts a ciphertext $c$ with key $\mathrm{sk}_{y,f}$. If $c$ is an encryption of $\mu$ under public key $(x, g)$ then decryption succeeds only when $x = y$ and $f$ and $g$ are identical arithmetic circuits.

Algorithm $\mathrm{Eval}$ captures the key-homomorphic property of the system: a ciphertext $c$ encrypted with key $\mathbf{x} = (x_1, \ldots, x_\ell)$ is transformed into a ciphertext $c_f$ encrypted under key $(f(x_1, \ldots, x_\ell), f)$.

Correctness. The key-homomorphic property is stated formally in the following requirement: for all $(\mathrm{mpk}_{\mathrm{FKHE}}, \mathrm{msk}_{\mathrm{FKHE}})$ output by $\mathrm{Setup}_{\mathrm{FKHE}}$, all messages $\mu$, all $f \in \mathcal{F}$, and all $\mathbf{x} = (x_1, \ldots, x_\ell) \in \mathcal{X}^{\ell}$:

    If $c \leftarrow \mathrm{E}_{\mathrm{FKHE}}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathbf{x}, \mu)$, $y = f(x_1, \ldots, x_\ell)$, $c_f = \mathrm{Eval}(f, \mathbf{x}, c)$ and $\mathrm{sk} \leftarrow \mathrm{KeyGen}_{\mathrm{FKHE}}(\mathrm{msk}_{\mathrm{FKHE}}, (y, f))$,

    then $\mathrm{D}_{\mathrm{FKHE}}(\mathrm{sk}, c_f) = \mu$.

An ABE from an FKHE. An FKHE for a family of functions $\mathcal{F} = \{f : \mathcal{X}^{\ell} \to \mathcal{Y}\}$ immediately gives a key-policy ABE. Attribute vectors for the ABE are $\ell$-tuples over $\mathcal{X}$ and the supported key-policies are functions in $\mathcal{F}$. The ABE system works as follows:

• $\mathrm{Setup}(1^\lambda, \ell)$: Run $\mathrm{Setup}_{\mathrm{FKHE}}(1^\lambda)$ to get public parameters mpk and master secret msk. These function as the ABE public parameters and master secret.

• $\mathrm{Keygen}(\mathrm{msk}, f)$: Output $\mathrm{sk}_f \leftarrow \mathrm{KeyGen}_{\mathrm{FKHE}}(\mathrm{msk}_{\mathrm{FKHE}}, (0, f))$.

  Jumping ahead, we remark that in our FKHE instantiation (in Section 4), the number of bits needed to encode the function $f$ in $\mathrm{sk}_f$ depends only on the depth of the circuit computing $f$, not its size. Therefore, the size of $\mathrm{sk}_f$ depends only on the depth complexity of $f$.

• $\mathrm{Enc}(\mathrm{mpk}, \mathbf{x} \in \mathcal{X}^{\ell}, \mu)$: output $(\mathbf{x}, c)$ where $c \leftarrow \mathrm{E}_{\mathrm{FKHE}}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathbf{x}, \mu)$.

• $\mathrm{Dec}(\mathrm{sk}_f, (\mathbf{x}, c))$: if $f(\mathbf{x}) = 0$ set $c_f = \mathrm{Eval}(f, \mathbf{x}, c)$ and output the decrypted answer $\mathrm{D}_{\mathrm{FKHE}}(\mathrm{sk}_f, c_f)$.

  Note that $c_f$ is the encryption of the plaintext under the public key $(f(\mathbf{x}), f)$. Since $\mathrm{sk}_f$ is the decryption key for the public key $(0, f)$, decryption succeeds whenever $f(\mathbf{x}) = 0$, as required.

The security of FKHE systems. Security for a fully key-homomorphic encryption system is defined so as to make the ABE system above secure. More precisely, we define security as follows.

Definition 3.1 (Selectively-secure FKHE). A fully key-homomorphic encryption scheme $\Pi = (\mathrm{Setup}_{\mathrm{FKHE}}, \mathrm{KeyGen}_{\mathrm{FKHE}}, \mathrm{E}_{\mathrm{FKHE}}, \mathrm{Eval})$ for a class of functions $\mathcal{F}_\lambda = \{f : \mathcal{X}_\lambda^{\ell(\lambda)} \to \mathcal{Y}_\lambda\}$ is selectively secure if for all p.p.t. adversaries $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3)$ there is a negligible function $\nu(\lambda)$ such that

    $\mathrm{Adv}^{\mathrm{FKHE}}_{\Pi,\mathcal{A}}(\lambda) = \left|\Pr\big[\mathrm{EXP}^{(0)}_{\mathrm{FKHE},\Pi,\mathcal{A}}(\lambda) = 1\big] - \Pr\big[\mathrm{EXP}^{(1)}_{\mathrm{FKHE},\Pi,\mathcal{A}}(\lambda) = 1\big]\right| \le \nu(\lambda),$

where for each $b \in \{0, 1\}$ and $\lambda \in \mathbb{N}$ the experiment $\mathrm{EXP}^{(b)}_{\mathrm{FKHE},\Pi,\mathcal{A}}(\lambda)$ is defined as:

1. $(\mathbf{x}^* \in \mathcal{X}_\lambda^{\ell(\lambda)}, \mathrm{state}_1) \leftarrow \mathcal{A}_1(\lambda)$
2. $(\mathrm{mpk}_{\mathrm{FKHE}}, \mathrm{msk}_{\mathrm{FKHE}}) \leftarrow \mathrm{Setup}_{\mathrm{FKHE}}(\lambda)$
3. $(\mu_0, \mu_1, \mathrm{state}_2) \leftarrow \mathcal{A}_2^{\mathrm{KG}_{\mathrm{KH}}(\mathrm{msk}_{\mathrm{FKHE}}, \mathbf{x}^*, \cdot, \cdot)}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathrm{state}_1)$
4. $c^* \leftarrow \mathrm{E}_{\mathrm{FKHE}}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathbf{x}^*, \mu_b)$
5. $b' \leftarrow \mathcal{A}_3^{\mathrm{KG}_{\mathrm{KH}}(\mathrm{msk}_{\mathrm{FKHE}}, \mathbf{x}^*, \cdot, \cdot)}(c^*, \mathrm{state}_2)$  // $\mathcal{A}$ outputs a guess $b'$ for $b$
6. output $b' \in \{0, 1\}$

where $\mathrm{KG}_{\mathrm{KH}}(\mathrm{msk}_{\mathrm{FKHE}}, \mathbf{x}^*, y, f)$ is an oracle that on input $f \in \mathcal{F}_\lambda$ and $y \in \mathcal{Y}_\lambda$ returns $\bot$ whenever $f(\mathbf{x}^*) = y$, and otherwise returns $\mathrm{KeyGen}_{\mathrm{FKHE}}(\mathrm{msk}_{\mathrm{FKHE}}, (y, f))$.

With  Definition  3.1  the  following  theorem  is  now  immediate. 

Theorem 3.2. The ABE system above is selectively secure provided the underlying FKHE is selectively secure.

4  An  ABE  and  FKHE  for  arithmetic  circuits  from  LWE 

We  now  turn  to  building  an  FKHE  for  arithmetic  circuits  from  the  learning  with  errors  (LWE) 
problem.  This  directly  gives  an  ABE  with  short  private  keys  as  explained  in  Section  3.  Our 
construction  follows  the  key-homomorphism  paradigm  outlined  in  the  introduction. 

For integers $n$ and $q = q(n)$ let $m = \Theta(n \log q)$. Let $\mathbf{G} \in \mathbb{Z}_q^{n\times m}$ be the fixed matrix from Lemma 2.4 (part 4). For $x \in \mathbb{Z}_q$, $\mathbf{B} \in \mathbb{Z}_q^{n\times m}$, $\mathbf{s} \in \mathbb{Z}_q^{n}$, and $\delta > 0$ define the set

    $E_{\mathbf{s},\delta}(x, \mathbf{B}) = \big\{\, (x\mathbf{G} + \mathbf{B})^{\mathsf{T}}\mathbf{s} + \mathbf{e} \in \mathbb{Z}_q^{m} \;:\; \|\mathbf{e}\| < \delta \,\big\}$

For now we will assume the existence of three efficient deterministic algorithms $\mathrm{Eval}_{\mathrm{pk}}$, $\mathrm{Eval}_{\mathrm{ct}}$, $\mathrm{Eval}_{\mathrm{sim}}$ that implement the key-homomorphic features of the scheme and are at the heart of the construction. We present them in the next section. These three algorithms must satisfy the following properties with respect to some family of functions $\mathcal{F} = \{f : (\mathbb{Z}_q)^{\ell} \to \mathbb{Z}_q\}$ and a function $\alpha_{\mathcal{F}} : \mathbb{Z} \to \mathbb{Z}$.

• $\mathrm{Eval}_{\mathrm{pk}}(f \in \mathcal{F},\ \vec{\mathbf{B}} \in (\mathbb{Z}_q^{n\times m})^{\ell}) \to \mathbf{B}_f \in \mathbb{Z}_q^{n\times m}$.

• $\mathrm{Eval}_{\mathrm{ct}}(f \in \mathcal{F},\ ((x_i, \mathbf{B}_i, \mathbf{c}_i))_{i=1}^{\ell}) \to \mathbf{c}_f \in \mathbb{Z}_q^{m}$. Here $x_i \in \mathbb{Z}_q$, $\mathbf{B}_i \in \mathbb{Z}_q^{n\times m}$ and $\mathbf{c}_i \in E_{\mathbf{s},\delta}(x_i, \mathbf{B}_i)$ for some $\mathbf{s} \in \mathbb{Z}_q^{n}$ and $\delta > 0$. Note that the same $\mathbf{s}$ is used for all $\mathbf{c}_i$. The output $\mathbf{c}_f$ must satisfy

    $\mathbf{c}_f \in E_{\mathbf{s},\Delta}(f(\mathbf{x}), \mathbf{B}_f)$ where $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{B}_1, \ldots, \mathbf{B}_\ell))$

  and $\mathbf{x} = (x_1, \ldots, x_\ell)$. We further require that $\Delta < \delta \cdot \alpha_{\mathcal{F}}(n)$ for some function $\alpha_{\mathcal{F}}(n)$ that measures the increase in the noise magnitude in $\mathbf{c}_f$ compared to the input ciphertexts.

  This algorithm captures the key-homomorphic property: it translates ciphertexts encrypted under public keys $\{x_i\}_{i=1}^{\ell}$ into a ciphertext $\mathbf{c}_f$ encrypted under public key $(f(\mathbf{x}), f)$.

• $\mathrm{Eval}_{\mathrm{sim}}(f \in \mathcal{F},\ ((x_i^*, \mathbf{S}_i))_{i=1}^{\ell},\ \mathbf{A}) \to \mathbf{S}_f \in \mathbb{Z}_q^{m\times m}$. Here $x_i^* \in \mathbb{Z}_q$ and $\mathbf{S}_i \in \mathbb{Z}_q^{m\times m}$. With $\mathbf{x}^* = (x_1^*, \ldots, x_\ell^*)$, the output $\mathbf{S}_f$ satisfies

    $\mathbf{A}\mathbf{S}_f - f(\mathbf{x}^*)\mathbf{G} = \mathbf{B}_f$ where $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{A}\mathbf{S}_1 - x_1^*\mathbf{G}, \ldots, \mathbf{A}\mathbf{S}_\ell - x_\ell^*\mathbf{G}))$.

  We further require that for all $f \in \mathcal{F}$, if $\mathbf{S}_1, \ldots, \mathbf{S}_\ell$ are random matrices in $\{\pm 1\}^{m\times m}$ then $\|\mathbf{S}_f\|_2 < \alpha_{\mathcal{F}}(n)$ with all but negligible probability.
Definition 4.1. The deterministic algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ are $\alpha_{\mathcal{F}}$-FKHE enabling for some family of functions $\mathcal{F} = \{f : (\mathbb{Z}_q)^{\ell} \to \mathbb{Z}_q\}$ if there are functions $q = q(n)$ and $\alpha_{\mathcal{F}} = \alpha_{\mathcal{F}}(n)$ for which the properties above are satisfied.

We want $\alpha_{\mathcal{F}}$-FKHE enabling algorithms for a large function family $\mathcal{F}$ and the smallest possible $\alpha_{\mathcal{F}}$. In the next section we build these algorithms for polynomial-size arithmetic circuits. The function $\alpha_{\mathcal{F}}(n)$ will depend on the depth of circuits in the family.

The FKHE system. Given FKHE-enabling algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ for a family of functions $\mathcal{F} = \{f : (\mathbb{Z}_q)^{\ell} \to \mathbb{Z}_q\}$ we build an FKHE for the same family of functions $\mathcal{F}$. We prove selective security based on the learning with errors problem.

• Parameters: Choose $n$ and $q = q(n)$ as needed for $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ to be $\alpha_{\mathcal{F}}$-FKHE enabling for the function family $\mathcal{F}$. In addition, let $\chi$ be a $\chi_{\max}$-bounded noise distribution for which the $(n, q, \chi)$-LWE problem is hard, as discussed in Appendix 2.2. As usual, we set $m = \Theta(n \log q)$.

  Set $\sigma = \omega(\alpha_{\mathcal{F}} \cdot \sqrt{\log m})$. We instantiate these parameters concretely in the next section.

  For correctness of the scheme we require that $\alpha_{\mathcal{F}}^{2} \cdot m < \frac{1}{12}\cdot(q/\chi_{\max})$ (so that the noise bound $3\alpha_{\mathcal{F}}^{2}\cdot\chi_{\max}\cdot m$ derived below stays under $q/4$) and $\alpha_{\mathcal{F}} > \sqrt{n \log m}$.

• $\mathrm{Setup}_{\mathrm{FKHE}}(1^\lambda) \to (\mathrm{mpk}_{\mathrm{FKHE}}, \mathrm{msk}_{\mathrm{FKHE}})$: Run algorithm $\mathrm{TrapGen}(1^n, 1^m, q)$ from Lemma 2.4 (part 1) to generate $(\mathbf{A}, \mathbf{T}_{\mathbf{A}})$ where $\mathbf{A}$ is a uniform full-rank matrix in $\mathbb{Z}_q^{n\times m}$.

  Choose random matrices $\mathbf{D}, \mathbf{B}_1, \ldots, \mathbf{B}_\ell \in \mathbb{Z}_q^{n\times m}$ and output a master secret key $\mathrm{msk}_{\mathrm{FKHE}}$ and public parameters $\mathrm{mpk}_{\mathrm{FKHE}}$:

    $\mathrm{mpk}_{\mathrm{FKHE}} = (\mathbf{A}, \mathbf{D}, \mathbf{B}_1, \ldots, \mathbf{B}_\ell)$ ; $\mathrm{msk}_{\mathrm{FKHE}} = (\mathbf{T}_{\mathbf{A}})$

• $\mathrm{KeyGen}_{\mathrm{FKHE}}(\mathrm{msk}_{\mathrm{FKHE}}, (y, f)) \to \mathrm{sk}_{y,f}$: Let $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{B}_1, \ldots, \mathbf{B}_\ell))$.

  Output $\mathrm{sk}_{y,f} := \mathbf{R}_f$ where $\mathbf{R}_f$ is a low-norm matrix in $\mathbb{Z}^{2m\times m}$ sampled from the discrete Gaussian distribution $\mathcal{D}_\sigma\big(\Lambda_q^{\mathbf{D}}(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\big)$ so that $(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f) \cdot \mathbf{R}_f = \mathbf{D}$.

  To construct $\mathbf{R}_f$ run algorithm $\mathrm{SampleRight}(\mathbf{A}, \mathbf{T}_{\mathbf{A}}, y\mathbf{G} + \mathbf{B}_f, \mathbf{D}, \sigma)$ from Lemma 2.8, part 1. Here $\sigma$ is sufficiently large for algorithm SampleRight since $\sigma = \|\mathbf{T}_{\mathbf{A}}\|_{\mathrm{GS}} \cdot \omega(\sqrt{\log m})$, where $\|\mathbf{T}_{\mathbf{A}}\|_{\mathrm{GS}} = O(\sqrt{n \log q})$.

  Note that the secret key $\mathrm{sk}_{y,f}$ is always in $\mathbb{Z}^{2m\times m}$, independent of the complexity of the function $f$. We assume $\mathrm{sk}_{y,f}$ also implicitly includes $\mathrm{mpk}_{\mathrm{FKHE}}$.

• $\mathrm{E}_{\mathrm{FKHE}}(\mathrm{mpk}_{\mathrm{FKHE}}, \mathbf{x} \in \mathbb{Z}_q^{\ell}, \mu \in \{0,1\}^{m}) \to \mathbf{c}_{\mathbf{x}}$: Choose a random $n$-dimensional vector $\mathbf{s} \leftarrow \mathbb{Z}_q^{n}$ and error vectors $\mathbf{e}_0, \mathbf{e}_1 \leftarrow \chi^{m}$. Choose $\ell$ uniformly random matrices $\mathbf{S}_i \leftarrow \{\pm 1\}^{m\times m}$ for $i \in [\ell]$. Set $\mathbf{H} \in \mathbb{Z}_q^{n\times(\ell+1)m}$ and $\mathbf{e} \in \mathbb{Z}_q^{(\ell+1)m}$ as

    $\mathbf{H} = (\mathbf{A} \mid x_1\mathbf{G} + \mathbf{B}_1 \mid \cdots \mid x_\ell\mathbf{G} + \mathbf{B}_\ell) \in \mathbb{Z}_q^{n\times(\ell+1)m}$
    $\mathbf{e} = (\mathbf{I}_m \mid \mathbf{S}_1 \mid \cdots \mid \mathbf{S}_\ell)^{\mathsf{T}} \cdot \mathbf{e}_0 \in \mathbb{Z}_q^{(\ell+1)m}$

  Let $\mathbf{c}_{\mathbf{x}} = \big(\mathbf{H}^{\mathsf{T}}\mathbf{s} + \mathbf{e},\; \mathbf{D}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_1 + \lfloor q/2 \rfloor\mu\big) \in \mathbb{Z}_q^{(\ell+2)m}$. Output the ciphertext $\mathbf{c}_{\mathbf{x}}$.

• $\mathrm{D}_{\mathrm{FKHE}}(\mathrm{sk}_{y,f}, \mathbf{c})$: Let $\mathbf{c}$ be the encryption of $\mu$ under public key $(x, g)$. If $x \neq y$ or $f$ and $g$ are not identical arithmetic circuits, output $\bot$. Otherwise, let $\mathbf{c} = (\mathbf{c}_{\mathrm{in}}, \mathbf{c}_1, \ldots, \mathbf{c}_\ell, \mathbf{c}_{\mathrm{out}}) \in \mathbb{Z}_q^{(\ell+2)m}$.

  Set $\mathbf{c}_f = \mathrm{Eval}_{\mathrm{ct}}\big(f, \{(x_i, \mathbf{B}_i, \mathbf{c}_i)\}_{i=1}^{\ell}\big) \in \mathbb{Z}_q^{m}$.

  Let $\mathbf{c}'_f = (\mathbf{c}_{\mathrm{in}} \mid \mathbf{c}_f) \in \mathbb{Z}_q^{2m}$ and output $\mathrm{Round}(\mathbf{c}_{\mathrm{out}} - \mathbf{R}_f^{\mathsf{T}}\mathbf{c}'_f) \in \{0,1\}^{m}$.

This  completes  the  description  of  the  system. 

Correctness. The correctness of the scheme follows from our choice of parameters and, in particular, from the requirement $\alpha_{\mathcal{F}}^{2}\cdot m < \frac{1}{12}\cdot(q/\chi_{\max})$. Specifically, to show correctness, first note that when $f(\mathbf{x}) = y$ we know by the requirement on $\mathrm{Eval}_{\mathrm{ct}}$ that $\mathbf{c}_f$ is in $E_{\mathbf{s},\Delta}(y, \mathbf{B}_f)$, so that $\mathbf{c}_f = (y\mathbf{G} + \mathbf{B}_f)^{\mathsf{T}}\mathbf{s} + \mathbf{e}$ with $\|\mathbf{e}\| < \Delta$. Consequently,

    $\mathbf{c}'_f = (\mathbf{c}_{\mathrm{in}} \mid \mathbf{c}_f) = (\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)^{\mathsf{T}}\mathbf{s} + \mathbf{e}'$ where $\|\mathbf{e}'\| < \Delta + \chi_{\max} < (\alpha_{\mathcal{F}} + 1)\chi_{\max}$.

Since $\mathbf{R}_f \in \mathbb{Z}^{2m\times m}$ is sampled from the distribution $\mathcal{D}_\sigma\big(\Lambda_q^{\mathbf{D}}(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\big)$ we know that $(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\cdot\mathbf{R}_f = \mathbf{D}$ and, by Lemma 2.5, $\|\mathbf{R}_f\|_2 < 2m\sigma$ with overwhelming probability. Therefore

    $\mathbf{c}_{\mathrm{out}} - \mathbf{R}_f^{\mathsf{T}}\mathbf{c}'_f = \big(\mathbf{D}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_1 + \lfloor q/2\rfloor\mu\big) - \big(\mathbf{D}^{\mathsf{T}}\mathbf{s} + \mathbf{R}_f^{\mathsf{T}}\mathbf{e}'\big) = \lfloor q/2\rfloor\mu + \mathbf{e}_1 - \mathbf{R}_f^{\mathsf{T}}\mathbf{e}'$

and $\|\mathbf{e}_1 - \mathbf{R}_f^{\mathsf{T}}\mathbf{e}'\| < \chi_{\max} + 2m\sigma\cdot(\alpha_{\mathcal{F}} + 1)\chi_{\max} < 3\alpha_{\mathcal{F}}^{2}\cdot\chi_{\max}\cdot m$ with overwhelming probability. By the bounds on $\alpha_{\mathcal{F}}$ this quantity is less than $q/4$, so rounding each coordinate to the nearer of $0$ and $\lfloor q/2\rfloor$ recovers every bit of $\mu \in \{0,1\}^{m}$.

Security. Next we prove that our FKHE is selectively secure for the family of functions $\mathcal{F}$ for which algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ are FKHE-enabling.

Theorem 4.2. Given the three algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ for the family of functions $\mathcal{F}$, the FKHE system above is selectively secure with respect to $\mathcal{F}$, assuming the $(n, q, \chi)$-LWE assumption holds, where $n, q, \chi$ are the parameters for the FKHE.

Proof idea. Before giving the complete proof we first briefly sketch the main proof idea, which hinges on the properties of algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ and also employs ideas from [CHKP10, ABB10]. We build an LWE algorithm $\mathcal{B}$ that uses a selective FKHE attacker $\mathcal{A}$ to solve LWE. $\mathcal{B}$ is given an LWE challenge matrix $(\mathbf{A} \mid \mathbf{D}) \in \mathbb{Z}_q^{n\times 2m}$ and two vectors $\mathbf{c}_{\mathrm{in}}, \mathbf{c}_{\mathrm{out}} \in \mathbb{Z}_q^{m}$ that are either random or whose concatenation equals $(\mathbf{A} \mid \mathbf{D})^{\mathsf{T}}\mathbf{s} + \mathbf{e}$ for some small noise vector $\mathbf{e}$.

$\mathcal{A}$ starts by committing to the target attribute vector $\mathbf{x}^* = (x_1^*, \ldots, x_\ell^*) \in \mathbb{Z}_q^{\ell}$. In response $\mathcal{B}$ constructs the FKHE public parameters by choosing random matrices $\mathbf{S}_1^*, \ldots, \mathbf{S}_\ell^*$ in $\{\pm 1\}^{m\times m}$ and setting $\mathbf{B}_i = \mathbf{A}\mathbf{S}_i^* - x_i^*\mathbf{G}$. It gives $\mathcal{A}$ the public parameters $\mathrm{mpk}_{\mathrm{FKHE}} = (\mathbf{A}, \mathbf{D}, \mathbf{B}_1, \ldots, \mathbf{B}_\ell)$. A standard argument shows that each $\mathbf{A}\mathbf{S}_i^*$ is uniformly distributed in $\mathbb{Z}_q^{n\times m}$, so that all $\mathbf{B}_i$ are uniform as required for the public parameters.

Now, consider a private key query from $\mathcal{A}$ for a function $f \in \mathcal{F}$ and attribute $y \in \mathbb{Z}_q$. Only functions $f$ and attributes $y$ for which $y^* = f(x_1^*, \ldots, x_\ell^*) \neq y$ are allowed. Let $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{B}_1, \ldots, \mathbf{B}_\ell))$. Then $\mathcal{B}$ needs to produce a matrix $\mathbf{R}_f$ in $\mathbb{Z}^{2m\times m}$ satisfying $(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\cdot\mathbf{R}_f = \mathbf{D}$. To do so $\mathcal{B}$ needs a short (recoding) matrix with $\mathbf{F}\cdot\mathbf{R}_f = \mathbf{D}$ for $\mathbf{F} = (\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)$, i.e. a sample from the coset lattice $\Lambda_q^{\mathbf{D}}(\mathbf{F})$. In the real key generation algorithm this is obtained from a short basis for $\Lambda_q^{\perp}(\mathbf{A})$ using algorithm SampleRight. Unfortunately, $\mathcal{B}$ has no short basis for $\Lambda_q^{\perp}(\mathbf{A})$.

Instead, as explained below, $\mathcal{B}$ builds a low-norm matrix $\mathbf{S}_f \in \mathbb{Z}_q^{m\times m}$ such that $\mathbf{B}_f = \mathbf{A}\mathbf{S}_f - y^*\mathbf{G}$, so that $\mathbf{F} = (\mathbf{A} \mid \mathbf{A}\mathbf{S}_f + (y - y^*)\mathbf{G})$. Because $y^* \neq y$, algorithm $\mathcal{B}$ can construct the required key as $\mathbf{R}_f \leftarrow \mathrm{SampleLeft}(\mathbf{A}, \mathbf{S}_f, (y - y^*), \mathbf{D}, \sigma)$.

The remaining question is how algorithm $\mathcal{B}$ builds a low-norm matrix $\mathbf{S}_f \in \mathbb{Z}_q^{m\times m}$ such that $\mathbf{B}_f = \mathbf{A}\mathbf{S}_f - y^*\mathbf{G}$. To do so $\mathcal{B}$ uses $\mathrm{Eval}_{\mathrm{sim}}$, giving it the secret matrices $\mathbf{S}_i^*$. More precisely, $\mathcal{B}$ runs $\mathrm{Eval}_{\mathrm{sim}}(f, ((x_i^*, \mathbf{S}_i^*))_{i=1}^{\ell}, \mathbf{A})$ and obtains the required $\mathbf{S}_f$. This lets $\mathcal{B}$ answer all private key queries.

To complete the proof it is not difficult to show that $\mathcal{B}$ can build a challenge ciphertext $\mathbf{c}^*$ for the attribute vector $\mathbf{x}^* \in \mathbb{Z}_q^{\ell}$ that lets it solve the given LWE instance using adversary $\mathcal{A}$. An important point is that $\mathcal{B}$ cannot construct a key that decrypts $\mathbf{c}^*$. The reason is that it cannot build a secret key $\mathrm{sk}_{y,f}$ for functions where $f(\mathbf{x}^*) = y$ (the scalar $y - y^*$ that SampleLeft needs would be zero), and these are the only keys that will decrypt $\mathbf{c}^*$.

Proof of Theorem 4.2. The proof proceeds in a sequence of games where the first game is identical to the ABE game from Definition 2.1. In the last game in the sequence the adversary has advantage zero. We show that a PPT adversary cannot distinguish between the games, which will prove that the adversary has negligible advantage in winning the original ABE security game. The LWE problem is used in proving that Games 2 and 3 are indistinguishable.

Game 0. This is the original ABE security game from Definition 2.1 between an attacker $\mathcal{A}$ against our scheme and an ABE challenger.

Game 1. Recall that in Game 0 part of the public parameters mpk are generated by choosing random matrices $\mathbf{B}_1, \ldots, \mathbf{B}_\ell$ in $\mathbb{Z}_q^{n\times m}$. At the challenge phase (step 4 in Definition 2.1) a challenge ciphertext $\mathbf{c}^*$ is generated. We let $\mathbf{S}_1^*, \ldots, \mathbf{S}_\ell^* \in \{-1, 1\}^{m\times m}$ denote the random matrices generated for the creation of $\mathbf{c}^*$ in the encryption algorithm Enc.

In Game 1 we slightly change how the matrices $\mathbf{B}_1, \ldots, \mathbf{B}_\ell$ are generated for the public parameters. Let $\mathbf{x}^* = (x_1^*, \ldots, x_\ell^*) \in \mathbb{Z}_q^{\ell}$ be the target point that $\mathcal{A}$ intends to attack. In Game 1 the random matrices $\mathbf{S}_1^*, \ldots, \mathbf{S}_\ell^*$ in $\{\pm 1\}^{m\times m}$ are chosen at the setup phase (step 2) and the matrices $\mathbf{B}_1, \ldots, \mathbf{B}_\ell$ are constructed as

    $\mathbf{B}_i := \mathbf{A}\mathbf{S}_i^* - x_i^*\mathbf{G}$    (2)

The remainder of the game is unchanged.

We show that Game 0 is statistically indistinguishable from Game 1 by Lemma 2.7. Observe that in Game 1 the matrices $\mathbf{S}_i^*$ are used only in the construction of the $\mathbf{B}_i$ and in the construction of the challenge ciphertext, where $\mathbf{e} := (\mathbf{I}_m \mid \mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)^{\mathsf{T}}\cdot\mathbf{e}_0$ is used as the noise vector for some $\mathbf{e}_0 \in \mathbb{Z}_q^{m}$. Let $\mathbf{S}^* = (\mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)$; then by Lemma 2.7 the distribution $(\mathbf{A}, \mathbf{A}\mathbf{S}^*, \mathbf{e})$ is statistically close to the distribution $(\mathbf{A}, \mathbf{A}', \mathbf{e})$ where $\mathbf{A}'$ is a uniform matrix in $\mathbb{Z}_q^{n\times \ell m}$. It follows that in the adversary's view all the matrices $\mathbf{A}\mathbf{S}_i^*$ are statistically close to uniform and therefore the $\mathbf{B}_i$ as defined in (2) are close to uniform. Hence, the $\mathbf{B}_i$ in Games 0 and 1 are statistically indistinguishable.

Game 2. We now change how $\mathbf{A}$ in mpk is chosen. In Game 2 we generate $\mathbf{A}$ as a random matrix in $\mathbb{Z}_q^{n\times m}$. The construction of $\mathbf{B}_1, \ldots, \mathbf{B}_\ell$ remains as in Game 1, namely $\mathbf{B}_i = \mathbf{A}\mathbf{S}_i^* - x_i^*\mathbf{G}$.

The key generation oracle responds to private key queries (in steps 3 and 5 of Definition 2.1) using the public trapdoor $\mathbf{T}_{\mathbf{G}}$ of the gadget matrix rather than a trapdoor for $\mathbf{A}$, which no longer exists. Consider a private key query for function $f \in \mathcal{F}$ and element $y \in \mathcal{Y}$. Only $f$ such that $y^* = f(x_1^*, \ldots, x_\ell^*) \neq y$ are allowed. To respond, the key generation oracle computes $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{B}_1, \ldots, \mathbf{B}_\ell))$ and needs to produce a matrix $\mathbf{R}_f$ in $\mathbb{Z}^{2m\times m}$ satisfying

    $(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\cdot\mathbf{R}_f = \mathbf{D}$ in $\mathbb{Z}_q$.

To do so the key generation oracle does:

• It runs $\mathbf{S}_f \leftarrow \mathrm{Eval}_{\mathrm{sim}}(f, ((x_i^*, \mathbf{S}_i^*))_{i=1}^{\ell}, \mathbf{A})$ and obtains a low-norm matrix $\mathbf{S}_f \in \mathbb{Z}_q^{m\times m}$ such that $\mathbf{A}\mathbf{S}_f - y^*\mathbf{G} = \mathbf{B}_f$. By definition of $\mathrm{Eval}_{\mathrm{sim}}$ we know that $\|\mathbf{S}_f\|_2 < \alpha_{\mathcal{F}}$.

• Finally, it responds with $\mathbf{R}_f = \mathrm{SampleLeft}(\mathbf{A}, \mathbf{S}_f, y - y^*, \mathbf{D}, \sigma)$; note that $y\mathbf{G} + \mathbf{B}_f = \mathbf{A}\mathbf{S}_f + (y - y^*)\mathbf{G}$ with $y - y^* \neq 0$. By definition of SampleLeft we know that $\mathbf{R}_f$ is distributed as required. Indeed, because $\|\mathbf{S}_f\|_2 < \alpha_{\mathcal{F}}(n)$, $\sigma$ exceeds $\sqrt{5}\cdot(1 + \|\mathbf{S}_f\|_2)\cdot\omega(\sqrt{\log m})$, as needed for algorithm SampleLeft in Lemma 2.8, part 2.

Game 2 is otherwise the same as Game 1. Since the public parameters and responses to private key queries are statistically close to those in Game 1, the adversary's advantage in Game 2 is at most negligibly different from its advantage in Game 1.

Game 3. Game 3 is identical to Game 2 except that in the challenge ciphertext $(\mathbf{x}^*, \mathbf{c}^*)$ the vector $\mathbf{c}^* = (\mathbf{c}_{\mathrm{in}} \mid \mathbf{c}_1 \mid \cdots \mid \mathbf{c}_\ell \mid \mathbf{c}_{\mathrm{out}}) \in \mathbb{Z}_q^{(\ell+2)m}$ is chosen as a random independent vector in $\mathbb{Z}_q^{(\ell+2)m}$. Since the challenge ciphertext is always a fresh random element in the ciphertext space, $\mathcal{A}$'s advantage in this game is zero.

It remains to show that Game 2 and Game 3 are computationally indistinguishable for a PPT adversary, which we do by giving a reduction from the LWE problem.

Reduction from LWE. Suppose $\mathcal{A}$ has non-negligible advantage in distinguishing Games 2 and 3. We use $\mathcal{A}$ to construct an LWE algorithm $\mathcal{B}$.

LWE Instance. $\mathcal{B}$ begins by obtaining an LWE challenge consisting of two random matrices $\mathbf{A}, \mathbf{D}$ in $\mathbb{Z}_q^{n\times m}$ and two vectors $\mathbf{c}_{\mathrm{in}}, \mathbf{c}_{\mathrm{out}}$ in $\mathbb{Z}_q^{m}$. We know that $\mathbf{c}_{\mathrm{in}}, \mathbf{c}_{\mathrm{out}}$ are either random in $\mathbb{Z}_q^{m}$ or

    $\mathbf{c}_{\mathrm{in}} = \mathbf{A}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_0$ and $\mathbf{c}_{\mathrm{out}} = \mathbf{D}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_1$    (3)

for some random vector $\mathbf{s} \in \mathbb{Z}_q^{n}$ and $\mathbf{e}_0, \mathbf{e}_1 \leftarrow \chi^{m}$. Algorithm $\mathcal{B}$'s goal is to distinguish these two cases with non-negligible advantage by using $\mathcal{A}$.

Public parameters. $\mathcal{A}$ begins by committing to a target point $\mathbf{x}^* = (x_1^*, \ldots, x_\ell^*) \in \mathbb{Z}_q^{\ell}$ where it wishes to be challenged. $\mathcal{B}$ assembles the public parameters mpk as in Game 2: choose random matrices $\mathbf{S}_1^*, \ldots, \mathbf{S}_\ell^*$ in $\{\pm 1\}^{m\times m}$ and set $\mathbf{B}_i = \mathbf{A}\mathbf{S}_i^* - x_i^*\mathbf{G}$. It gives $\mathcal{A}$ the public parameters

    $\mathrm{mpk} = (\mathbf{A}, \mathbf{D}, \mathbf{B}_1, \ldots, \mathbf{B}_\ell)$

Private key queries. $\mathcal{B}$ answers $\mathcal{A}$'s private-key queries (in steps 3 and 5 of Definition 2.1) as in Game 2.

Challenge ciphertext. When $\mathcal{B}$ receives two messages $\mu_0, \mu_1 \in \{0,1\}^{m}$ from $\mathcal{A}$, it prepares a challenge ciphertext by choosing a random $b \leftarrow \{0,1\}$ and computing

    $\mathbf{c}_0^* = (\mathbf{I}_m \mid \mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)^{\mathsf{T}}\cdot\mathbf{c}_{\mathrm{in}} \in \mathbb{Z}_q^{(\ell+1)m}$    (4)

and $\mathbf{c}^* = \big(\mathbf{c}_0^*,\; \mathbf{c}_{\mathrm{out}} + \lfloor q/2\rfloor\mu_b\big) \in \mathbb{Z}_q^{(\ell+2)m}$. $\mathcal{B}$ sends $(\mathbf{x}^*, \mathbf{c}^*)$ as the challenge ciphertext to $\mathcal{A}$.

We argue that when the LWE challenge is pseudorandom (namely (3) holds) then $\mathbf{c}^*$ is distributed exactly as in Game 2. First, observe that when encrypting $(\mathbf{x}^*, \mu_b)$ the matrix $\mathbf{H}$ constructed in the encryption algorithm Enc is

    $\mathbf{H} = (\mathbf{A} \mid x_1^*\mathbf{G} + \mathbf{B}_1 \mid \cdots \mid x_\ell^*\mathbf{G} + \mathbf{B}_\ell)$
    $\quad = (\mathbf{A} \mid x_1^*\mathbf{G} + (\mathbf{A}\mathbf{S}_1^* - x_1^*\mathbf{G}) \mid \cdots \mid x_\ell^*\mathbf{G} + (\mathbf{A}\mathbf{S}_\ell^* - x_\ell^*\mathbf{G})) = (\mathbf{A} \mid \mathbf{A}\mathbf{S}_1^* \mid \cdots \mid \mathbf{A}\mathbf{S}_\ell^*)$

Therefore, $\mathbf{c}_0^*$ defined in (4) satisfies:

    $\mathbf{c}_0^* = (\mathbf{I}_m \mid \mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)^{\mathsf{T}}\cdot(\mathbf{A}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_0)$
    $\quad = (\mathbf{A} \mid \mathbf{A}\mathbf{S}_1^* \mid \cdots \mid \mathbf{A}\mathbf{S}_\ell^*)^{\mathsf{T}}\cdot\mathbf{s} + (\mathbf{I}_m \mid \mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)^{\mathsf{T}}\cdot\mathbf{e}_0 = \mathbf{H}^{\mathsf{T}}\mathbf{s} + \mathbf{e}$

where $\mathbf{e} = (\mathbf{I}_m \mid \mathbf{S}_1^* \mid \cdots \mid \mathbf{S}_\ell^*)^{\mathsf{T}}\cdot\mathbf{e}_0$. This $\mathbf{e}$ is sampled from the same distribution as the noise vector $\mathbf{e}$ in algorithm Enc. We therefore conclude that $\mathbf{c}_0^*$ is computed as in Game 2. Moreover, since $\mathbf{c}_{\mathrm{out}} = \mathbf{D}^{\mathsf{T}}\mathbf{s} + \mathbf{e}_1$ we know that the entire challenge ciphertext $\mathbf{c}^*$ is a valid encryption of $(\mathbf{x}^*, \mu_b)$ as required.

When the LWE challenge is random we know that $\mathbf{c}_{\mathrm{in}}$ and $\mathbf{c}_{\mathrm{out}}$ are uniform in $\mathbb{Z}_q^{m}$. Therefore the public parameters and $\mathbf{c}_0^*$ defined in (4) are uniform and independent in $\mathbb{Z}_q^{(\ell+1)m}$ by a standard application of the leftover hash lemma (e.g. Theorem 8.38 of [Sho08]) where the universal hash function is defined as multiplication by the random matrix $(\mathbf{A}^{\mathsf{T}} \mid \mathbf{c}_{\mathrm{in}})^{\mathsf{T}}$. Since $\mathbf{c}_{\mathrm{out}}$ is also uniform, the challenge ciphertext overall is uniform in $\mathbb{Z}_q^{(\ell+2)m}$, as in Game 3.

Guess. Finally, $\mathcal{A}$ guesses whether it is interacting with a Game 2 or Game 3 challenger. $\mathcal{B}$ outputs $\mathcal{A}$'s guess as the answer to the LWE challenge it is trying to solve.

We already argued that when the LWE challenge is pseudorandom the adversary's view is as in Game 2. When the LWE challenge is random the adversary's view is as in Game 3. Hence, $\mathcal{B}$'s advantage in solving LWE is the same as $\mathcal{A}$'s advantage in distinguishing Games 2 and 3, as required. This completes the description of algorithm $\mathcal{B}$ and completes the proof. ■

Remark 4.3. We note that the matrix $\mathbf{R}_f$ in $\mathrm{KeyGen}_{\mathrm{FKHE}}$ can alternatively be generated using a sampling method from [MP12]. To do so we choose FKHE public parameters as we do in the security proof, by choosing random matrices $\mathbf{S}_1, \ldots, \mathbf{S}_\ell$ in $\{\pm 1\}^{m\times m}$ and setting $\mathbf{B}_i = \mathbf{A}\mathbf{S}_i$. We then define the matrix $\mathbf{B}_f$ as $\mathbf{B}_f := \mathbf{A}\mathbf{S}_f$ where $\mathbf{S}_f = \mathrm{Eval}_{\mathrm{sim}}(f, ((0, \mathbf{S}_i))_{i=1}^{\ell}, \mathbf{A})$. We could then build the secret key matrix $\mathrm{sk}_{y,f} = \mathbf{R}_f$ satisfying $(\mathbf{A} \mid y\mathbf{G} + \mathbf{B}_f)\cdot\mathbf{R}_f = \mathbf{D}$ directly from the bit decomposition of $\mathbf{D}/y$. Adding suitable low-norm noise to the result will ensure that $\mathrm{sk}_{y,f}$ is distributed as in the simulation in the security proof. Note that this approach can only be used to build secret keys $\mathrm{sk}_{y,f}$ when $y \neq 0$, whereas the method in $\mathrm{KeyGen}_{\mathrm{FKHE}}$ works for all $y$.

4.1 Evaluation Algorithms for Arithmetic Circuits

In this section we build the FKHE-enabling algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ that are at the heart of the FKHE construction in Section 4. We do so for the family of polynomial depth, unbounded fan-in arithmetic circuits.

4.2 Evaluation algorithms for gates

We first describe Eval algorithms for single gates, i.e. when $\mathcal{G}$ is the set of functions that each take $k$ inputs and compute either a weighted addition or a multiplication:

    $\mathcal{G} = \Big\{\, g : \mathbb{Z}_q^{k} \to \mathbb{Z}_q \;\Big|\; g(x_1, \ldots, x_k) = \alpha_1 x_1 + \alpha_2 x_2 + \cdots + \alpha_k x_k \ \text{ or }\ g(x_1, \ldots, x_k) = \alpha\cdot x_1\cdot x_2\cdots x_k,\quad \alpha, \alpha_1, \ldots, \alpha_k \in \mathbb{Z}_q \,\Big\}$    (5)

We assume that all the inputs to a multiplication gate (except possibly one input) are integers in the interval $[-p, p]$ for some bound $p < q$.

We present all three deterministic Eval algorithms at once:

    $\mathrm{Eval}_{\mathrm{pk}}(g \in \mathcal{G},\ \vec{\mathbf{B}} \in (\mathbb{Z}_q^{n\times m})^{k}) \to \mathbf{B}_g \in \mathbb{Z}_q^{n\times m}$
    $\mathrm{Eval}_{\mathrm{ct}}(g \in \mathcal{G},\ ((x_i, \mathbf{B}_i, \mathbf{c}_i))_{i=1}^{k}) \to \mathbf{c}_g \in \mathbb{Z}_q^{m}$
    $\mathrm{Eval}_{\mathrm{sim}}(g \in \mathcal{G},\ ((x_i^*, \mathbf{S}_i))_{i=1}^{k},\ \mathbf{A}) \to \mathbf{S}_g \in \mathbb{Z}_q^{m\times m}$

For a weighted addition gate $g(x_1, \ldots, x_k) = \alpha_1 x_1 + \cdots + \alpha_k x_k$ do:

  For $i \in [k]$ generate a matrix $\mathbf{R}_i \in \mathbb{Z}_q^{m\times m}$ such that

    $\mathbf{G}\mathbf{R}_i = \alpha_i\mathbf{G}$ : $\mathbf{R}_i = \mathrm{BD}(\alpha_i\mathbf{G})$ (as in Lemma 2.4, part 4)    (6)

  Output the following matrices and the ciphertext:

    $\mathbf{B}_g = \sum_{i=1}^{k}\mathbf{B}_i\mathbf{R}_i,\qquad \mathbf{S}_g = \sum_{i=1}^{k}\mathbf{S}_i\mathbf{R}_i,\qquad \mathbf{c}_g = \sum_{i=1}^{k}\mathbf{R}_i^{\mathsf{T}}\mathbf{c}_i$    (7)

For a weighted multiplication gate $g(x_1, \ldots, x_k) = \alpha x_1 \cdots x_k$ do:

  For $i \in [k]$ generate matrices $\mathbf{R}_i \in \mathbb{Z}_q^{m\times m}$ such that

    $\mathbf{G}\mathbf{R}_1 = \alpha\mathbf{G}$ : $\mathbf{R}_1 = \mathrm{BD}(\alpha\mathbf{G})$    (8)
    $\mathbf{G}\mathbf{R}_i = -\mathbf{B}_{i-1}\mathbf{R}_{i-1}$ : $\mathbf{R}_i = \mathrm{BD}(-\mathbf{B}_{i-1}\mathbf{R}_{i-1})$ for all $i \in \{2, 3, \ldots, k\}$    (9)

  Output the following matrices and the ciphertext:

    $\mathbf{B}_g = \mathbf{B}_k\mathbf{R}_k,\qquad \mathbf{S}_g = \sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k} x_i^*\Big)\mathbf{S}_j\mathbf{R}_j,\qquad \mathbf{c}_g = \sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k} x_i\Big)\mathbf{R}_j^{\mathsf{T}}\mathbf{c}_j$    (10)

For example, for $k = 2$: $\mathbf{B}_g = \mathbf{B}_2\mathbf{R}_2$, $\mathbf{S}_g = x_2^*\mathbf{S}_1\mathbf{R}_1 + \mathbf{S}_2\mathbf{R}_2$, $\mathbf{c}_g = x_2\mathbf{R}_1^{\mathsf{T}}\mathbf{c}_1 + \mathbf{R}_2^{\mathsf{T}}\mathbf{c}_2$.

For multiplication gates, the reason we need an upper bound $p$ on all but one of the inputs $x_i$ is that these $x_i$ values are used in (10) and we need the norm of $\mathbf{S}_g$ and the norm of the noise in the ciphertext $\mathbf{c}_g$ to be bounded from above. The next two lemmas show that these algorithms satisfy the required properties to be FKHE-enabling.

Lemma 4.4. Let $\beta_g(m) = km$. For a weighted addition gate $g(\mathbf{x}) = \alpha_1 x_1 + \cdots + \alpha_k x_k$ we have:

1. If $\mathbf{c}_i \in E_{\mathbf{s},\delta}(x_i, \mathbf{B}_i)$ for some $\mathbf{s} \in \mathbb{Z}_q^{n}$ and $\delta > 0$, then $\mathbf{c}_g \in E_{\mathbf{s},\Delta}(g(\mathbf{x}), \mathbf{B}_g)$ where $\Delta < \beta_g(m)\cdot\delta$ and $\mathbf{B}_g = \mathrm{Eval}_{\mathrm{pk}}(g, (\mathbf{B}_1, \ldots, \mathbf{B}_k))$.

2. The output $\mathbf{S}_g$ satisfies $\mathbf{A}\mathbf{S}_g - g(\mathbf{x}^*)\mathbf{G} = \mathbf{B}_g$ where $\|\mathbf{S}_g\|_2 < \beta_g(m)\cdot\max_{i\in[k]}\|\mathbf{S}_i\|_2$ and $\mathbf{B}_g = \mathrm{Eval}_{\mathrm{pk}}(g, (\mathbf{A}\mathbf{S}_1 - x_1^*\mathbf{G}, \ldots, \mathbf{A}\mathbf{S}_k - x_k^*\mathbf{G}))$.

Proof. By Eq. (7) the output ciphertext is computed as follows:

    $\mathbf{c}_g = \sum_{i=1}^{k}\mathbf{R}_i^{\mathsf{T}}\mathbf{c}_i = \sum_{i=1}^{k}\mathbf{R}_i^{\mathsf{T}}\big((x_i\mathbf{G} + \mathbf{B}_i)^{\mathsf{T}}\mathbf{s} + \mathbf{e}_i\big)$  // substitute $\mathbf{c}_i = (x_i\mathbf{G} + \mathbf{B}_i)^{\mathsf{T}}\mathbf{s} + \mathbf{e}_i$
    $\quad = \sum_{i=1}^{k}(x_i\mathbf{G}\mathbf{R}_i)^{\mathsf{T}}\mathbf{s} + \sum_{i=1}^{k}(\mathbf{B}_i\mathbf{R}_i)^{\mathsf{T}}\mathbf{s} + \sum_{i=1}^{k}\mathbf{R}_i^{\mathsf{T}}\mathbf{e}_i$  // break the product into components
    $\quad = \Big(\sum_{i=1}^{k}\alpha_i x_i\Big)\mathbf{G}^{\mathsf{T}}\mathbf{s} + \mathbf{B}_g^{\mathsf{T}}\mathbf{s} + \mathbf{e}_g$  // $\mathbf{G}\mathbf{R}_i = \alpha_i\mathbf{G}$ from Eq. (6) and $\mathbf{B}_g = \sum_{i=1}^{k}\mathbf{B}_i\mathbf{R}_i$ from Eq. (7)
    $\quad = [g(\mathbf{x})\mathbf{G} + \mathbf{B}_g]^{\mathsf{T}}\mathbf{s} + \mathbf{e}_g$

The noise bound is: $\|\mathbf{e}_g\| = \|\mathbf{R}_1^{\mathsf{T}}\mathbf{e}_1 + \cdots + \mathbf{R}_k^{\mathsf{T}}\mathbf{e}_k\| \le k\cdot\max_{i\in[k]}\big(\|\mathbf{R}_i\|_2\cdot\|\mathbf{e}_i\|\big) \le km\cdot\delta$, using $\|\mathbf{R}_i\|_2 \le m$ from Lemma 2.4, part 4. This completes the proof of the first part of the lemma.

In the second part of the lemma, by Eq. (7) the output matrix $\mathbf{B}_g$ is computed as follows:

    $\mathbf{B}_g = \sum_{i=1}^{k}(\mathbf{A}\mathbf{S}_i - x_i^*\mathbf{G})\mathbf{R}_i$  // plug the matrices given in the lemma into Eq. (7)
    $\quad = \mathbf{A}\sum_{i=1}^{k}\mathbf{S}_i\mathbf{R}_i - \sum_{i=1}^{k}\alpha_i x_i^*\mathbf{G} = \mathbf{A}\mathbf{S}_g - g(\mathbf{x}^*)\mathbf{G}$  // $\mathbf{G}\mathbf{R}_i = \alpha_i\mathbf{G}$ from Eq. (6)

Then $\|\mathbf{S}_g\|_2 = \big\|\sum_{i=1}^{k}\mathbf{S}_i\mathbf{R}_i\big\|_2 \le k\cdot\max_{i\in[k]}\big(\|\mathbf{S}_i\|_2\cdot\|\mathbf{R}_i\|_2\big) \le km\cdot\max_{i\in[k]}\|\mathbf{S}_i\|_2$ by Lemma 2.4, part 4, as required. □

The next lemma proves similar bounds for a multiplication gate.

Lemma 4.5. For a multiplication gate $g(\mathbf{x}) = \alpha\prod_{i=1}^{k}x_i$ we have the same bounds on $\mathbf{c}_g$ and $\mathbf{S}_g$ as in Lemma 4.4 with $\beta_g(m) = \frac{p^{k}-1}{p-1}\cdot m$.

Proof. Set $\mathbf{e}_g = \sum_{j=1}^{k}\big(\prod_{i=j+1}^{k}x_i\big)\mathbf{R}_j^{\mathsf{T}}\mathbf{e}_j$. Then the output ciphertext is computed as follows:

    $\mathbf{c}_g = \sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k}x_i\Big)\mathbf{R}_j^{\mathsf{T}}\mathbf{c}_j = \sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k}x_i\Big)\mathbf{R}_j^{\mathsf{T}}\big((x_j\mathbf{G} + \mathbf{B}_j)^{\mathsf{T}}\mathbf{s} + \mathbf{e}_j\big)$  // substitute for $\mathbf{c}_j$
    $\quad = \Big[\Big(\prod_{i=1}^{k}x_i\Big)\mathbf{G}\mathbf{R}_1 + \sum_{j=2}^{k}\Big(\prod_{i=j}^{k}x_i\Big)\big(\mathbf{G}\mathbf{R}_j + \mathbf{B}_{j-1}\mathbf{R}_{j-1}\big) + \mathbf{B}_k\mathbf{R}_k\Big]^{\mathsf{T}}\mathbf{s} + \mathbf{e}_g$  // regroup
    $\quad = \Big[\Big(\prod_{i=1}^{k}x_i\Big)\mathbf{G}\mathbf{R}_1 + \mathbf{B}_k\mathbf{R}_k\Big]^{\mathsf{T}}\mathbf{s} + \mathbf{e}_g$  // use Eq. (9) to cancel terms
    $\quad = [g(\mathbf{x})\mathbf{G} + \mathbf{B}_g]^{\mathsf{T}}\mathbf{s} + \mathbf{e}_g$  // use the facts $\mathbf{G}\mathbf{R}_1 = \alpha\mathbf{G}$ (Eq. 8) and $\mathbf{B}_g = \mathbf{B}_k\mathbf{R}_k$ (Eq. 10)

The bound on the noise $\|\mathbf{e}_g\|$ is:

    $\|\mathbf{e}_g\| = \Big\|\sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k}x_i\Big)\mathbf{R}_j^{\mathsf{T}}\mathbf{e}_j\Big\| \le (1 + p + \cdots + p^{k-1})\cdot\max_{i\in[k]}\big(\|\mathbf{R}_i\|_2\cdot\|\mathbf{e}_i\|\big) \le \frac{p^{k}-1}{p-1}\cdot m\cdot\delta$

where the last step uses $\|\mathbf{R}_i\|_2 \le m$ (Lemma 2.3). This completes the first part of the lemma. In the second part of the lemma, the output matrix $\mathbf{B}_g$ is computed as follows:

    $\mathbf{B}_g = (\mathbf{A}\mathbf{S}_k - x_k^*\mathbf{G})\mathbf{R}_k$  // by (9) we have $\mathbf{G}\mathbf{R}_k = -(\mathbf{A}\mathbf{S}_{k-1} - x_{k-1}^*\mathbf{G})\mathbf{R}_{k-1}$
    $\quad = \mathbf{A}\mathbf{S}_k\mathbf{R}_k + x_k^*\mathbf{A}\mathbf{S}_{k-1}\mathbf{R}_{k-1} - x_k^* x_{k-1}^*\mathbf{G}\mathbf{R}_{k-1}$  // apply (9) again to $\mathbf{G}\mathbf{R}_{k-1}$, and so on down to $\mathbf{R}_1$
    $\quad = \mathbf{A}\mathbf{S}_k\mathbf{R}_k + x_k^*\mathbf{A}\mathbf{S}_{k-1}\mathbf{R}_{k-1} + x_k^* x_{k-1}^*\mathbf{A}\mathbf{S}_{k-2}\mathbf{R}_{k-2} + \cdots - x_1^*\cdots x_k^*\mathbf{G}\mathbf{R}_1$  // Eq. (8)
    $\quad = \mathbf{A}\mathbf{S}_g - \alpha x_1^*\cdots x_k^*\mathbf{G} = \mathbf{A}\mathbf{S}_g - g(\mathbf{x}^*)\mathbf{G}$

Moreover, the bound on the norm of $\mathbf{S}_g$ is:

    $\|\mathbf{S}_g\|_2 = \Big\|\sum_{j=1}^{k}\Big(\prod_{i=j+1}^{k}x_i^*\Big)\mathbf{S}_j\mathbf{R}_j\Big\|_2 \le (1 + p + \cdots + p^{k-1})\cdot\max_{i\in[k]}\big(\|\mathbf{S}_i\|_2\cdot\|\mathbf{R}_i\|_2\big) \le \frac{p^{k}-1}{p-1}\cdot m\cdot\max_{i\in[k]}\|\mathbf{S}_i\|_2$

as required. □

4.3 Evaluation algorithms for circuits

We now show how to use the algorithms for single gates, which compute weighted additions and multiplications as described above, to build algorithms for depth $d$, unbounded fan-in circuits.

Let $\{\mathcal{C}_\lambda\}_{\lambda\in\mathbb{N}}$ be a family of polynomial-size arithmetic circuits. For each $C \in \mathcal{C}_\lambda$ we index the wires of $C$ following the notation in [GVW13]. The input wires are indexed $1$ to $\ell$, the internal wires have indices $\ell+1, \ell+2, \ldots, |C|-1$ and the output wire has index $|C|$, which also denotes the size of the circuit. Every gate $g_w : \mathbb{Z}_q^{k_w} \to \mathbb{Z}_q$ (in $\mathcal{G}$ as per (5)) is indexed as a tuple $(w_1, \ldots, w_{k_w}, w)$ where $k_w$ is the fan-in of the gate. We assume that all (but possibly one) of the input values to the multiplication gates are bounded by $p$, which is smaller than the scheme modulus $q$. The "fan-out wires" in the circuit are given a single number. That is, if the outgoing wire of a gate feeds into the input of multiple gates, then all these wires are indexed the same. For some $\lambda \in \mathbb{N}$, define the family of functions $\mathcal{F} = \{f : f \text{ can be computed by some } C \in \mathcal{C}_\lambda\}$. Again we will describe the three Eval algorithms together, but it is easy to see that they can be separated.

    $\mathrm{Eval}_{\mathrm{pk}}(f \in \mathcal{F},\ \vec{\mathbf{B}} \in (\mathbb{Z}_q^{n\times m})^{\ell}) \to \mathbf{B}_f \in \mathbb{Z}_q^{n\times m}$
    $\mathrm{Eval}_{\mathrm{ct}}(f \in \mathcal{F},\ ((x_i, \mathbf{B}_i, \mathbf{c}_i))_{i=1}^{\ell}) \to \mathbf{c}_f \in \mathbb{Z}_q^{m}$
    $\mathrm{Eval}_{\mathrm{sim}}(f \in \mathcal{F},\ ((x_i^*, \mathbf{S}_i))_{i=1}^{\ell},\ \mathbf{A}) \to \mathbf{S}_f \in \mathbb{Z}_q^{m\times m}$

Let $f$ be computed by some circuit $C \in \mathcal{C}_\lambda$ that has $\ell$ input wires. We construct the required matrices inductively from input to output, gate by gate.

For all $w \in [|C|]$ denote the value that wire $w$ carries when circuit $C$ is evaluated on $\mathbf{x}$ or $\mathbf{x}^*$ by $x_w$ or $x_w^*$ respectively. Consider an arbitrary gate of fan-in $k_w$ (we will omit the subscript $w$ where it is clear from the context): $(w_1, \ldots, w_k, w)$ that computes the function $g_w : \mathbb{Z}_q^{k} \to \mathbb{Z}_q$. Each wire $w_i$ carries a value $x_{w_i}$. Suppose we already computed $\mathbf{B}_{w_1}, \ldots, \mathbf{B}_{w_k}$, $\mathbf{S}_{w_1}, \ldots, \mathbf{S}_{w_k}$ and $\mathbf{c}_{w_1}, \ldots, \mathbf{c}_{w_k}$; note that if $w_1, \ldots, w_k$ are all in $\{1, 2, \ldots, \ell\}$ then these matrices and vectors are the inputs of the corresponding Eval functions.

Using the Eval algorithms described in Section 4.2, compute

    $\mathbf{B}_w = \mathrm{Eval}_{\mathrm{pk}}(g_w, (\mathbf{B}_{w_1}, \ldots, \mathbf{B}_{w_k}))$
    $\mathbf{c}_w = \mathrm{Eval}_{\mathrm{ct}}(g_w, ((x_{w_i}, \mathbf{B}_{w_i}, \mathbf{c}_{w_i}))_{i=1}^{k})$
    $\mathbf{S}_w = \mathrm{Eval}_{\mathrm{sim}}(g_w, ((x_{w_i}^*, \mathbf{S}_{w_i}))_{i=1}^{k}, \mathbf{A})$

Output $\mathbf{B}_f := \mathbf{B}_{|C|}$, $\mathbf{c}_f := \mathbf{c}_{|C|}$, $\mathbf{S}_f := \mathbf{S}_{|C|}$. Next we show that these outputs satisfy the required properties.

Lemma 4.6. Let $\beta(m) = \frac{p^{k}-1}{p-1}\cdot m$, with $k$ the largest gate fan-in in $C$ (so that $\beta(m) \ge \beta_{g_w}(m)$ for every gate). If $\mathbf{c}_i \in E_{\mathbf{s},\delta}(x_i, \mathbf{B}_i)$ for some $\mathbf{s} \in \mathbb{Z}_q^{n}$ and $\delta > 0$, then $\mathbf{c}_f \in E_{\mathbf{s},\Delta}(f(\mathbf{x}), \mathbf{B}_f)$ where $\Delta < (\beta(m))^{d}\cdot\delta$ and $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{B}_1, \ldots, \mathbf{B}_\ell))$.

Proof. By Lemmas 4.4 and 4.5, after each level of the circuit the noise is multiplied by $\beta_{g_w}(m)$, which is upper bounded by $\beta(m)$, and the total number of levels is equal to the depth $d$ of the circuit. The lemma follows. □

Lemma 4.7. Let $\beta(m)$ be as defined in Lemma 4.6. If $\mathbf{S}_1, \ldots, \mathbf{S}_\ell$ are random matrices in $\{\pm 1\}^{m\times m}$, then the output $\mathbf{S}_f$ satisfies $\mathbf{A}\mathbf{S}_f - f(\mathbf{x}^*)\mathbf{G} = \mathbf{B}_f$ where $\|\mathbf{S}_f\|_2 < (\beta(m))^{d}\cdot 20\sqrt{m}$ and $\mathbf{B}_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf{A}\mathbf{S}_1 - x_1^*\mathbf{G}, \ldots, \mathbf{A}\mathbf{S}_\ell - x_\ell^*\mathbf{G}))$.

Proof. Since the input $\mathbf{S}_i$ for $i \in [\ell]$ are random matrices in $\{\pm 1\}^{m\times m}$, by Lemma 2.5 for all $i \in [\ell]$, $\|\mathbf{S}_i\|_2 < 20\sqrt{m}$. By Lemmas 4.4 and 4.5, after each level of the circuit the bound on $\mathbf{S}$ gets multiplied by at most $\beta(m)$; therefore after $d$ levels, which is the depth of the circuit, the bound on the output matrix will be $\|\mathbf{S}_f\|_2 < (\beta(m))^{d}\cdot 20\sqrt{m}$. The lemma follows. □

In summary, algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ are $\alpha_{\mathcal{F}}$-FKHE enabling for

    $\alpha_{\mathcal{F}}(n) = (\beta(m))^{d}\cdot 20\sqrt{m} = O\big((p^{k-1}m)^{d}\sqrt{m}\big)$, where $m = \Theta(n\log q)$.    (11)

This is sufficient for polynomial depth arithmetic circuits as discussed in the introduction.
4.4 ABE with Short Secret Keys for Arithmetic Circuits from LWE

The FKHE for a family of functions $\mathcal F = \{f : (\mathbb Z_q)^\ell \to \mathbb Z_q\}$ that we constructed in Section 4 immediately gives a key-policy ABE, as discussed in Section 3. For completeness we briefly describe the resulting ABE system.

Given FKHE-enabling algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ for a family of functions $\mathcal F$ from Section 4.1, the ABE system works as follows:

• Setup$(1^\lambda, \ell)$: Choose $n, q, \chi, m$ and $\sigma$ as in "Parameters" in Section 4. Run algorithm $\mathrm{TrapGen}(1^n, 1^m, q)$ (Lemma 2.4, part 1) to generate $(\mathbf A, \mathbf T_{\mathbf A})$. Choose random matrices $\mathbf D, \mathbf B_1, \ldots, \mathbf B_\ell \in \mathbb Z_q^{n\times m}$ and output the keys

$$\mathrm{mpk} = (\mathbf A, \mathbf D, \mathbf B_1, \ldots, \mathbf B_\ell)\ ;\qquad \mathrm{msk} = (\mathbf T_{\mathbf A}, \mathbf D, \mathbf B_1, \ldots, \mathbf B_\ell).$$

• Keygen$(\mathrm{msk}, f)$: Let $\mathbf B_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf B_1, \ldots, \mathbf B_\ell))$. Output $\mathrm{sk}_f := \mathbf R_f$, where $\mathbf R_f$ is a low-norm matrix in $\mathbb Z^{2m\times m}$ sampled from the discrete Gaussian distribution $\mathcal D_\sigma\big(\Lambda_q^{\mathbf D}(\mathbf A | \mathbf B_f)\big)$, so that $(\mathbf A | \mathbf B_f)\cdot \mathbf R_f = \mathbf D$. To construct $\mathbf R_f$, run algorithm $\mathrm{SampleRight}(\mathbf A, \mathbf T_{\mathbf A}, \mathbf B_f, \mathbf D, \sigma)$ from Lemma 2.8, part 1.

Note that the secret key $\mathrm{sk}_f$ is always in $\mathbb Z^{2m\times m}$, independent of the complexity of the function $f$.

• Enc$(\mathrm{mpk}, \mathbf x \in \mathbb Z_q^\ell, \boldsymbol\mu \in \{0,1\}^m)$: Choose a random vector $\mathbf s \leftarrow \mathbb Z_q^n$ and error vectors $\mathbf e_0, \mathbf e_1 \leftarrow \chi^m$. Choose $\ell$ uniformly random matrices $\mathbf S_i \leftarrow \{\pm1\}^{m\times m}$ for $i \in [\ell]$. Set

$$\mathbf H = (\mathbf A \mid x_1\mathbf G + \mathbf B_1 \mid \cdots \mid x_\ell \mathbf G + \mathbf B_\ell) \in \mathbb Z_q^{n\times(\ell+1)m}$$
$$\mathbf e = (\mathbf I_m \mid \mathbf S_1 \mid \cdots \mid \mathbf S_\ell)^{T}\cdot \mathbf e_0 \in \mathbb Z_q^{(\ell+1)m}$$

Output $\mathbf c = \big(\mathbf H^T\mathbf s + \mathbf e,\ \mathbf D^T\mathbf s + \mathbf e_1 + \lfloor q/2\rfloor\boldsymbol\mu\big) \in \mathbb Z_q^{(\ell+2)m}$.

• Dec$(\mathrm{sk}_f, (\mathbf x, \mathbf c))$: If $f(\mathbf x) \ne 0$ output $\bot$. Otherwise, let the ciphertext be $\mathbf c = (\mathbf c_{\mathrm{in}}, \mathbf c_1, \ldots, \mathbf c_\ell, \mathbf c_{\mathrm{out}}) \in \mathbb Z_q^{(\ell+2)m}$ and set $\mathbf c_f = \mathrm{Eval}_{\mathrm{ct}}\big(f, \{(x_i, \mathbf B_i, \mathbf c_i)\}_{i=1}^\ell\big) \in \mathbb Z_q^m$.

Let $\mathbf c'_f = (\mathbf c_{\mathrm{in}} | \mathbf c_f) \in \mathbb Z_q^{2m}$ and output $\mathrm{Round}(\mathbf c_{\mathrm{out}} - \mathbf R_f^T\mathbf c'_f) \in \{0,1\}^m$.

This completes the description of the system. The proof of the following security theorem follows from Theorems 4.2 and 3.2.

Theorem 4.8. For FKHE-enabling algorithms $(\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}})$ for the family of functions $\mathcal F$, the ABE system above is correct and selectively secure with respect to $\mathcal F$, assuming the $(n, q, \chi)$-LWE assumption holds, where $n, q, \chi$ are the parameters for the FKHE-enabling algorithms.

5  Extensions 

5.1  Key  Delegation 

Our  ABE  easily  extends  to  support  full  key  delegation.  We  first  sketch  the  main  idea  for  adding 
key  delegation  and  then  describe  the  resulting  ABE  system. 
In the ABE scheme from Section 4.4, a secret key for a function $f$ is a matrix $\mathbf R_f$ that maps $(\mathbf A | \mathbf B_f)$ to some fixed matrix $\mathbf D$. Instead, we can give as the secret key for $f$ a trapdoor (i.e. a short basis) $\mathbf T_{\mathbf F}$ for the matrix $\mathbf F = (\mathbf A | \mathbf B_f)$. The decryptor can use $\mathbf T_{\mathbf F}$ to generate the matrix $\mathbf R_f$ herself using algorithm SampleD. Now, for a given function $g$, to construct a secret key that decrypts whenever the attribute vector $\mathbf x$ satisfies $f(\mathbf x) = g(\mathbf x) = 0$, we extend the trapdoor for $\mathbf F$ into a trapdoor for $(\mathbf F | \mathbf B_g) = (\mathbf A | \mathbf B_f | \mathbf B_g)$ using algorithm ExtendRight. We give a randomized version of this trapdoor as the delegated secret key for $f \wedge g$. Intuitively, this trapdoor can only be used to decrypt if the decryptor can obtain the ciphertext components under the matrices $\mathbf B_f$ and $\mathbf B_g$, which by security of the ABE can only happen if the ciphertext was created for an attribute vector $\mathbf x$ satisfying $f(\mathbf x) = g(\mathbf x) = 0$.

The top-level secret key generated by Keygen is a $(2m \times 2m)$ integer matrix. A key for $k$ functions, that is, after $k-1$ delegations, is a $((k+1)m \times (k+1)m)$ matrix. Hence the delegated key grows quadratically with the number of delegations.


Definition. Formally, a delegatable attribute-based encryption (DABE) scheme is an attribute-based encryption scheme that, in addition to the four standard algorithms (Setup, Keygen, Enc, Dec), offers a delegation algorithm Delegate. Consider a ciphertext $\mathbf c$ encrypted for index vector $\mathbf x$. The algorithm Keygen returns the secret key $\mathrm{sk}_f$ for a function $f$, and this key decrypts the ciphertext $\mathbf c$ only if $f(\mathbf x) = 0$. The delegation algorithm, given the key $\mathrm{sk}_f$ and a function $g$, outputs a "delegated" secret key that decrypts the ciphertext only if $f(\mathbf x) = 0 \wedge g(\mathbf x) = 0$, which is a more restrictive condition. The idea generalizes to an arbitrary number of delegations:

Delegate$(\mathrm{mpk}, \mathrm{sk}_{f_1,\ldots,f_k}, f_{k+1}) \to \mathrm{sk}_{f_1,\ldots,f_{k+1}}$: Takes as input the master public key $\mathrm{mpk}$, the function $f_{k+1} \in \mathcal F$ and the secret key $\mathrm{sk}_{f_1,\ldots,f_k}$, which was generated either by algorithm Keygen, if $k = 1$, or by algorithm Delegate, if $k > 1$. Outputs a secret key $\mathrm{sk}_{f_1,\ldots,f_{k+1}}$.

Correctness. We require the scheme to be a correct ABE as discussed in Section 2.1 and, in addition, to satisfy the following requirement. For every sequence of functions $f_1, \ldots, f_k \in \mathcal F$, message $\mu \in \mathcal M$ and index $\mathbf x \in \mathbb Z_q^\ell$ such that $f_1(\mathbf x) = 0 \wedge \ldots \wedge f_k(\mathbf x) = 0$, it holds that $\mu = \mathrm{Dec}(\mathrm{sk}_{f_1,\ldots,f_k}, (\mathbf x, \mathbf c))$ with overwhelming probability over the choice of $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^\lambda, \ell)$, $\mathbf c \leftarrow \mathrm{Enc}(\mathrm{mpk}, \mathbf x, \mu)$, $\mathrm{sk}_{f_1} \leftarrow \mathrm{Keygen}(\mathrm{msk}, f_1)$ and $\mathrm{sk}_{f_1,\ldots,f_{i+1}} \leftarrow \mathrm{Delegate}(\mathrm{mpk}, \mathrm{sk}_{f_1,\ldots,f_i}, f_{i+1})$ for all $i \in [k-1]$.

Security. The security of DABE schemes is derived from the definition of selective security for ABE schemes (see Definition 2.1) by providing the adversary with access to a key-generation oracle that also answers delegated-key queries.

Definition 5.1 (Selectively-secure DABE). A DABE scheme $\Pi = (\mathrm{Setup}, \mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Delegate})$ for a class of functions $\mathcal F = \{\mathcal F_\lambda\}_{\lambda \in \mathbb N}$ with $\ell = \ell(\lambda)$ inputs over an index space $\mathcal X = \{\mathcal X_\lambda\}_{\lambda\in\mathbb N}$ and a message space $\mathcal M = \{\mathcal M_\lambda\}_{\lambda\in\mathbb N}$ is selectively secure if for any probabilistic polynomial-time adversary $\mathcal A$ there exists a negligible function $\nu(\lambda)$ such that

$$\mathrm{Adv}^{\mathrm{sDABE}}_{\Pi,\mathcal A}(\lambda) \stackrel{\mathrm{def}}{=} \Big|\Pr\big[\mathrm{Expt}^{(0)}_{\mathrm{sDABE},\Pi,\mathcal A}(\lambda) = 1\big] - \Pr\big[\mathrm{Expt}^{(1)}_{\mathrm{sDABE},\Pi,\mathcal A}(\lambda) = 1\big]\Big| \le \nu(\lambda),$$

where for each $b \in \{0,1\}$ and $\lambda \in \mathbb N$ the experiment $\mathrm{Expt}^{(b)}_{\mathrm{sDABE},\Pi,\mathcal A}(\lambda)$ is defined as follows:

1. $(\mathbf x^*, \mathrm{state}_1) \leftarrow \mathcal A(\lambda)$, where $\mathbf x^* \in \mathcal X_\lambda$.

2. $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(\lambda)$.

3. $(\mu_0, \mu_1, \mathrm{state}_2) \leftarrow \mathcal A^{\mathrm{KG}(\mathrm{msk}, \mathbf x^*, \cdot)}(\mathrm{mpk}, \mathrm{state}_1)$, where $\mu_0, \mu_1 \in \mathcal M_\lambda$.

4. $\mathbf c^* \leftarrow \mathrm{Enc}(\mathrm{mpk}, \mathbf x^*, \mu_b)$.

5. $b' \leftarrow \mathcal A^{\mathrm{KG}(\mathrm{msk}, \mathbf x^*, \cdot)}(\mathbf c^*, \mathrm{state}_2)$.

6. Output $b' \in \{0,1\}$.

Here the key-generation oracle $\mathrm{KG}(\mathrm{msk}, \mathbf x^*, (f_1, \ldots, f_k))$ takes a sequence of functions $f_1, \ldots, f_k \in \mathcal F$ and returns the secret key $\mathrm{sk}_{f_1,\ldots,f_k}$ if $f_1(\mathbf x^*) \ne 0 \vee \ldots \vee f_k(\mathbf x^*) \ne 0$; otherwise the oracle returns $\bot$. The secret key $\mathrm{sk}_{f_1,\ldots,f_k}$ is defined as follows: $\mathrm{sk}_{f_1} = \mathrm{Keygen}(\mathrm{msk}, f_1)$ and, for all $i \in \{2, \ldots, k\}$, $\mathrm{sk}_{f_1,\ldots,f_i} = \mathrm{Delegate}(\mathrm{mpk}, \mathrm{sk}_{f_1,\ldots,f_{i-1}}, f_i)$.

5.1.1 A delegatable ABE scheme from LWE

The DABE scheme is almost identical to the ABE scheme described earlier, except that as the secret key for a function $f$, instead of the recoding matrix from $(\mathbf A | \mathbf B_f)$ to $\mathbf D$, we give a rerandomized trapdoor for $(\mathbf A | \mathbf B_f)$; the decryptor then builds the recoding matrix to $\mathbf D$ himself.

KeyGen$(\mathrm{msk}, f)$:

Let $\mathbf B_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf B_1, \ldots, \mathbf B_\ell))$.

Build the basis $\mathbf T_f$ for $\mathbf F = (\mathbf A | \mathbf B_f) \in \mathbb Z_q^{n\times 2m}$ as $\mathbf T_f \leftarrow \mathrm{RandBasis}\big(\mathbf F, \mathrm{ExtendRight}(\mathbf A, \mathbf T_{\mathbf A}, \mathbf B_f), \sigma\big)$, for big enough $\sigma = \|\mathbf T_{\mathbf A}\|_{\mathrm{GS}}\cdot\omega(\sqrt{\log m})$ (we set $\sigma$ as before: $\sigma = \omega(\alpha_{\mathcal F}\cdot\sqrt{\log m})$).

Output $\mathrm{sk}_f := \mathbf T_f$.

Delegate$(\mathrm{mpk}, \mathrm{sk}_{f_1,\ldots,f_k}, g)$:

Parse the secret key $\mathrm{sk}_{f_1,\ldots,f_k}$ as a matrix $\mathbf T_k \in \mathbb Z^{(k+1)m\times(k+1)m}$, which is a trapdoor for the matrix $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k}) \in \mathbb Z_q^{n\times(k+1)m}$.

Let $\mathbf B_g = \mathrm{Eval}_{\mathrm{pk}}(g, (\mathbf B_1, \ldots, \mathbf B_\ell))$.

Build the basis for the matrix $\mathbf F = (\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k} | \mathbf B_g) \in \mathbb Z_q^{n\times(k+2)m}$:

$$\mathbf T_{k+1} = \mathrm{RandBasis}\big(\mathbf F, \mathrm{ExtendRight}((\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k}), \mathbf T_k, \mathbf B_g), \sigma_k\big).$$

Here $\sigma_k = \sigma\cdot(\sqrt{m\log m})^k$. Output $\mathrm{sk}_{f_1,\ldots,f_k,g} := \mathbf T_{k+1} \in \mathbb Z^{(k+2)m\times(k+2)m}$. Note that the size of the key grows quadratically with the number of delegations $k$.

Dec$(\mathrm{sk}_{f_1,\ldots,f_k}, (\mathbf x, \mathbf c))$: If $f_1(\mathbf x) \ne 0 \vee \ldots \vee f_k(\mathbf x) \ne 0$ output $\bot$.

Otherwise parse the secret key $\mathrm{sk}_{f_1,\ldots,f_k}$ as a matrix $\mathbf T_k \in \mathbb Z^{(k+1)m\times(k+1)m}$, which is a trapdoor for the matrix $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k})$.

Run $\mathbf R \leftarrow \mathrm{SampleD}\big((\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k}), \mathbf T_k, \mathbf D, \sigma_k\big)$ to generate a low-norm matrix $\mathbf R \in \mathbb Z^{(k+1)m\times m}$ such that $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k})\,\mathbf R = \mathbf D$.

Parse $\mathbf c = (\mathbf c_{\mathrm{in}}, \mathbf c_1, \ldots, \mathbf c_\ell, \mathbf c_{\mathrm{out}})$ as in Section 4.4 and, for all $i \in [k]$, compute $\mathbf c_{f_i} = \mathrm{Eval}_{\mathrm{ct}}\big(f_i, \{(x_j, \mathbf B_j, \mathbf c_j)\}_{j=1}^\ell\big) \in \mathbb Z_q^m$. Note that $\mathbf c_{\mathrm{in}}$ and $\mathbf c_{\mathrm{out}}$ are the same for all $i \in [k]$.

Let $\mathbf c' = (\mathbf c_{\mathrm{in}} | \mathbf c_{f_1} | \cdots | \mathbf c_{f_k}) \in \mathbb Z_q^{(k+1)m}$. Output $\boldsymbol\mu = \mathrm{Round}(\mathbf c_{\mathrm{out}} - \mathbf R^T\mathbf c')$.
Correctness. To show correctness, note that when $f_1(\mathbf x) = 0 \wedge \ldots \wedge f_k(\mathbf x) = 0$ we know by the requirement on $\mathrm{Eval}_{\mathrm{ct}}$ that the resulting ciphertexts satisfy $\mathbf c_{f_i} \in E_{\mathbf s,\Delta}(0, \mathbf B_{f_i})$ for all $i \in [k]$. Consequently,

$$(\mathbf c_{\mathrm{in}} | \mathbf c_{f_1} | \cdots | \mathbf c_{f_k}) = (\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k})^T\mathbf s + \mathbf e' \quad\text{where } \|\mathbf e'\| \le k\Delta + \chi_{\max} \le (k\alpha_{\mathcal F} + 1)\chi_{\max}.$$

We know that $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k})\cdot\mathbf R = \mathbf D$ and $\|\mathbf R^T\|_2 \le (k+1)m\sigma_k$ with overwhelming probability by Lemma 2.5. Therefore, up to the message term $\lfloor q/2\rfloor\boldsymbol\mu$ carried by $\mathbf c_{\mathrm{out}}$,

$$\mathbf c_{\mathrm{out}} - \mathbf R^T\mathbf c' = (\mathbf D^T\mathbf s + \mathbf e_1) - (\mathbf D^T\mathbf s + \mathbf R^T\mathbf e') = \mathbf e_1 - \mathbf R^T\mathbf e'.$$

Finally,

$$\|\mathbf e_1 - \mathbf R^T\mathbf e'\| \le \chi_{\max} + (k+1)m\sigma_k\cdot(k\alpha_{\mathcal F}+1)\chi_{\max} \le (k+2)\,\alpha_{\mathcal F}^2\cdot\chi_{\max}\cdot m^{k/2+1}$$

with overwhelming probability. The bound on $\alpha_{\mathcal F}$, namely $\alpha_{\mathcal F}^2\, m^{k/2+1} < \frac{q}{4(k+2)\chi_{\max}}$, ensures that this quantity is less than $q/4$, thereby ensuring correct decryption of all bits of $\boldsymbol\mu \in \{0,1\}^m$.

Security. The security game is similar to the security game for FKHE described in Section 4, except that in Game 2 we need to answer delegated-key queries. Consider a private key query $\mathrm{sk}_{f_1,\ldots,f_k}$ where $f_1, \ldots, f_k \in \mathcal F$. This query is only allowed when $f_1(\mathbf x^*) \ne 0 \vee \ldots \vee f_k(\mathbf x^*) \ne 0$. Without loss of generality, assume that $f_1(\mathbf x^*) = 0 \wedge \ldots \wedge f_{k-1}(\mathbf x^*) = 0$ and $f_k(\mathbf x^*) \ne 0$; indeed, in all other cases the adversary may ask for the key for a shorter sequence of functions and delegate herself. The key generation oracle computes $\mathbf B_{f_i} = \mathrm{Eval}_{\mathrm{pk}}(f_i, (\mathbf B_1, \ldots, \mathbf B_\ell))$ for all $i \in [k]$ and needs to produce a trapdoor $\mathbf T_k \in \mathbb Z^{(k+1)m\times(k+1)m}$ for the matrix $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k}) \in \mathbb Z_q^{n\times(k+1)m}$.

To do so the key generation oracle does:

• Run $\mathbf S_{f_k} \leftarrow \mathrm{Eval}_{\mathrm{sim}}\big(f_k, ((x^*_i, \mathbf S_i))_{i=1}^\ell, \mathbf A\big)$ and obtain a low-norm matrix $\mathbf S_{f_k} \in \mathbb Z^{m\times m}$ such that $\mathbf A\mathbf S_{f_k} - f_k(\mathbf x^*)\mathbf G = \mathbf B_{f_k}$. By definition of $\mathrm{Eval}_{\mathrm{sim}}$ we know that $\|\mathbf S_{f_k}\|_2 \le \alpha_{\mathcal F}$.

• Let $y^* = f_k(\mathbf x^*)$ and $\mathbf F = (\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k}) = (\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_{k-1}} | \mathbf A\mathbf S_{f_k} - y^*\mathbf G)$. Because $y^* \ne 0$ the key generation oracle can obtain a trapdoor $\mathbf T_{(\mathbf A | \mathbf B_{f_k})}$ by running

$$\mathbf T_{(\mathbf A | \mathbf B_{f_k})} \leftarrow \mathrm{ExtendLeft}(y^*\mathbf G, \mathbf T_{\mathbf G}, \mathbf A, \mathbf S_{f_k})$$

and then produce $\mathbf T_{(\mathbf A | \mathbf B_{f_k} | \mathbf B_{f_1} | \cdots | \mathbf B_{f_{k-1}})}$ by running

$$\mathbf T_{(\mathbf A | \mathbf B_{f_k} | \mathbf B_{f_1} | \cdots | \mathbf B_{f_{k-1}})} \leftarrow \mathrm{ExtendRight}\big((\mathbf A | \mathbf B_{f_k}), \mathbf T_{(\mathbf A | \mathbf B_{f_k})}, (\mathbf B_{f_1} | \cdots | \mathbf B_{f_{k-1}})\big).$$

Now we can permute the rows of the matrix $\mathbf T_{(\mathbf A | \mathbf B_{f_k} | \mathbf B_{f_1} | \cdots | \mathbf B_{f_{k-1}})}$ (matching the reordering of the column blocks of $\mathbf F$) to get the matrix $\mathbf T_{\mathbf F}$, which is a trapdoor for $(\mathbf A | \mathbf B_{f_1} | \cdots | \mathbf B_{f_k})$. This operation, as well as the ExtendRight function (according to Lemma 2.4, part 2), does not change the Gram-Schmidt norm of the basis; therefore this trapdoor satisfies

$$\|\mathbf T_{\mathbf F}\|_{\mathrm{GS}} \le \|\mathbf T_{\mathbf G}\|_{\mathrm{GS}}\cdot\|\mathbf S_{f_k}\|_2 \le \sqrt 5\cdot\alpha_{\mathcal F}(n),$$

where the bound on $\|\mathbf T_{\mathbf G}\|_{\mathrm{GS}}$ is from Lemma 2.4 (part 4).

• Finally, it responds with the rerandomized trapdoor $\mathbf T_k = \mathrm{RandBasis}(\mathbf F, \mathbf T_{\mathbf F}, \sigma_k)$.

By definition of RandBasis we know that $\mathbf T_k$ is distributed as $\mathcal D_{\sigma_k}(\Lambda_q^{\perp}(\mathbf F))$, as required. Indeed $\sigma_k \ge \|\mathbf T_{\mathbf F}\|_{\mathrm{GS}}\cdot\omega(\sqrt{\log m})$, as needed for algorithm RandBasis in Lemma 2.6 (part 3).
5.2 Polynomial gates

We can further reduce the depth of a given arithmetic circuit (and thereby shrink the required lattice sizes) by allowing the circuit to use more general gates than simple addition and multiplication. For example, the $k$-way OR polynomial can be implemented using a single gate.

Definition 5.2. An $\ell$-variate polynomial is said to have restricted arithmetic complexity $(\ell, d, g)$ if it can be computed by a depth-$d$ circuit that takes $\ell$ inputs $x_1, \ldots, x_\ell \in \mathbb Z_q$ and outputs a single $r \in \mathbb Z_q$. The circuit contains $g$ gates, each of which is either a fan-in-2 addition gate or a fan-in-2 multiplication gate. Multiplication gates are further restricted to have one of their two inputs be one of the inputs to the circuit, $x_1, \ldots, x_\ell$.

We build the Eval algorithms for polynomials with complexity $(\ell, d, g)$ whose running time is proportional to $g$ and that increase the magnitude of the noise in a given ciphertext by a factor of at most $O(p^d\cdot m)$, where $p$ is the bound on all the intermediate values. Were we to directly use the Eval algorithms from the previous section on this polynomial, the magnitude of the noise would increase by $O((pm)^d)$, which is considerably larger, especially when $p$ is small (e.g. $p = 1$).

We can build arithmetic circuits using polynomials with complexity $(\ell, d, g)$ as gates. Evaluating a depth-$D$ arithmetic circuit with such polynomial gates increases the magnitude of the noise by at most a factor of $O((p^d\cdot m)^D)$. Again, if we were to simply treat the circuit as a standard arithmetic circuit with basic addition and multiplication gates, the noise would instead grow as $O((pm)^{dD})$, which is larger.

Next we present ABE-enabling algorithms $\mathrm{Eval}_{\mathrm{pk}}, \mathrm{Eval}_{\mathrm{ct}}, \mathrm{Eval}_{\mathrm{sim}}$ for these enhanced polynomial gates with the noise bounds discussed in the previous paragraph. To support multiplication and addition by constants, we may assume that we have an extra 0-th input to the circuit that always carries the value 1. We present all three algorithms at the same time. Suppose that $f$ is a polynomial with complexity $(\ell, d, g)$; then the three algorithms work as follows:

$$\mathrm{Eval}_{\mathrm{pk}}\big(f,\ \mathbf B \in (\mathbb Z_q^{n\times m})^{\ell}\big) \to \mathbf B_f \in \mathbb Z_q^{n\times m}$$
$$\mathrm{Eval}_{\mathrm{ct}}\big(f,\ ((x_i, \mathbf B_i, \mathbf c_i))_{i=1}^{\ell}\big) \to \mathbf c_f \in \mathbb Z_q^{m}$$
$$\mathrm{Eval}_{\mathrm{sim}}\big(f,\ ((x_i, \mathbf S_i))_{i=1}^{\ell},\ \mathbf A\big) \to \mathbf S_f \in \mathbb Z^{m\times m}$$

For each wire $w \in [|f|]$ (here $|f|$ denotes the total number of wires in the circuit, and the wires are named as described in Section 4.3), starting from the input wires and proceeding to the output, we construct the matrices $\mathbf B_w \in \mathbb Z_q^{n\times m}$, $\mathbf S_w \in \mathbb Z^{m\times m}$, $\mathbf c_w \in \mathbb Z_q^m$. Finally we output $\mathbf B_f = \mathbf B_{|f|}$, $\mathbf S_f = \mathbf S_{|f|}$, $\mathbf c_f = \mathbf c_{|f|}$. Consider an arbitrary gate and suppose that the matrices on its input wires have been computed; then to compute the matrices on the output wire do the following:

• Suppose the gate computes addition, has input wires $w_1$ and $w_2$ and output wire $w$. Then set the output matrices on wire $w$ to be

$$\mathbf B_w = \mathbf B_{w_1} + \mathbf B_{w_2}, \qquad \mathbf S_w = \mathbf S_{w_1} + \mathbf S_{w_2}, \qquad \mathbf c_w = \mathbf c_{w_1} + \mathbf c_{w_2}.$$

• Suppose the gate computes multiplication by $x_i$ for some $i \in [\ell]$, the input wires are $u$ and $i$, and the output wire is $w$. Then generate a matrix $\mathbf R \in \mathbb Z^{m\times m}$ satisfying $\mathbf G\mathbf R = -\mathbf B_u$ by running $\mathbf R = \mathrm{BD}(-\mathbf B_u)$. Output

$$\mathbf B_w = \mathbf B_i\mathbf R, \qquad \mathbf S_w = \mathbf S_i\mathbf R + x_i\mathbf S_u, \qquad \mathbf c_w = x_i\mathbf c_u + \mathbf R^T\mathbf c_i.$$

Approved for Public Release; Distribution Unlimited.

Note that the amount of work required to run the Eval algorithms is proportional to the number of gates $g$ in the circuit.

The following lemma shows that the noise in the output ciphertext grows by at most a factor of $O(p^d m)$, where $p$ is the upper bound on the intermediate values in the circuit.

Lemma 5.3. If $\mathbf c_i \in E_{\mathbf s,\delta}(x_i, \mathbf B_i)$ for some $\mathbf s \in \mathbb Z_q^n$ and $\delta > 0$, and the bound on the numbers is $p \ge 2$, then for the polynomial $f$ of complexity $(\ell, d, g)$, with $\beta_d(m) = (1 + p + \ldots + p^d)\cdot m$, we have:

• $\mathbf c_f$ satisfies $\mathbf c_f \in E_{\mathbf s,\Delta}(f(\mathbf x), \mathbf B_f)$ where $\mathbf B_f = \mathrm{Eval}_{\mathrm{pk}}(f, (\mathbf B_1, \ldots, \mathbf B_\ell))$ and $\Delta \le \beta_d(m)\cdot\delta$,

• $\mathbf S_f$ satisfies $\mathbf A\mathbf S_f - f(\mathbf x)\mathbf G = \mathbf B_f$ where $\mathbf B_f = \mathrm{Eval}_{\mathrm{pk}}\big(f, (\mathbf A\mathbf S_1 - x_1\mathbf G, \ldots, \mathbf A\mathbf S_\ell - x_\ell\mathbf G)\big)$ and $\|\mathbf S_f\|_2 \le \beta_d(m)\cdot\gamma$ where $\gamma = \max_{i\in[\ell]}\|\mathbf S_i\|_2$.

Proof. We prove the lemma by induction on the level $j$ of the gate; the inputs sit at level 0, where $\beta_0(m) = m \ge 1$.

• Consider an addition gate at level $j$ with input wires $w_1$ and $w_2$ and output wire $w$. Suppose that for $t \in [2]$ the noise in the ciphertexts satisfies $\|\mathbf e_{w_t}\| \le \beta_{j-1}(m)\delta$ and $\|\mathbf S_{w_t}\|_2 \le \beta_{j-1}(m)\cdot\gamma$. Then

$$\mathbf c_w = \mathbf c_{w_1} + \mathbf c_{w_2} = (x_{w_1}\mathbf G + \mathbf B_{w_1})^T\mathbf s + \mathbf e_{w_1} + (x_{w_2}\mathbf G + \mathbf B_{w_2})^T\mathbf s + \mathbf e_{w_2} = (x_w\mathbf G + \mathbf B_w)^T\mathbf s + \mathbf e_w,$$

$$\|\mathbf e_w\| = \|\mathbf e_{w_1} + \mathbf e_{w_2}\| \le \|\mathbf e_{w_1}\| + \|\mathbf e_{w_2}\| \le (\beta_{j-1}(m) + \beta_{j-1}(m))\,\delta \le \beta_j(m)\,\delta,$$

$$\mathbf B_w = \mathbf B_{w_1} + \mathbf B_{w_2} = (\mathbf A\mathbf S_{w_1} - x_{w_1}\mathbf G) + (\mathbf A\mathbf S_{w_2} - x_{w_2}\mathbf G) = \mathbf A(\mathbf S_{w_1} + \mathbf S_{w_2}) - (x_{w_1} + x_{w_2})\mathbf G = \mathbf A\mathbf S_w - x_w\mathbf G,$$

$$\|\mathbf S_w\|_2 = \|\mathbf S_{w_1} + \mathbf S_{w_2}\|_2 \le \|\mathbf S_{w_1}\|_2 + \|\mathbf S_{w_2}\|_2 \le (\beta_{j-1}(m) + \beta_{j-1}(m))\cdot\gamma \le \beta_j(m)\cdot\gamma.$$

• Consider a gate at level $j$ which has input wires $u$ and $i \in [\ell]$, output wire $w$, and which computes multiplication by $x_i$. Suppose $\|\mathbf e_u\| \le \beta_{j-1}(m)\delta$ and $\|\mathbf S_u\|_2 \le \beta_{j-1}(m)\cdot\gamma$. Since $\mathbf G\mathbf R = -\mathbf B_u$, the following holds:

$$\mathbf c_w = x_i\mathbf c_u + \mathbf R^T\mathbf c_i = x_i(x_u\mathbf G + \mathbf B_u)^T\mathbf s + x_i\mathbf e_u + \mathbf R^T(x_i\mathbf G + \mathbf B_i)^T\mathbf s + \mathbf R^T\mathbf e_i = \big[x_w\mathbf G + x_i\underbrace{(\mathbf B_u + \mathbf G\mathbf R)}_{=\,\mathbf 0} + \mathbf B_w\big]^T\mathbf s + \mathbf e_w,$$

$$\|\mathbf e_w\| = \|x_i\mathbf e_u + \mathbf R^T\mathbf e_i\| \le p\|\mathbf e_u\| + m\|\mathbf e_i\| \le (p\,\beta_{j-1}(m) + m)\,\delta \le \beta_j(m)\,\delta,$$

$$\mathbf B_w = \mathbf B_i\mathbf R = (\mathbf A\mathbf S_i - x_i\mathbf G)\mathbf R = \mathbf A\mathbf S_i\mathbf R + x_i\mathbf B_u = \mathbf A\mathbf S_i\mathbf R + x_i(\mathbf A\mathbf S_u - x_u\mathbf G) = \mathbf A(x_i\mathbf S_u + \mathbf S_i\mathbf R) - (x_i x_u)\mathbf G = \mathbf A\mathbf S_w - x_w\mathbf G,$$

$$\|\mathbf S_w\|_2 = \|x_i\mathbf S_u + \mathbf S_i\mathbf R\|_2 \le (p\,\beta_{j-1}(m) + m)\cdot\gamma \le \beta_j(m)\cdot\gamma,$$

as required. □

Now, combining Lemma 5.3 with lemmas analogous to Lemmas 4.6 and 4.7, we can build an ABE system for a set of functions $\mathcal F$ which can be computed by depth-$D$ circuits with $(k, d, g)$-complexity gates. The bound function is then

$$\alpha_{\mathcal F}(n) = (\beta_d(m))^D\cdot 20\sqrt m = O\big((p^d m)^D\sqrt m\big).$$

The time complexity of the Eval algorithms for a circuit $C$ that consists of $(k, d, g)$-complexity gates is $O(g\cdot|C|)$.
5.2.1 Example applications for polynomial gates

Unbounded fan-in OR gate. Assuming that boolean inputs are interpreted as integers in $\{0,1\}$, the OR gate of $\ell$ inputs can be computed with the following recursive formula:

$$\mathrm{OR}_{\ell+1}(x_1, \ldots, x_\ell, x_{\ell+1}) = x_{\ell+1} + (1 - x_{\ell+1})\cdot\mathrm{OR}_\ell(x_1, \ldots, x_\ell), \qquad \mathrm{OR}_1(x_1) = x_1.$$

It is easy to see that $\mathrm{OR}_\ell$ has restricted complexity $(\ell, 3\ell, 3\ell)$, since at each of the $\ell$ iterations we do one multiplication by $x_{\ell+1}$ and two fan-in-2 additions (expanding the product as $\mathrm{OR}_\ell - x_{\ell+1}\cdot\mathrm{OR}_\ell$, so that the only multiplication is by the circuit input $x_{\ell+1}$). Therefore, by Lemma 5.3, an $\mathrm{OR}_\ell$ gate increases the noise in the ciphertext by a factor of $O(\ell\cdot m)$.

If we were computing the $\mathrm{OR}_\ell$ function with addition and multiplication gates as in Section 4.3, the most efficient way would be to use De Morgan's law:

$$\mathrm{OR}_\ell(x_1, \ldots, x_\ell) = 1 - (1 - x_1)(1 - x_2)\cdots(1 - x_\ell).$$

This function can be computed with one level of $\ell$ fan-in-2 addition gates (to compute $1 - x_i$ for $i \in [\ell]$), one level of a single fan-in-$\ell$ multiplication gate (to compute $\prod_{i=1}^{\ell}(1 - x_i)$) and one more level of a single fan-in-2 addition gate. The noise then grows by a factor of $O(\ell\cdot m^3)$, which makes the scheme 3 times less efficient.

The Fibonacci polynomial. Consider the following polynomial, defined for $\mathbf x \in [-p, p]^\ell$ by the recurrence

$$\Pi_1(\mathbf x) = x_1, \qquad \Pi_2(\mathbf x) = x_2,$$
$$\Pi_{i+2}(\mathbf x) = \Pi_{i+1}(\mathbf x) + \Pi_i(\mathbf x)\cdot x_{i+2} \quad\text{for } i \in \{1, \ldots, \ell-2\}.$$

If expanded, the number of monomials in $\Pi_\ell$ is equal to the $\ell$-th Fibonacci number, which is exponential in $\ell$. The degree of the polynomial is The recurrence shows that the restricted arithmetic complexity of this polynomial is $(\ell, \ell, 2\ell)$. Therefore we can compute it with a single polynomial gate and, by Lemma 5.3, the growth in ciphertext noise will be proportional to $p^\ell\cdot m$.

We conjecture that computing this polynomial with a polynomial-size arithmetic circuit requires depth linear in $\ell$. Therefore the growth in ciphertext noise using the approach of Section 4.3 would be proportional to $(pm)^{O(\ell)}$, which is much worse.
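The gate-by-gate evaluation of Sections 4.3 and 5.2, applied to the OR polynomial of Section 5.2.1, as an added worked example (an editor's illustration, not code from the report): the three Eval algorithms run side by side on a toy instance, and the two identities of Lemma 5.3 are then checked, namely $\mathbf A\mathbf S_f - f(\mathbf x)\mathbf G = \mathbf B_f$ and $\mathbf c_f = (f(\mathbf x)\mathbf G + \mathbf B_f)^T\mathbf s + \mathbf e_f$ with $\|\mathbf e_f\|_\infty \le \beta_d(m)\delta$. The parameters ($n = 2$, $q = 2^{14}$), the gadget matrix $\mathbf G$ and bit decomposition BD, the sampled $\pm1$ matrices and noise, and the subtraction variant of the addition gate (needed to write $\mathrm{OR}_{j+1} = x_{j+1} + \mathrm{OR}_j - x_{j+1}\cdot\mathrm{OR}_j$ with a multiplication by a circuit input only) are all assumptions of this example; the parameters are tiny and offer no security.

```python
import random

N, K = 2, 14                 # assumed toy parameters: n = 2, q = 2^14 (NOT secure)
Q = 1 << K
M = N * K                    # m = n * log2(q) = 28, the width of the gadget matrix G

def matmul(A, B, mod=None):
    out = [[sum(A[i][t] * B[t][j] for t in range(len(B))) for j in range(len(B[0]))]
           for i in range(len(A))]
    return [[v % mod for v in r] for r in out] if mod else out

def madd(A, B, sign=1, mod=None):
    out = [[a + sign * b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
    return [[v % mod for v in r] for r in out] if mod else out

def scale(A, k, mod=None):
    out = [[k * v for v in r] for r in A]
    return [[v % mod for v in r] for r in out] if mod else out

def transpose(A):
    return [list(col) for col in zip(*A)]

# Gadget matrix G in Z_q^{n x m}: block i of row i holds (1, 2, 4, ..., 2^(K-1)).
G = [[0] * M for _ in range(N)]
for i in range(N):
    for j in range(K):
        G[i][i * K + j] = 1 << j

def bit_decompose(B):
    """BD(B): the {0,1}^{m x m} matrix R with G * R = B (mod q)."""
    R = [[0] * M for _ in range(M)]
    for i in range(N):
        for col in range(M):
            for j in range(K):
                R[i * K + j][col] = (B[i][col] >> j) & 1
    return R

class Wire:
    """What the three Eval algorithms carry per wire: x_w, B_w, S_w, c_w, and its depth."""
    def __init__(self, x, B, S, c, depth=0):
        self.x, self.B, self.S, self.c, self.depth = x, B, S, c, depth

def add_gate(w1, w2, sign=1):
    """Addition gate of Section 5.2 (sign=+1); sign=-1 is the assumed subtraction
    variant, which has identical noise growth."""
    return Wire((w1.x + sign * w2.x) % Q, madd(w1.B, w2.B, sign, Q),
                madd(w1.S, w2.S, sign), madd(w1.c, w2.c, sign, Q),
                max(w1.depth, w2.depth) + 1)

def mul_by_input_gate(u, inp):
    """Multiplication of wire u by a circuit input x_i:
    R = BD(-B_u),  B_w = B_i R,  S_w = S_i R + x_i S_u,  c_w = x_i c_u + R^T c_i."""
    R = bit_decompose(scale(u.B, -1, Q))
    return Wire((inp.x * u.x) % Q, matmul(inp.B, R, Q),
                madd(matmul(inp.S, R), scale(u.S, inp.x)),
                madd(scale(u.c, inp.x, Q), matmul(transpose(R), inp.c, Q), 1, Q),
                max(u.depth, inp.depth) + 1)

def make_inputs(x_bits, rng):
    """Constructed input wires: B_i = A S_i - x_i G (the Eval_sim form) and
    c_i = (x_i G + B_i)^T s + e_i with e_i in {-1,0,1}^m, i.e. c_i in E_{s,1}(x_i, B_i)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [[rng.randrange(Q)] for _ in range(N)]
    wires = []
    for xi in x_bits:
        S = [[rng.choice((-1, 1)) for _ in range(M)] for _ in range(M)]
        B = madd(matmul(A, S), scale(G, xi), -1, Q)
        e = [[rng.choice((-1, 0, 1))] for _ in range(M)]
        c = madd(matmul(transpose(madd(scale(G, xi), B, 1, Q)), s), e, 1, Q)
        wires.append(Wire(xi, B, S, c))
    return A, s, wires

def or_circuit(inputs):
    """OR_l via OR_{j+1} = x_{j+1} + OR_j - x_{j+1} * OR_j (Section 5.2.1):
    one multiplication by the input x_{j+1} and two +/- gates per step."""
    acc = inputs[0]
    for xi in inputs[1:]:
        acc = add_gate(add_gate(acc, xi), mul_by_input_gate(acc, xi), -1)
    return acc

def check_lemma_5_3(x_bits, seed=0):
    """Returns (OR value correct, A S_f - f(x) G == B_f, noise <= beta_d(m)*delta, noise)."""
    rng = random.Random(seed)
    A, s, inputs = make_inputs(x_bits, rng)
    f = or_circuit(inputs)
    key_identity = madd(matmul(A, f.S), scale(G, f.x), -1, Q) == f.B
    encoded = matmul(transpose(madd(scale(G, f.x), f.B, 1, Q)), s)   # (f(x) G + B_f)^T s
    noise = [v[0] % Q for v in madd(f.c, encoded, -1, Q)]
    noise_inf = max(min(v, Q - v) for v in noise)                    # centred |e_f|_inf
    bound = (2 ** (f.depth + 1) - 1) * M      # beta_d(m) * delta with p = 2, delta = 1
    return f.x == int(any(x_bits)), key_identity, noise_inf <= bound, noise_inf
```

Running `check_lemma_5_3([0, 1, 0, 1])` evaluates $\mathrm{OR}_4$ through a circuit of depth 6; the key identity holds exactly modulo $q$, and the measured noise stays far below $\beta_6(m) = 127m$ while $q/2$ is large enough that nothing wraps, which is exactly the condition the correctness bound on $\alpha_{\mathcal F}$ enforces.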


6 ABE with Short Ciphertexts from Multi-linear Maps

We assume familiarity with multi-linear maps [BS02, GGH13a], which we overview in Section 2.3.

Intuition. We assume that the circuits consist of AND and OR gates. To handle general circuits (with negations), we can apply De Morgan's rule to transform them into monotone circuits, doubling the number of input attributes (similar to [GGH+13c]).

The inspiration for our construction comes from the beautiful work of Applebaum, Ishai, Kushilevitz and Waters [AIKW13], who show a way to compress the garbled input in a (single-use) garbling scheme all the way down to size $|\mathbf x| + \mathrm{poly}(\lambda)$. This is useful to us in the context of ABE schemes due to a simple connection between ABE and reusable garbled circuits with authenticity observed in [GVW13]. In essence, they observe that the secret key for a function $f$ in an ABE scheme corresponds to the garbled circuit for $f$, and the ciphertext encrypting an attribute vector $\mathbf x$ corresponds to the garbled input for $\mathbf x$ in the reusable garbling scheme. Thus, the problem of compressing ciphertexts down to size $|\mathbf x| + \mathrm{poly}(\lambda)$ boils down to the question of generalizing [AIKW13] to the setting of reusable garbling schemes. We are able to achieve this using multilinear maps.

Security of the scheme relies on a generalization of the bilinear Diffie-Hellman Exponent Assumption to the multi-linear setting (see Definition 2.9).$^1$ The bilinear Diffie-Hellman Exponent Assumption was recently used to prove the security of the first broadcast encryption with constant size ciphertexts [BGW05] (which in turn can be thought of as a special case of ABE with short ciphertexts).

Theorem 6.1 (Selective security). For all polynomials $d_{\max} = d_{\max}(\lambda)$, there exists a selectively-secure attribute-based encryption with ciphertext size $\mathrm{poly}(d_{\max})$ for any family of polynomial-size circuits with depth at most $d_{\max}$ and input size $\ell$, assuming hardness of the $(d_{\max} + 1, \ell)$-Multilinear Diffie-Hellman Exponent Assumption.

6.1 Our Construction

• Params$(1^\lambda, d_{\max})$: The parameter generation algorithm takes the security parameter and the maximum circuit depth. It generates a multi-linear map $\mathcal G(1^\lambda, k = d_{\max} + 1)$ that produces groups $(\mathbb G_1, \ldots, \mathbb G_k)$ along with a set of generators $g_1, \ldots, g_k$ and map descriptors $\{e_{ij}\}$. It outputs the public parameters $\mathrm{pp} = (\{\mathbb G_i\}, \{e_{ij}\}_{i,j\in[k]})$, which are implicitly known to all of the algorithms below.

• Setup$(1^\lambda)$: For each input bit $i \in \{1, 2, \ldots, \ell\}$, choose a random element $q_i \in \mathbb Z_p$. Let $g = g_1$ be the generator of the first group. Define $h_i = g^{q_i}$. Also, choose $\alpha$ at random from $\mathbb Z_p$ and let $t = g_k^{\alpha}$. Set the master public key

$$\mathrm{mpk} := (h_1, \ldots, h_\ell, t)$$

and the master secret key as $\mathrm{msk} := \alpha$.

• Keygen$(\mathrm{msk}, C)$: The key-generation algorithm takes a circuit $C$ with $\ell$ input bits and a master secret key $\mathrm{msk}$ and outputs a secret key $\mathrm{sk}_C$ defined as follows.

1. Choose randomly $((r_1, z_1), \ldots, (r_\ell, z_\ell))$ from $\mathbb Z_p^2$ for the input wires of the circuit $C$. In addition, choose $((r_{\ell+1}, a_{\ell+1}, b_{\ell+1}), \ldots, (r_n, a_n, b_n))$ from $\mathbb Z_p^3$ randomly for all internal wires of $C$.

2. Compute an $\ell\times\ell$ matrix whose diagonal entries $(i, i)$ are of the form $(h_i)^{z_i} g^{r_i}$ and whose off-diagonal entries $(i, j)$ are of the form $(h_i)^{z_j}$. Append the row $(g^{-z_1}, \ldots, g^{-z_\ell})$ to this matrix and call the resulting $(\ell+1)\times\ell$ matrix $\mathbf M$.

3. Consider a gate $\Gamma = (u, v, w)$ where wires $u, v$ are at depth $j-1$ and $w$ is at depth $j$. If $\Gamma$ is an OR gate, compute

$$K_\Gamma = \big(K_\Gamma^1 = g^{a_w},\ K_\Gamma^2 = g^{b_w},\ K_\Gamma^3 = g_j^{\,r_w - a_w r_u},\ K_\Gamma^4 = g_j^{\,r_w - b_w r_v}\big).$$

Else if $\Gamma$ is an AND gate, compute

$$K_\Gamma = \big(K_\Gamma^1 = g^{a_w},\ K_\Gamma^2 = g^{b_w},\ K_\Gamma^3 = g_j^{\,r_w - a_w r_u - b_w r_v}\big).$$

4. Set $a = g_{k-1}^{\,\alpha - r_n}$, where $n$ is the output wire of $C$.

5. Define and output the secret key as

$$\mathrm{sk}_C := \big(C, \{K_\Gamma\}_{\Gamma\in C}, \mathbf M, a\big).$$

• Enc$(\mathrm{mpk}, \mathbf x, \mu)$: The encryption algorithm takes the master public key $\mathrm{mpk}$, an index $\mathbf x \in \{0,1\}^\ell$ and a message $\mu \in \{0,1\}$, and outputs a ciphertext $c_{\mathbf x}$ defined as follows. Choose a random element $s \in \mathbb Z_p$. Let $X$ be the set of indices $i$ such that $x_i = 1$. Let $\gamma_0 = t^s$ if $\mu = 1$; otherwise let $\gamma_0$ be a randomly chosen element of $\mathbb G_k$. Output the ciphertext

$$c_{\mathbf x} := \Big(\mathbf x,\ \gamma_0,\ g^s,\ \gamma_1 = \big(\textstyle\prod_{i\in X} h_i\big)^s\Big).$$

• Dec$(\mathrm{sk}_C, c_{\mathbf x})$: The decryption algorithm takes the ciphertext $c_{\mathbf x}$ and the secret key $\mathrm{sk}_C$ and proceeds as follows. If $C(\mathbf x) = 0$, it outputs $\bot$. Otherwise,

1. Let $X$ be the set of indices $i$ such that $x_i = 1$. For each input wire $i \in X$, using the matrix $\mathbf M$ compute $g^{r_i}\big(\prod_{j\in X} h_j\big)^{z_i}$ (the product of the entries in column $i$ over the rows $j \in X$) and then

$$g_2^{\,r_i s} = e\Big(g^s,\ g^{r_i}\big(\textstyle\prod_{j\in X} h_j\big)^{z_i}\Big)\cdot e\big(\gamma_1, g^{-z_i}\big) = e\big(g^s, g^{r_i}\big)\cdot e\Big(g^s, \big(\textstyle\prod_{j\in X} h_j\big)^{z_i}\Big)\cdot e\Big(\big(\textstyle\prod_{j\in X} h_j\big)^s, g^{-z_i}\Big).$$

2. Now, for each gate $\Gamma = (u, v, w)$ where $w$ is an active wire at level $j$ (recursively going from the input to the output), compute $g_{j+1}^{\,r_w s}$ as follows:

– If $\Gamma$ is an OR gate and $C(\mathbf x)_u = 1$, compute $g_{j+1}^{\,r_w s} = e\big(K_\Gamma^1, g_j^{\,r_u s}\big)\cdot e\big(g^s, K_\Gamma^3\big)$.

– Else if $\Gamma$ is an OR gate and $C(\mathbf x)_v = 1$, compute $g_{j+1}^{\,r_w s} = e\big(K_\Gamma^2, g_j^{\,r_v s}\big)\cdot e\big(g^s, K_\Gamma^4\big)$.

– Else if $\Gamma$ is an AND gate, compute $g_{j+1}^{\,r_w s} = e\big(K_\Gamma^1, g_j^{\,r_u s}\big)\cdot e\big(K_\Gamma^2, g_j^{\,r_v s}\big)\cdot e\big(g^s, K_\Gamma^3\big)$.

3. If $C(\mathbf x) = 1$, the user thus computes $g_k^{\,r_n s}$ for the output wire $n$. Finally, compute

$$\psi = e(g^s, a)\cdot g_k^{\,r_n s}.$$

4. Output $\mu = 1$ if $\psi = \gamma_0$; otherwise output $0$.

$^1$ Our construction can be converted to multi-linear graded encodings, recently instantiated by Garg et al. [GGH13a] and Coron et al. [CLT13].

6.2 Correctness

Claim 6.2. For all active wires $w$ at level $j$ (that is, $C(\mathbf x)_w = 1$) the user holds $g_{j+1}^{\,r_w s}$.

Proof. The base case (the input wires) is satisfied as shown in step 1 of Dec. Now consider a gate $\Gamma = (u, v, w)$. If $\Gamma$ is an OR gate and $C(\mathbf x)_u = 1$, then

$$g_{j+1}^{\,r_w s} = e\big(K_\Gamma^1, g_j^{\,r_u s}\big)\cdot e\big(g^s, K_\Gamma^3\big) = e\big(g^{a_w}, g_j^{\,r_u s}\big)\cdot e\big(g^s, g_j^{\,r_w - a_w r_u}\big) = e(g, g_j)^{a_w r_u s}\cdot e(g, g_j)^{s r_w}\cdot e(g, g_j)^{-a_w r_u s} = g_{j+1}^{\,r_w s}.$$

The case $C(\mathbf x)_v = 1$ is similar. Also, if $\Gamma$ is an AND gate, then

$$g_{j+1}^{\,r_w s} = e\big(K_\Gamma^1, g_j^{\,r_u s}\big)\cdot e\big(K_\Gamma^2, g_j^{\,r_v s}\big)\cdot e\big(g^s, K_\Gamma^3\big) = e\big(g^{a_w}, g_j^{\,r_u s}\big)\cdot e\big(g^{b_w}, g_j^{\,r_v s}\big)\cdot e\big(g^s, g_j^{\,r_w - a_w r_u - b_w r_v}\big)$$
$$= e(g, g_j)^{a_w r_u s}\cdot e(g, g_j)^{b_w r_v s}\cdot e(g, g_j)^{s r_w}\cdot e(g, g_j)^{-a_w r_u s - b_w r_v s} = e(g, g_j)^{a_w r_u s + b_w r_v s}\cdot e(g, g_j)^{s r_w}\cdot e(g, g_j)^{-a_w r_u s - b_w r_v s} = g_{j+1}^{\,r_w s}.$$

Hence, if $C(\mathbf x) = 1$, the user computes $g_k^{\,r_n s}$ and so

$$\psi = e(g^s, a)\cdot g_k^{\,r_n s} = e\big(g^s, g_{k-1}^{\,\alpha - r_n}\big)\cdot g_k^{\,r_n s} = g_k^{\,\alpha s} = t^s = \gamma_0$$

if $\mu = 1$. □


6.3  Security  Proof 

Assume  there  is  an  adversary  Adv*  that  breaks  the  security  of  the  ABE  scheme.  We  construct 
an  adversary  Adv  that  breaks  the  (k,  f)-Multi-linear  Diffie-Hellman  Exponent  Assumption.  The 
adversary  Adv  is  given  a  challenge 


y 


Cl 


■  -,g 


J+ 2 

,9 1 


,  •  •  •  ,9 


,gc\...,9Ck,P) 


j+ 1 


n2 


where  f3  is  either  gk  ~l~  or  a  random  element  of  Gk ■  The  adversary  invokes  Adv*  and  gets 
x*  as  the  challenge  index.  Let  X  be  the  set  of  indices  i  such  that  Xi  =  1.  The  adversary  will  ensure 
the  following  induction:  for  every  inactive  wire  w  at  depth  j,  rw  =  c\+1  ri2<i<i  c*  (plus  known 
randomness).  Hence,  for  all  input  wires  w,  rw  =  ck+1  (plus  known  randomness). 

We  now  define  simulated  experiments  which  Adv  will  be  using  to  break  the  assumption. 


Setup*(l/):  For  each  input  bit  i  ^  X,  choose  a  random  element  bi  in  Zg  and  implicitly  set  qi  = 
c\+1~l  +  6j.  For  each  i  6  X,  choose  a  random  qt  G  7Lq.  Let  g  =  g\  be  the  generator  of  the  first 

group.  For  all  i,  compute  hi  =  gqi.  Randomly  choose  7  and  let  t  =  gk  =  gk  1+7 

which  can  be  computed  from  the  challenge  component  by  repeated  pairing.  Set  the  master 
public  key 

mpk  :=  (hi,  ...,he,t) 
and  the  master  secret  key  as  msk  :=_L. 

Keygen*  (C,  msk):  The  key-generation  algorithm  takes  a  circuit  C  with  t  input  bits  and  a 
master  secret  key  msk  and  outputs  a  secret  key  skc  defined  as  follows. 


1.  For  all  i  €  X,  choose  randomly  rt  £  7Lq.  For  all  i  (f  X,  randomly  choose  £  7Lq  and 
implicitly  set  jy  =  c(+1  +  /*  (that  is,  we  embed  the  challenge  into  the  attributes  ^  X). 

2.  For  all  i  £  [£],  choose  pt  £  7Lq  at  random  and  implicitly  set  Zi  =  —c\  +  Pi- 
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3.  Compute  the  matrix  M : 


g  Zl 

9  Z2 

9  Z3 

. .  «rz* 

(hi)Zlgri 

(■ h i)Z2 

0 hi)z 3  • 

.  .  (/*!)* 

C h2)Z2gr 2 

(M*3  • 

•  •  (h2)z‘ 

(hs)zi 

(hz)Z2 

C h3)Z3gr 3  • 

■  ■  (hs)z‘ 

(■ ht)z 1 

(hif2 

(MZ3  • 

■■  {he)Zigr 

4. We now argue that the adversary can compute every entry of the matrix $M$.

(a) Entries of the first row can be computed as $g^{-z_i} = g^{c_1^{i} - p_i} = g^{c_1^{i}}\cdot g^{-p_i}$, where $p_i$ is known and $g^{c_1^{i}}$ is a challenge component.

(b) Consider the diagonal entries $i = j$. If $i \notin X$, then
$$(h_i)^{z_i}\cdot g^{r_i} = g^{(c_1^{\ell+1-i}+b_i)(-c_1^{i}+p_i)}\cdot g^{c_1^{\ell+1}+f_i} = g^{\,c_1^{\ell+1-i}p_i - b_i c_1^{i} + b_i p_i + f_i},$$
where the two $c_1^{\ell+1}$ terms cancel, so only challenge components $g^{c_1^{m}}$ with $m \le \ell$ and known randomness are needed. If $i \in X$, then $q_i$ and $r_i$ are known and $g^{z_i}$ can be computed as in (a), so the entry $(g^{z_i})^{q_i}\cdot g^{r_i}$ is computable.

(c) Now consider the non-diagonal entries $i \ne j$. If $i \notin X$, then
$$(h_i)^{z_j} = \Big(g^{c_1^{\ell+1-i}+b_i}\Big)^{-c_1^{j}+p_j} = g^{-c_1^{\ell+1-i+j}}\cdot g^{-b_i c_1^{j}}\cdot g^{p_j c_1^{\ell+1-i}}\cdot g^{b_i p_j},$$
which can be computed given the challenge and the knowledge of $b_i, p_j$ (note that $\ell+1-i+j \ne \ell+1$ because $i \ne j$). Also, if $i \in X$, similarly
$$(h_i)^{z_j} = \big(g^{q_i}\big)^{-c_1^{j}+p_j} = g^{-q_i c_1^{j}}\cdot g^{q_i p_j}$$
can be computed given the challenge and the knowledge of $q_i, p_j$.

5. Consider a gate $\Gamma = (u, v, w)$ where the wires $u, v$ are at depth $j-1$ and $w$ is at depth $j$.

(a) If $\Gamma$ is an OR gate and $C(x^*)_w = 1$, then the values $r_w, a_w, b_w$ are chosen at random from $\mathbb{Z}_q$. Otherwise, we implicitly set $a_w = c_j + d_w$ and $b_w = c_j + k_w$, where $d_w, k_w \in \mathbb{Z}_q$ are randomly chosen and $c_j$ is a value that is part of the challenge. Also, implicitly set $r_w = c_1^{\ell+1}\prod_{2 \le i \le j} c_i + e_w$, where $e_w \in \mathbb{Z}_q$ is randomly chosen. Compute
$$K_\Gamma = \Big(K_\Gamma^{A} = g^{a_w},\; K_\Gamma^{B} = g^{b_w},\; K_\Gamma^{C} = g_j^{\,r_w - a_w r_u},\; K_\Gamma^{D} = g_j^{\,r_w - b_w r_v}\Big).$$
Note that in the case $C(x^*)_w = 0$,
$$\begin{aligned}
r_w - a_w r_u &= c_1^{\ell+1}\prod_{2 \le i \le j} c_i + e_w - (c_j + d_w)\Big(c_1^{\ell+1}\prod_{2 \le i \le j-1} c_i + e_u\Big) \\
&= -\,c_j e_u - d_w\, c_1^{\ell+1}\prod_{2 \le i \le j-1} c_i - d_w e_u + e_w.
\end{aligned}$$
Hence, the component $K_\Gamma^{C}$ can be computed by pairing $j$ elements from the challenge, $g^{c_1}, g^{c_1^{\ell}}, g^{c_2}, \ldots, g^{c_{j-1}}$, together with $g^{c_j}$ and the known randomness. Similarly for the term $K_\Gamma^{D}$.


(b) Else if $\Gamma$ is an AND gate and $C(x^*)_w = 1$, then the values $r_w, a_w, b_w$ are chosen at random from $\mathbb{Z}_q$, and the adversary computes
$$K_\Gamma = \Big(K_\Gamma^{A} = g^{a_w},\; K_\Gamma^{B} = g^{b_w},\; K_\Gamma^{C} = g_j^{\,r_w - a_w r_u - b_w r_v}\Big).$$
Otherwise, if $C(x^*)_u = 0$, then implicitly set $r_w = c_1^{\ell+1}\prod_{2 \le i \le j} c_i + e_w$ and $a_w = c_j + d_w$, where $e_w, d_w$ are randomly chosen. Also, choose $b_w$ at random. Again, the adversary can compute
$$K_\Gamma = \Big(K_\Gamma^{A} = g^{a_w},\; K_\Gamma^{B} = g^{b_w},\; K_\Gamma^{C} = g_j^{\,r_w - a_w r_u - b_w r_v}\Big).$$
Note that
$$\begin{aligned}
r_w - a_w r_u - b_w r_v &= c_1^{\ell+1}\prod_{2 \le i \le j} c_i + e_w - (c_j + d_w)\Big(c_1^{\ell+1}\prod_{2 \le i \le j-1} c_i + e_u\Big) - b_w r_v \\
&= e_w - c_j e_u - d_w\, c_1^{\ell+1}\prod_{2 \le i \le j-1} c_i - d_w e_u - b_w r_v.
\end{aligned}$$
Hence, $K_\Gamma^{C}$ can be computed by the adversary by applying $j$ pairings to the challenge components $g^{c_1}, g^{c_1^{\ell}}, g^{c_2}, \ldots, g^{c_{j-1}}$ and using the other known randomness components.

The adversary performs the symmetric operations if $C(x^*)_v = 0$.

6. Set $\sigma = g^{\alpha - r_n}$, where $n$ is the output wire. Note that since $C(x^*) = 0$, the component $r_n$ embeds part of the challenge. Hence, $\sigma$ can be computed by the adversary due to cancellation in the exponent:
$$\alpha - r_n = c_1^{\ell+1}\prod_{2 \le i \le k-1} c_i + \gamma - \Big(c_1^{\ell+1}\prod_{2 \le i \le k-1} c_i + e_n\Big) = \gamma - e_n.$$

7. Define and output the secret key as
$$\mathsf{sk}_C := \big(C,\; \{K_\Gamma\}_{\Gamma \in C},\; \sigma\big).$$

$\mathsf{Enc}^*(\mathsf{mpk}, x^*, m)$: The encryption algorithm takes the master public key $\mathsf{mpk}$, an index $x^*$ and a message $m$, and outputs a ciphertext $\mathsf{ct}_{x^*}$ defined as follows. Let $X$ be the set of indices $i$ such that $x^*_i = 1$. Implicitly let $s = c_k$. Let $\gamma_0 := \beta\cdot g_k^{\gamma c_k}$. Output the ciphertext
$$\mathsf{ct}_{x^*} := \Big(x^*,\; \gamma_0,\; g^{c_k},\; \gamma_1 = \Big(\prod_{i \in X} h_i\Big)^{c_k}\Big),$$
where $b$ is a randomly chosen bit. Note that $(\prod_{i \in X} h_i)^{c_k}$ can be computed given the challenge component $g^{c_k}$ and the known randomness $q_i$ for $i \in X$. If $\beta = g_k^{\,c_1^{\ell+1}\prod_{2 \le i \le k-1} c_i\cdot c_k}$, then
$$\beta\cdot g_k^{\gamma c_k} = g_k^{\left(c_1^{\ell+1}\prod_{2 \le i \le k-1} c_i + \gamma\right) c_k} = t^{c_k} = t^{s},$$
which corresponds to an encryption of 1. Otherwise, if $\beta$ is randomly chosen in $G_k$, this corresponds to an encryption of 0.

The adversary Adv uses the above simulated algorithms to answer the queries of Adv$^*$. If Adv$^*$ returns $m = 1$, then Adv outputs that $\beta = g_k^{\,c_1^{\ell+1}\prod_{2 \le i \le k-1} c_i\cdot c_k}$; otherwise, it outputs that $\beta$ is randomly chosen in the target group.
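The following is an added example and not part of the original proof: a toy "multilinear map in the clear" (group elements modelled as a level plus an exponent mod $q$) used to check the exponent bookkeeping of steps 4(b) and 5(a) above. The simulator functions only touch challenge elements and known scalars, and the check compares them with the same elements computed from the secret values. The shape of the challenge ($g^{c_1^m}$ for $m \neq \ell+1$, and $g^{c_i}$ for $i \ge 2$) is inferred from what the reduction says it can compute and is an assumption, as are the toy parameters $q$, $\ell = 3$ and $k = 4$.

```python
# Added illustration of the reduction's exponent bookkeeping; toy parameters
# and the assumed challenge shape are not from the page.
from dataclasses import dataclass
from functools import reduce
import random

q = 1_000_003          # toy prime group order (assumption)
ELL, K = 3, 4          # ell input bits, k-linear map (toy sizes, assumption)


@dataclass(frozen=True)
class Elem:
    """A group element at some level, represented by its exponent mod q."""
    level: int
    exp: int

    def __mul__(self, other):          # group operation within one level
        assert self.level == other.level, "group operation needs equal levels"
        return Elem(self.level, (self.exp + other.exp) % q)

    def __pow__(self, k):              # exponentiation by a *known* scalar
        return Elem(self.level, (self.exp * k) % q)


G1 = Elem(1, 1)                        # the generator g = g_1


def pair(*elems):                      # multilinear map: levels add, exponents multiply
    return Elem(sum(e.level for e in elems),
                reduce(lambda acc, e: acc * e.exp % q, elems, 1))


def lift(e, level):                    # pair with the generator to reach a higher level
    return pair(e, *([G1] * (level - e.level)))


def make_challenge(rng):
    """Assumed challenge: g^{c_1^m} for m in [1, 2*ell] \\ {ell+1}, and g^{c_i}, 2<=i<=k."""
    c = [None] + [rng.randrange(1, q) for _ in range(K)]      # secret c[1..K]
    chal = {("pow", m): Elem(1, pow(c[1], m, q))
            for m in range(1, 2 * ELL + 1) if m != ELL + 1}
    chal.update({("c", i): Elem(1, c[i]) for i in range(2, K + 1)})
    return c, chal


def sim_or_gate_component(chal, j, d_w, e_u, e_w):
    """Step 5(a): K^C = g_j^{r_w - a_w r_u} for an OR gate at depth j with
    C(x*)_w = 0, built from challenge elements and known scalars only."""
    assert 2 <= j <= K - 1
    # -d_w * c_1^{ell+1} * prod_{2<=i<=j-1} c_i : exactly j challenge elements
    top = pair(chal[("pow", 1)], chal[("pow", ELL)],
               *[chal[("c", i)] for i in range(2, j)]) ** (-d_w)
    mid = lift(chal[("c", j)], j) ** (-e_u)                  # -c_j * e_u
    rest = lift(G1, j) ** (e_w - d_w * e_u)                  # known scalars only
    return top * mid * rest


def real_or_gate_component(c, j, d_w, e_u, e_w):
    """The same element computed with full knowledge of the secrets."""
    prod = lambda hi: reduce(lambda acc, i: acc * c[i] % q, range(2, hi + 1), 1)
    r_u = (pow(c[1], ELL + 1, q) * prod(j - 1) + e_u) % q
    r_w = (pow(c[1], ELL + 1, q) * prod(j) + e_w) % q
    a_w = (c[j] + d_w) % q
    return Elem(j, (r_w - a_w * r_u) % q)


def sim_diagonal_entry(chal, i, b_i, p_i, f_i):
    """Step 4(b), i not in X: (h_i)^{z_i} g^{r_i} at level 1, without g^{c_1^{ell+1}}."""
    return (chal[("pow", ELL + 1 - i)] ** p_i) * (chal[("pow", i)] ** (-b_i)) \
        * (G1 ** (b_i * p_i + f_i))


def real_diagonal_entry(c, i, b_i, p_i, f_i):
    q_i = (pow(c[1], ELL + 1 - i, q) + b_i) % q
    z_i = (-pow(c[1], i, q) + p_i) % q
    r_i = (pow(c[1], ELL + 1, q) + f_i) % q
    return Elem(1, (q_i * z_i + r_i) % q)


def check(seed=0):
    """True iff simulator and real computation agree for every depth and input index."""
    rng = random.Random(seed)
    c, chal = make_challenge(rng)
    d_w, e_u, e_w, b_i, p_i, f_i = (rng.randrange(q) for _ in range(6))
    ok_gate = all(sim_or_gate_component(chal, j, d_w, e_u, e_w)
                  == real_or_gate_component(c, j, d_w, e_u, e_w) for j in range(2, K))
    ok_diag = all(sim_diagonal_entry(chal, i, b_i, p_i, f_i)
                  == real_diagonal_entry(c, i, b_i, p_i, f_i) for i in range(1, ELL + 1))
    return ok_gate and ok_diag


if __name__ == "__main__":
    print("simulator matches real key components:", check())
```

The point of the model is the `assert` in `__mul__` and the absence of `("pow", ELL + 1)` from the challenge: the simulator cannot form $g_1^{c_1^{\ell+1}}$ at level 1 and must rely on the cancellation in step 4(b), while at level $j \ge 2$ it reaches $c_1^{\ell+1}\prod c_i$ by pairing $g^{c_1}$ with $g^{c_1^{\ell}}$, which is exactly the count of $j$ pairings stated in step 5.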


7  Applications  and  Extensions 

7.1  Single-Key  Functional  Encryption  and  Reusable  Garbled  Circuits 

Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich showed how to obtain Single-Key Functional Encryption (SKFE) and Reusable Garbled Circuits from: (1) Attribute-based Encryption, (2) Fully-Homomorphic Encryption and (3) "one-time" Garbled Circuits [GKP+13b]. In this section we show what we gain in efficiency in the secret key and ciphertext sizes for these two constructions by using our ABE schemes.

Theorem 7.1 ([GKP+13b]). There is a (fully/selectively secure) single-key functional encryption scheme $\mathsf{FE}$ for any class of circuits $\mathcal{C}$ that take $\ell$ bits of input and produce a one-bit output, assuming the existence of (1) a $\mathcal{C}$-homomorphic encryption scheme, (2) a (fully/selectively) secure ABE scheme for a related class of predicates and (3) Yao's garbling scheme, where:

1. The size of the secret key is $2\cdot\alpha\cdot\mathsf{abe.keysize}$, where $\mathsf{abe.keysize}$ is the size of the ABE key for the circuit performing homomorphic evaluation of $C$ and outputting a bit of the resulting ciphertext.

2. The size of the ciphertext is $2\cdot\alpha\cdot\mathsf{abe.ctsize}(\ell\cdot\alpha + \gamma) + \mathrm{poly}(\lambda, \alpha, \beta)$,

where $(\alpha, \beta, \gamma)$ denote the sizes of the FHE (ciphertext, secret key, public key), respectively, $\mathsf{abe.keysize}$ and $\mathsf{abe.ctsize}(k)$ are the sizes of an ABE secret key and of an ABE ciphertext on a $k$-bit attribute vector, and $\lambda$ is the security parameter.

Since FHE (and Yao's garbled circuits) can also be instantiated assuming the sub-exponential hardness of LWE ([BV11], [BGV12]), we obtain the following corollaries.

Corollary 7.2. Combining our short secret key ABE construction (Theorem f.4) and Theorem 7.1, we obtain a single-key functional encryption scheme for a circuit class $\mathcal{C}$ with depth at most $d_{\max}$, where the secret key size is $\mathrm{poly}(d_{\max}, \lambda)$ and $\lambda$ is the security parameter.

To obtain a short ciphertext for the functional encryption scheme, we need another observation. There exists a fully-homomorphic encryption scheme where a ciphertext encrypting $k$ bits of input is of size $k + \mathrm{poly}(\lambda)$, where $\lambda$ is the security parameter. We refer the reader to the full version for further details.

Corollary 7.3. Combining the above observation, our short ciphertext ABE construction (Theorem 6.1) and Theorem 7.1, we obtain a single-key functional encryption scheme for any circuit class $\mathcal{C}$ with depth at most $d_{\max}$ and $\ell$-bit inputs, where the size of the ciphertext is $\ell + \mathrm{poly}(d_{\max}, \lambda)$ and $\lambda$ is the security parameter.

Next, we apply our results to get the optimal construction of reusable garbled circuits.

Theorem 7.4 ([GKP+13b]). There exists a reusable garbling scheme for any class of circuits $\mathcal{C}$ that take $\ell$ bits of input, assuming the existence of (1) a symmetric-key encryption algorithm and (2) a single-key functional encryption scheme for $\mathcal{C}$, where:

1. The size of the secret key is $|C| + \mathsf{fe.keysize} + \mathrm{poly}(\lambda)$, where $\mathsf{fe.keysize}$ is the size of the FE key for the circuit performing symmetric-key decryption and evaluation of $C$.

2. The size of the ciphertext is $\mathsf{fe.ctsize}(\lambda + \ell)$,

where $\mathsf{fe.ctsize}(\lambda + \ell)$ is the size of an FE ciphertext on a $(\lambda + \ell)$-bit input.

Corollary 7.5. From Corollary 7.2 and Theorem 7.4, we obtain a reusable garbled circuits scheme for any class of polynomial-size circuits with depth at most $d_{\max}$, where the secret key size is $|C| + \mathrm{poly}(d_{\max}, \lambda)$.

Corollary 7.6. From Corollary 7.3 and Theorem 7.4, we obtain a reusable garbled circuits scheme for any class of polynomial-size circuits with depth at most $d_{\max}$ and $\ell$-bit inputs, where the ciphertext size is $\ell + \mathrm{poly}(d_{\max}, \lambda)$.

8  Conclusions  and  open  problems 

We presented an ABE for arithmetic circuits with short secret keys whose security is based on the LWE problem. At the heart of our construction is a method for transforming a noisy vector of the form
$$c = \big(A \mid x_1 G + B_1 \mid \cdots \mid x_\ell G + B_\ell\big)^{\mathsf{T}} s + e$$
into a vector $(A \mid yG + B_f)^{\mathsf{T}} s + e_f$, where $y = f(x_1, \ldots, x_\ell)$ and $e_f$ is not much longer than $e$. The short decryption key $\mathsf{sk}_f$ provides a way to decrypt when $y = 0$. We refer to this property as a public-key homomorphism and expect it to find other applications.
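The following toy instance of the transformation just described is an added example and is not code from the paper. It uses the standard gadget matrix $G = I_n \otimes (1, 2, 4, \ldots)$ with its bit-decomposition inverse $G^{-1}$, and the evaluation rules $B_+ = B_1 + B_2$ for addition and $B_\times = -B_1\, G^{-1}(B_2)$ for multiplication (with $c_\times = x_1 c_2 - G^{-1}(B_2)^{\mathsf T} c_1$). The page states only the property, so these rules, the power-of-two modulus and the tiny dimensions are assumptions made here for illustration; the script verifies that the evaluated vector really has the form $(yG + B_f)^{\mathsf T}s + e_f$ with small $e_f$ for $f(x) = x_1 x_2 + x_3$.

```python
# Added toy example of the "public-key homomorphism": evaluate f on the
# public attributes and the B_i matrices while the noisy LWE vectors follow.
# Parameters are toy values (assumption), not from the paper.
import random

Q = 1 << 10                 # modulus; a power of two makes the gadget exact
K = Q.bit_length() - 1      # bits per coordinate (10)
N = 3                       # toy LWE dimension
M = N * K                   # width of G and of every B_i


def gadget():               # G = I_N (x) (1, 2, 4, ..., 2^{K-1}), shape N x M
    G = [[0] * M for _ in range(N)]
    for r in range(N):
        for j in range(K):
            G[r][r * K + j] = 1 << j
    return G


G = gadget()


def gadget_inv(B):
    """Bit-decompose B (N x M) into a {0,1} matrix R (M x M) with G * R = B mod Q."""
    R = [[0] * M for _ in range(M)]
    for col in range(M):
        for r in range(N):
            for j in range(K):
                R[r * K + j][col] = (B[r][col] >> j) & 1
    return R


def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]


def transpose_times(B, s):  # B^T s  for B of shape len(s) x M
    return [sum(B[r][c] * s[r] for r in range(len(s))) % Q for c in range(M)]


def attr_matrix(x, B):      # x*G + B  (mod Q)
    return [[(x * G[r][c] + B[r][c]) % Q for c in range(M)] for r in range(N)]


def encode(x, B, s, e):     # the i-th block of c: (x G + B)^T s + e
    return [(v + ei) % Q for v, ei in zip(transpose_times(attr_matrix(x, B), s), e)]


def eval_add(c1, B1, c2, B2):        # y = x1 + x2,  B_+ = B1 + B2, noise e1 + e2
    return ([(a + b) % Q for a, b in zip(c1, c2)],
            [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(B1, B2)])


def eval_mul(x1, c1, B1, c2, B2):    # y = x1*x2, B_x = -B1 G^{-1}(B2)
    R = gadget_inv(B2)
    RTc1 = [sum(R[t][c] * c1[t] for t in range(M)) % Q for c in range(M)]
    c = [(x1 * b - a) % Q for a, b in zip(RTc1, c2)]   # x1*c2 - R^T c1
    B = [[(-v) % Q for v in row] for row in mat_mul(B1, R)]
    return c, B                      # noise becomes x1*e2 - R^T e1 (small if x1 is)


def centred(v):
    v %= Q
    return v - Q if v > Q // 2 else v


def max_noise(c, y, B, s):
    """Largest |e_f| coordinate if c = (yG + B)^T s + e_f; large if y is wrong."""
    return max(abs(centred(ci - vi))
               for ci, vi in zip(c, transpose_times(attr_matrix(y, B), s)))


def demo(x=(1, 1, 1), seed=1):
    """Evaluate f(x) = x1*x2 + x3 homomorphically; return (y, max |e_f|)."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    Bs = [[[rng.randrange(Q) for _ in range(M)] for _ in range(N)] for _ in x]
    es = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in x]   # |e_i| <= 1
    cs = [encode(xi, Bi, s, ei) for xi, Bi, ei in zip(x, Bs, es)]
    c12, B12 = eval_mul(x[0], cs[0], Bs[0], cs[1], Bs[1])
    cf, Bf = eval_add(c12, B12, cs[2], Bs[2])
    y = (x[0] * x[1] + x[2]) % Q
    return y, max_noise(cf, y, Bf, s)


if __name__ == "__main__":
    print("y = %d, max noise = %d (bound %d)" % (*demo(), M + 2))
```

The noise after a multiplication is $x_1 e_2 - G^{-1}(B_2)^{\mathsf T} e_1$, bounded by $|x_1| + m$ here since $G^{-1}(\cdot)$ is binary; this is also why the open problem below mentions multiplication gates with inputs as large as $q$: the bound scales with the attribute value $x_1$, not just with the noise.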

A natural open problem that remains is to provide adaptive security from LWE with a polynomial-time reduction. It would also be useful to construct an efficient ABE for arithmetic circuits where multiplication gates can handle inputs as large as the modulus $q$.
Abstract

Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct single-key functional encryption scheme.

Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key sk_f for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomial-time function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key sk_f (or even an a priori bounded number of keys for different functions).

Building  on  our  succinct  single -key  functional  encryption  scheme,  we  show  several  new  applications 
in  addition  to  reusable  garbled  circuits,  such  as  a  paradigm  for  general  function  obfuscation  which  we  call 
token-based  obfuscation,  homomorphic  encryption  for  a  class  of  Turing  machines  where  the  evaluation 
runs  in  input-specific  time  rather  than  worst-case  time,  and  a  scheme  for  delegating  computation  which  is 
publicly  verifiable  and  maintains  the  privacy  of  the  computation. 
1 Introduction


Breaches of confidential data are commonplace: personal information of millions of people, such as financial, medical, customer, and employee data, is disclosed every year [Pri12, Ver]. These disclosures often happen because untrustworthy systems handle confidential data. As applications move to cloud computing platforms, ensuring data confidentiality on third-party servers that may be untrustworthy becomes a top concern [Dav12].

A powerful technique for preventing data disclosures without having to ensure the server is trustworthy is to encrypt the data provided to the server and then compute on the encrypted data. Thus, if the server does not have access to the plaintext or to the decryption key, it will be unable to disclose confidential data. The big leap of the last decade towards computing over encrypted data has been fully homomorphic encryption (FHE) [Gen09, DGHV10, SS10b, BV11b, BV11a, Vai11, BGV12, GHS12a, GHS12b, LTV12, Bra12].

A fundamental question with this approach is: who can decrypt the results of computations on encrypted data? If data is encrypted using FHE, anyone can perform a computation on it (with knowledge of the public key), while the result of the computation can be decrypted only using the secret key. However, the secret key allows decrypting all data encrypted under the corresponding public key. This model suffices for certain applications, but it rules out a large class of applications in which the party computing on the encrypted data needs to determine the computation result on its own. For example, spam filters should be able to determine if an encrypted email is spam and discard it, without learning anything else about the email's content. With FHE, the spam filter can run the spam detection algorithm homomorphically on an encrypted email and obtain an encrypted result; however, it cannot tell if the algorithm deems the email spam or not. Having the data owner provide the decryption key to the spam filter is not a solution: the spam filter can now decrypt all the emails as well!

A promising approach to this problem is functional encryption [SW05, GPSW06, KSW08, LOS+10, OT10, O'N10, BSW]. In functional encryption, anyone can encrypt data with a master public key mpk and the holder of the master secret key can provide keys for functions, for example sk_f for function f. Anyone with access to a key sk_f and a ciphertext c for x can obtain the result of the computation in plaintext form: f(x). The security of FE requires that the adversary does not learn anything about x, other than the computation result f(x). It is easy to see, for example, how to solve the above spam filter problem with a functional encryption scheme. A user Alice publishes her public key online and gives the spam filter a key for the filtering function. Users sending email to Alice will encrypt the email with her public key. The spam filter can now determine by itself, for each email, whether to store it in Alice's mailbox or to discard it as spam, without learning anything about Alice's email (except for whether it was deemed spam or not).

The  recent  impossibility  result  of  Agrawal,  Gorbunov,  Vaikuntanathan  and  Wee  [AGVW12]  says  that 
functional  encryption  schemes  where  an  adversary  can  receive  an  arbitrary  number  of  keys  for  general 
functions  are  impossible  for  a  natural  simulation-based  security  definition;1  stated  differently,  any  functional 
encryption  scheme  that  can  securely  provide  q  keys  for  general  functions  must  have  ciphertexts  growing 
linearly  in  q.  Since  any  scheme  that  can  securely  provide  a  single  key  yields  a  scheme  that  can  securely 
provide  q  keys  by  repetition,  the  question  becomes  if  one  can  construct  a  functional  encryption  scheme  that 
can  securely  provide  a  single  key  for  a  general  function  under  this  simulation-based  security  definition.  Such 
a  single-key  functional  encryption  scheme  is  a  powerful  tool,  enabling  the  applications  we  will  discuss. 

In  this  paper,  we  construct  the  first  single-key  functional  encryption  scheme  for  a  general  function  that 
is  succinct :  the  size  of  the  ciphertext  grows  with  the  depth  d  of  the  circuit  computing  the  function  and  is 

1 This impossibility result holds for non-adaptive simulation-based security, which is weaker than some existing simulation-based definitions such as adaptive security. Nevertheless, this result does not carry over to indistinguishability-based definitions, for which possibility or impossibility is currently an open question. In this paper, we are interested in achieving the simulation-based definition.
independent of the size of the circuit. Up until our work, the known constructions of functional encryption were quite limited. First, the works of Boneh and Waters [BW07], Katz, Sahai and Waters [KSW08], Agrawal, Freeman and Vaikuntanathan [AFV11], and Shen, Shi and Waters [SSW09] show functional encryption schemes (based on different assumptions) for a very simple function: the inner product function f_y (or a variant of it), that on input x outputs 1 if and only if ⟨x, y⟩ = 0.2 These works do not shed light on how to extend beyond inner products. Second, Sahai and Seyalioglu [SS10a] and Gorbunov, Vaikuntanathan and Wee [GVW12] provide a construction for single-key functional encryption for one general function with a non-succinct ciphertext size (at least the size of a universal circuit computing the functions allowed by the scheme3). [SS10a] was the first to introduce the idea of single-key functional encryption and [GVW12] also extends it to allow the adversary to see secret keys for q functions of his choice, by increasing the size of the ciphertexts linearly with q where q is known in advance.4 We emphasize that the non-succinctness of these schemes is particularly undesirable and it precludes many useful applications of functional encryption (e.g., delegation, reusable garbled circuits, FHE for Turing machines), which we achieve. For example, in the setting of delegation, a data owner wants to delegate her computation to a cloud, but the mere effort of encrypting the data is greater than computing the circuit directly, so the owner is better off doing the computation herself.

We remark that functional encryption (FE) arises from, and generalizes, a beautiful sequence of papers on attribute-based encryption (including [SW05, GPSW06, BSW07, GJPS08, LOS+10, Wat11, Wat12, LW12]), and more generally predicate encryption (including [BW07, KSW08, OT09]). We denote by attribute-based encryption (ABE) an encryption scheme where each ciphertext c of an underlying plaintext message m is tagged with a public attribute x. Each secret key sk_f is associated with a predicate f. Given a key sk_f and a ciphertext c = Enc(x, m), the message m can be recovered if and only if f(x) is true. Whether the message gets recovered or not, the attribute x is always public; in other words, the input to the computation of f, x, leaks with attribute-based encryption, whereas with functional encryption, nothing leaks about x other than f(x). Therefore, attribute-based encryption offers qualitatively weaker security than functional encryption. Attribute-based encryption schemes were also called public-index predicate encryption schemes in the literature [BSW]. Boneh and Waters [BW07] introduced the idea of not leaking the attribute as in functional encryption (also called private-index functional encryption).

Very  recently,  the  landscape  of  attribute-based  encryption  has  significantly  improved  with  the  works  of 
Gorbunov,  Vaikuntanathan  and  Wee  [GVW13],  and  Sahai  and  Waters  [SW12],  who  construct  attribute-based 
encryption  schemes  for  general  functions,  and  are  a  building  block  for  our  results. 

1.1  Our  Results 

Our  main  result  is  the  construction  of  a  succinct  single-key  functional  encryption  scheme  for  general  functions . 
We  demonstrate  the  power  of  this  result  by  showing  that  it  can  be  used  to  address  the  long-standing  open 
problem  in  cryptography  of  reusing  garbled  circuits,  as  well  as  making  progress  on  other  open  problems. 

We can state our main result as a reduction from any attribute-based encryption and any fully homomorphic encryption scheme. In particular, we show how to construct a (single-key and succinct) functional encryption scheme for any class of functions $\mathcal{F}$ by using a homomorphic encryption scheme which can do homomorphic evaluations for any function in $\mathcal{F}$ and an attribute-based encryption scheme for a

2 These inner-product schemes allow an arbitrary number of keys.

3 A universal circuit $\mathcal{U}$ is a circuit that takes as input a description of a circuit f and an input string x, runs f on x and outputs f(x).

4 Namely, parameter q (the maximum number of keys allowed) is fixed during setup, and the ciphertext size grows linearly with q.
"slightly larger" class of functions $\mathcal{F}'$: $\mathcal{F}'$ is the class of functions such that for any function f $\in \mathcal{F}$, the class $\mathcal{F}'$ contains the function computing the i-th bit of the FHE evaluation of f.

Theorem 1.1 (Informal). There is a single-key functional encryption scheme with succinct ciphertexts (independent of circuit size) for the class of functions $\mathcal{F}$ assuming the existence of

• a fully homomorphic encryption scheme for the class of functions $\mathcal{F}$, and

• a (single-key) attribute-based encryption scheme for a class of predicates $\mathcal{F}'$ (as above).

The  literature  has  considered  two  types  of  security  for  ABE  and  FE:  selective  and  full  security  (see 
Sec.  2.6).  We  show  that  if  the  underlying  ABE  scheme  is  selectively  or  fully  secure,  our  resulting  FE  scheme 
is  selectively  or  fully  secure,  respectively. 

Two very recent results achieve attribute-based encryption for general functions. Gorbunov, Vaikuntanathan and Wee [GVW13] achieve ABE for general circuits of bounded depth based on the subexponential Learning With Errors (LWE) intractability assumption. Sahai and Waters [SW12] achieve ABE for general circuits under the less standard k-Multilinear Decisional Diffie-Hellman assumption (see [SW12] for more details); however, when instantiated with the only construction of multilinear maps currently known [GGH12], they also achieve ABE for general circuits of bounded depth. Our scheme can be instantiated with any of these schemes because our result is a reduction.

When coupling our theorem with the ABE result of [GVW13] and the FHE scheme of [BV11a, BGV12], we obtain:

Corollary  1.2  (Informal).  Under  the  subexponential  LWE  assumption,  for  any  depth  d,  there  is  a  single-key 
functional  encryption  scheme  for  general  functions  computable  by  circuits  of  depth  d.  The  scheme  has 
succinct  ciphertexts:  their  size  is  polynomial  in  the  depth  d  (and  does  not  depend  on  the  circuit  size). 

This  corollary  holds  for  both  selective  and  full  security  definitions,  since  [GVW13]  constructs  both 
selectively  secure  and  fully  secure  ABE  schemes.  However,  the  parameters  of  the  LWE  assumption  are 
different  in  the  two  cases  (Sec.  2.3). 

Another  corollary  of  our  theorem  is  that,  given  a  universal  ABE  scheme  (the  scheme  is  for  all  classes  of 
circuits,  independent  of  depth)  and  any  fully  homomorphic  encryption  scheme,  there  is  a  universal  functional 
encryption  scheme  whose  ciphertext  size  does  not  depend  on  the  circuit’s  size  or  even  the  circuit’s  depth. 

As mentioned, extending our scheme to be secure against an adversary who receives q keys is straightforward. The basic idea is simply to repeat the scheme q times in parallel. This strategy results in the ciphertext size growing linearly with q, which is unavoidable for the simulation-based security definition we consider, because of the discussed impossibility result [AGVW12]. Stated in these terms, our scheme is also a q-collusion-resistant functional encryption scheme like [GVW12], but our scheme's ciphertexts are succinct, whereas [GVW12]'s are proportional to the circuit size.

From  now  on,  we  restrict  our  attention  to  the  single-key  case,  which  is  the  essence  of  the  new  scheme. 
In  the  body  of  the  paper  we  often  omit  the  single-key  or  succinct  adjectives  and  whenever  we  refer  to  a 
functional  encryption  scheme,  we  mean  a  succinct  single-key  functional  encryption  scheme. 

We  next  show  how  to  use  our  main  theorem  to  make  significant  progress  on  some  of  the  most  intriguing 
open  questions  in  cryptography  today:  the  reusability  of  garbled  circuits,  a  new  paradigm  for  general  function 
obfuscation,  as  well  as  applications  to  fully  homomorphic  encryption  with  evaluation  running  in  input-specific 
time  rather  than  in  worst-case  time,  and  to  publicly  verifiable  delegation.  Succinctness  plays  a  central  role  in 
these  applications  and  they  would  not  be  possible  without  it. 
1.1.1 Main Application: Reusable Garbled Circuits

A  circuit  garbling  scheme,  which  has  been  one  of  the  most  useful  primitives  in  modern  cryptography,  is  a 
construction  originally  suggested  by  Yao  in  the  80s  in  the  context  of  secure  two-party  computation  [Yao82]. 
This  construction  relies  on  the  existence  of  a  one-way  function  to  encode  an  arbitrary  circuit  C  (“garbling” 
the  circuit)  and  then  encode  any  input  x  to  the  circuit  (where  the  size  of  the  encoding  is  short,  namely,  it  does 
not  grow  with  the  size  of  the  circuit  C);  a  party  given  the  garbling  of  C  and  the  encoding  of  x  can  run  the 
garbled  circuit  on  the  encoded  x  and  obtain  C(x).  The  most  basic  properties  of  garbled  circuits  are  circuit 
and  input  privacy:  an  adversary  learns  nothing  about  the  circuit  C  or  the  input  x  other  than  the  result  C(x). 

Over  the  years,  garbled  circuits  and  variants  thereof  have  found  many  applications:  two  party 
secure  protocols  [Yao86],  multi-party  secure  protocols  [GMW87],  one-time  programs  [GKR08],  KDM- 
security  [BHHI10],  verifiable  computation  [GGP10],  homomorphic  computations  [GHV10]  and  others. 
However,  a  basic  limitation  of  the  original  construction  remains:  it  offers  only  one-time  usage.  Specifically, 
providing  an  encoding  of  more  than  one  input  compromises  the  secrecy  of  the  circuit.  Thus,  evaluating  the 
circuit  C  on  any  new  input  requires  an  entirely  new  garbling  of  the  circuit. 
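The one-time limitation is easy to see on a single gate. The script below is an added example, not code from this paper or from [Yao82]: it garbles one two-input gate in the textbook way (a random 16-byte label per wire value, each table row encrypted with a SHA-256-derived one-time pad keyed by the two input labels, and an 8-byte zero tag so the evaluator recognises the row it can open), evaluates it honestly, and then shows what an evaluator learns once it holds encodings for two different inputs. The construction details are choices made here for illustration.

```python
# Added example: a minimal Yao-style garbled gate and the leak from reuse.
# Label length, tag and hash choices are illustrative assumptions.
import hashlib
import secrets

LABEL_LEN = 16
TAG = bytes(8)                        # zero tag marks a correctly opened row


def H(*labels):                       # key derivation for one table row
    return hashlib.sha256(b"".join(labels)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def garble_gate(gate):
    """gate: function {0,1}x{0,1} -> {0,1}.  Returns (labels, table, decode)."""
    labels = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
              for w in ("u", "v", "w")}          # (label for 0, label for 1)
    table = []
    for a in (0, 1):
        for b in (0, 1):
            pad = H(labels["u"][a], labels["v"][b])[:LABEL_LEN + len(TAG)]
            table.append(xor(pad, labels["w"][gate(a, b)] + TAG))
    secrets.SystemRandom().shuffle(table)        # hide which row is which
    decode = {labels["w"][0]: 0, labels["w"][1]: 1}   # output decoding info
    return labels, table, decode


def encode_input(labels, a, b):       # what the garbler hands out for input (a, b)
    return labels["u"][a], labels["v"][b]


def evaluate(table, lu, lv):
    """Open the one row the held labels unlock; return the output label."""
    pad = H(lu, lv)[:LABEL_LEN + len(TAG)]
    for row in table:
        pt = xor(pad, row)
        if pt[LABEL_LEN:] == TAG:
            return pt[:LABEL_LEN]
    raise ValueError("no row decrypted: wrong labels")


def leak_from_history(table, decode, history):
    """history: list of ((a, b), (lu, lv)) the evaluator has been given.
    Returns every truth-table entry the collected labels can now open."""
    known_u = {a: lu for (a, _), (lu, _) in history}
    known_v = {b: lv for (_, b), (_, lv) in history}
    return {(a, b): decode[evaluate(table, lu, lv)]
            for a, lu in known_u.items() for b, lv in known_v.items()}


def demo(gate=lambda a, b: a & b):
    """Return (leak after one input, leak after a second input)."""
    labels, table, decode = garble_gate(gate)
    first = [((0, 1), encode_input(labels, 0, 1))]
    second = first + [((1, 0), encode_input(labels, 1, 0))]
    return (leak_from_history(table, decode, first),
            leak_from_history(table, decode, second))


if __name__ == "__main__":
    one, two = demo()
    print("after one input :", one)    # a single output value, as intended
    print("after two inputs:", two)    # the whole truth table: gate type leaks
```

After one encoded input the evaluator opens exactly one row, which is all C(x) reveals. After encodings for (0, 1) and (1, 0) it holds both labels of both input wires, opens all four rows and reads the full truth table, so it can tell an AND gate from an XOR gate; in a larger circuit the same mixing of labels exposes every internal gate reachable from the inputs it saw. The fix is not a better gate encryption but a different primitive, which is what the reusable garbling scheme of this paper provides.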

The  problem  of  reusing  garbled  circuits  has  been  open  for  30  years.  Using  our  newly  constructed  succinct 
functional  encryption  scheme  we  are  now  able  to  build  reusable  garbled  circuits  that  achieve  circuit  and 
input  privacy,  a  garbled  circuit  for  any  computation  of  depth  d  (where  the  parameters  of  the  scheme  depend 
on  d),  which  can  be  run  on  any  polynomial  number  of  inputs  without  compromising  the  privacy  of  the  circuit 
or  the  input.  More  generally,  we  prove  the  following: 

Theorem  1.3  (Informal).  There  exists  a  polynomial  p,  such  that  for  any  depth  function  d,  there  is  a  reusable 
circuit  garbling  scheme  for  the  class  of  all  arithmetic  circuits  of  depth  d,  assuming  there  is  a  single-key 
functional  encryption  scheme  for  all  arithmetic  circuits  of  depth  p(d).5 

Corollary  1.4  (Informal).  Under  the  subexponential  LWE  assumption,  for  any  depth  function  d,  there  exists 
a  reusable  circuit  garbling  scheme  with  circuit  and  input  privacy  for  all  arithmetic  circuits  of  depth  d. 

Reusability  of  garbled  circuits  (for  depth-bounded  computations)  implies  a  multitude  of  applications 
as  evidenced  by  the  research  on  garbled  circuits  over  the  last  30  years.  We  note  that  for  many  of  these 
applications,  depth-bounded  computation  suffices.  We  also  note  that  some  applications  do  not  require  circuit 
privacy.  In  that  situation,  our  succinct  single-key  functional  encryption  scheme  already  provides  reusable 
garbled  circuits  with  input-privacy  and,  moreover,  the  encoding  of  the  input  is  a  public-key  algorithm. 

We remark that [GVW13] gives a restricted form of reusable circuit garbling: it provides authenticity of the circuit output, but does not provide input privacy or circuit privacy, as we do here. Informally, authenticity means that an adversary cannot obtain a different yet legitimate result from a garbled circuit. We note that most of the original garbled circuit applications (e.g., two party secure protocols [Yao86], multi-party secure protocols [GMW87]) rely on the privacy of the input or of the circuit.

One  of  the  more  intriguing  applications  of  reusable  garbled  circuits  pertains  to  a  new  model  for  program 
obfuscation,  token-based  obfuscation,  which  we  discuss  next. 

1.1.2  Token-Based  Obfuscation:  a  New  Way  to  Circumvent  Obfuscation  Impossibility  Results 

Program  obfuscation  is  the  process  of  taking  a  program  as  input,  and  producing  a  functionally  equivalent  but 
different  program,  so  that  the  new  program  reveals  no  information  to  a  computationally  bounded  adversary 

5 For this application we need to assume that the underlying functional encryption scheme is fully secure (as opposed to only selectively secure).
about the original program, beyond what "black box access" to the program reveals. Whereas ad-hoc program
obfuscators  are  built  routinely,  and  are  used  in  practice  as  the  main  software-based  technique  to  fight  reverse 
engineering  of  programs,  in  2000  Barak  et  al.  [BGI+01],  followed  by  Goldwasser  and  Kalai  [GK05],  proved 
that  program  obfuscation  for  general  functions  is  impossible  using  software  alone,  with  respect  to  several 
strong  but  natural  definitions  of  obfuscation. 

The results of [BGI+01, GK05] mean that there exist functions which cannot be obfuscated. Still, the need to obfuscate or "garble" programs remains. A long array of works attempts to circumvent the impossibility results in various ways, including adding secure hardware components [GKR08, GIS+10, BCG+11], relaxing the definition of security [GR07], or considering only specific functions [Wee05, CKVW10].

The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a
garbling of a circuit C and an encoding for an input x, one can learn the result of C(x) but nothing else. One
cannot help but wonder whether the new reusable garbling scheme would immediately imply a solution for
the obfuscation problem (which we know is impossible). Consider an example illustrating this intuition: a
vendor obfuscates her program (circuit) by garbling it and then gives the garbled circuit to a customer. In
order to run the program on (multiple) inputs x_i, the customer simply encodes the inputs according to the
garbling scheme and thus is able to compute C(x_i). Unfortunately, although close, this scenario does not
work with reusable garbled circuits. The key observation is that encoding x requires knowledge of a secret
key! Thus, an adversary cannot produce encoded inputs on its own, and needs to obtain “tokens” in the form
of encrypted inputs from the data owner.

Instead,  we  propose  a  new  token-based  model  for  obfuscation.  The  idea  is  for  a  vendor  to  obfuscate  an 
arbitrary  program  as  well  as  provide  tokens  representing  rights  to  run  this  program  on  specific  inputs.  For 
example,  consider  that  some  researchers  want  to  obtain  statistics  out  of  an  obfuscated  database  containing 
sensitive  information  (the  obfuscated  program  is  the  program  running  queries  with  the  secret  database 
hardcoded  in  it).  Whenever  the  researchers  want  to  input  a  query  x  to  this  program,  they  need  to  obtain 
a  token  for  x  from  the  program  owner.  To  produce  each  token,  the  program  owner  does  little  work.  The 
researchers  perform  the  bulk  of  the  computation  by  themselves  using  the  token  and  obtain  the  computation 
result  without  further  interaction  with  the  owner. 

Claim  1.5.  Assuming  a  reusable  garbling  scheme  for  a  class  of  circuits,  there  is  a  token-based  obfuscation 
scheme  for  the  same  class  of  circuits. 

Corollary  1.6  (Informal).  Under  the  subexponential  LWE  assumption,  for  any  depth  function  d,  there  exists 
a  token-based  obfuscation  scheme  for  all  arithmetic  circuits  of  depth  d. 

It  is  worthwhile  to  compare  the  token-based  obfuscation  model  with  previous  work  addressing  obfuscation 
using  trusted-hardware  components  such  as  [GIS+10,  BCG+11].  In  these  schemes,  after  a  user  finishes 
executing  the  obfuscated  program  on  an  input,  the  user  needs  to  interact  with  the  trusted  hardware  to  obtain 
the  decryption  of  the  result;  in  comparison,  in  our  scheme,  the  user  needs  to  obtain  only  a  token  before  the 
computation  begins,  and  can  then  run  the  computation  and  obtain  the  decrypted  result  by  herself. 

1.1.3  Computing  on  Encrypted  Data  in  Input-Specific  Time 

All current FHE constructions work according to the following template. For a fixed input size, a program is
transformed into an arithmetic circuit; homomorphic evaluation happens gate by gate on this circuit. The
size of the circuit reflects the worst-case running time of the program: for example, every loop is unfolded
into the maximum number of steps corresponding to the worst-case input, and each function is called the
maximum number of times possible. Such a circuit can be potentially very large, despite the fact that there
could be many inputs on which the execution is short.

A fascinating open question has been whether it is possible to perform FHE following a Turing-machine-like
template: the computation time is input-specific and can terminate earlier depending on the input at hand.
Of course, to compute in input-specific time, the running time must unavoidably leak to the evaluator, but
such leakage is acceptable in certain applications and the efficiency gains can be significant; therefore, such a
scheme provides weaker security than fully homomorphic encryption (namely, nothing other than the running
time leaks about the input) in exchange for increased efficiency.

Using  our  functional  encryption  scheme,  we  show  how  to  achieve  this  goal.  The  idea  is  to  use  the  scheme 
to  test  when  an  encrypted  circuit  computation  has  terminated,  so  the  computation  can  stop  earlier  on  certain 
inputs.  We  overview  our  technique  in  Sec.  1.2. 

Because the ciphertexts in our functional encryption scheme grow with the depth of the circuits, such a
scheme is useful only for Turing machines that can be expressed as circuits of depth at most d(n) for inputs
of size n. We refer to such Turing machines as d-depth-bounded and define them in Sec. 6.

Theorem 1.7. There is a scheme for evaluating Turing machines on encrypted inputs in input-specific time
for any class of d-depth-bounded Turing machines, assuming the existence of a succinct single-key functional
encryption scheme for circuits of depth d,6 and a fully homomorphic encryption scheme for circuits of depth
d.

Corollary  1.8.  Under  the  subexponential  LWE  assumption,  for  any  depth  d,  there  is  a  scheme  for  evaluating 
Turing  machines  on  encrypted  data  in  input-specific  time  for  any  class  of  d-depth-bounded  Turing  machines. 

1.1.4  Publicly  Verifiable  Delegation  with  Secrecy 

Recently, Parno, Raykova and Vaikuntanathan [PRV12] showed how to construct a 2-message delegation
scheme that is publicly verifiable, in the preprocessing model, from any attribute-based encryption scheme.
This reduction can be combined with [GVW13]’s ABE scheme to achieve such a delegation scheme.

However, this scheme does not provide secrecy of the inputs: the prover can learn the inputs. By replacing
the ABE scheme in the construction of [PRV12] with our new functional encryption scheme, we add secrecy
to the scheme; namely, we obtain a delegation scheme which is both publicly verifiable as in [PRV12] (anyone
can verify that a transcript is accepting using only public information) and secret (the prover does not learn
anything about the input of the function being delegated).7 More specifically, we construct a 2-message
delegation scheme in the preprocessing model that is based on the subexponential LWE assumption, and is
for general depth-bounded circuits, where the verifier works in time that depends on the depth of the circuit
being delegated, but is independent of the size of the circuit, and the prover works in time dependent on the
size of the circuit.

1.2  Technique  Outline 

Our  functional  encryption  scheme.  We  first  describe  the  ideas  behind  our  main  technical  result:  a  reduction 
from  attribute-based  encryption  (ABE)  and  fully  homomorphic  encryption  (FHE)  to  functional  encryption 
(FE). 

6As  in  previous  applications,  we  need  to  assume  that  the  underlying  functional  encryption  scheme  is  fully  secure  (as  opposed  to 
only  selectively  secure). 

7We  note  that  secrecy  can  be  easily  obtained  by  using  an  FHE  scheme,  however,  this  destroys  public-verifiability. 
Compute on encrypted data with FHE. A natural starting point is FHE because it enables computation on
encrypted data, which is needed with functional encryption. Using FHE, the FE encryption of an input x
consists of an FHE encryption of x, denoted x̂, while the secret key for a function f is simply f itself. The
semantic security of FHE provides the desired security (and more) because nothing leaks about x; however,
using FHE evaluation, the evaluator obtains an encrypted computation result, the FHE encryption of f(x),
instead of the decrypted value f(x). Giving the evaluator the FHE decryption key is not an option because
the evaluator can use it to decrypt x as well.

Attempt to decrypt using a Yao garbled circuit. We would like the evaluator to decrypt the FHE ciphertext
of f(x), but not be able to decrypt anything else. An idea is for the owner to give the evaluator a Yao garbled
circuit for the FHE decryption function FHE.Dec with the FHE secret key hsk hardcoded in it, namely a
garbled circuit for FHE.Dec_hsk. When the owner garbles FHE.Dec_hsk, the owner also obtains a set of garbled
circuit labels {L^i_0, L^i_1}_i. The evaluator must only receive the input labels corresponding to the FHE
ciphertext of f(x): namely, the labels {L^i_{b_i}}_i where b_i is the i-th bit of that ciphertext. But this is
not possible because the owner does not know a priori the ciphertext of f(x), which is determined only after
the FHE evaluation; furthermore, after providing more than one set of labels (which happens when encrypting
another input x'), the security of the garbled circuit (and hence of the FHE secret key) is compromised. One
idea is to have the owner and the evaluator interact, but the syntax of functional encryption does not allow
interaction. Therefore, the evaluator needs to determine the set of labels corresponding to the ciphertext of
f(x) by herself, and should not obtain any other labels.

Constraining decryption using ABE. It turns out that what we need here is very close to what ABE
provides. Consider the following variant of ABE (called ABE2) that can be constructed easily from a standard
ABE scheme. One encrypts a value y together with two messages m_0, m_1 and obtains a ciphertext c ←
ABE2.Enc(y, m_0, m_1). Then, one generates a key for a predicate g: sk_g ← ABE2.KeyGen(g). The decryption
algorithm on input c and sk_g outputs m_0 if g(y) = 0 or outputs m_1 if g(y) = 1.

Now consider using ABE2 multiple times, once for every i ∈ {1, ..., size of the FHE ciphertext of f(x)}. For the
i-th invocation of ABE2.Enc, let m_0, m_1 be the garbled labels L^i_0, L^i_1, and let y be x̂: ABE2.Enc(x̂, L^i_0, L^i_1).
Next, for the i-th invocation of ABE2.KeyGen, let g be FHE.Eval^i_f (the predicate returning the i-th bit of the
evaluation of f on an input ciphertext): ABE2.KeyGen(FHE.Eval^i_f). Then, the evaluator can use ABE2.Dec
to obtain the needed label L^i_{b_i}, where b_i is the i-th bit of the FHE ciphertext of f(x). Armed with these
labels and the garbled circuit, the evaluator decrypts that ciphertext and obtains f(x).

The security of the ABE scheme ensures the evaluator cannot decrypt any other labels, so the evaluator
cannot learn more than f(x). Finally, note that the one-time aspect of garbled circuits does not restrict the
number of encryptions with our FE scheme because the encryption algorithm generates a new garbled circuit
every time; since the garbled circuit is for the FHE decryption algorithm (which is a fixed algorithm), the size
of the ciphertexts remains independent of the size of f.

We  now  explain  how  to  use  this  result  to  obtain  the  aforementioned  applications. 

From  FE  to  reusable  garbled  circuits.  The  goal  of  garbled  circuits  is  to  hide  the  input  and  the  circuit  C. 
Our  succinct  single-key  FE  already  provides  a  reusable  garbling  scheme  with  input  privacy  (the  single  key 
corresponds  to  the  circuit  to  garble).  To  obtain  circuit  privacy,  the  insight  is  to  leverage  the  secrecy  of  the 
inputs  to  hide  the  circuit.  The  first  idea  that  comes  to  mind  is  to  generate  a  key  for  the  universal  circuit  instead 
of  C,  and  include  C  in  the  ciphertext  when  encrypting  an  input.  However,  this  approach  will  yield  large 
ciphertexts,  as  large  as  the  circuit  size. 

Instead, the insight is to garble C by using a semantically secure encryption scheme E.Enc together with
our FE scheme: the garbling of C will be an FE secret key for a circuit U that contains E.Enc_sk(C); on
input (sk, x), U uses sk to decrypt C and then runs C on the input x. The token for an input x will be an FE
encryption of (sk, x). Now, even if the FE scheme does not hide E.Enc_sk(C), the security of the encryption
scheme E hides C.

Computing  on  encrypted  data  in  input-specific  time.  We  now  summarize  our  approach  to  evaluating  a 
Turing  machine  (TM)  M  homomorphically  over  encrypted  data  without  running  in  worst-case  time  on  all 
inputs.  Sec.  6  presents  the  scheme  formally. 

Our idea is to use our functional encryption scheme to enable the evaluator to determine at various
intermediary steps in the evaluation whether the computation finished or not. For each intermediary step, the
client provides a secret key for a function that returns a bit indicating whether the computation finished or not.
However, if the client provides a key for every computation step, then the number of keys corresponds to the
worst-case running time. Thus, instead, we choose intermediary points spaced at exponentially increasing
intervals. In this way, the client generates only a logarithmic number of keys, namely for functions indicating
if the computation finishes in 1, 2, 4, ..., 2^i, ..., 2^⌈log t_max⌉ steps, where t_max is the worst-case running time
of M on all inputs of a certain size.

Because of the single-key aspect of our FE scheme, the client cannot provide keys for an arbitrary number
of TMs to the evaluator. However, this does not mean that the evaluator can run only an a priori fixed
number of TMs on the encrypted data. The reason is that the client can provide keys for the universal TMs
U_0, ..., U_⌈log t_max⌉, where TM U_i is the TM that on input a TM M and a value x, runs M on x for 2^i steps
and outputs whether M finished.

Therefore, in an offline preprocessing phase, the client provides 1 + ⌈log t_max⌉ keys where the i-th key is
for a circuit corresponding to U_i, each key being generated with a different master secret key. The work of
the client in this phase is at least t_max which is costly, but this work happens only once and is amortized over
all subsequent inputs in the online phase.

In an online phase, the client receives an input x and wants the evaluator to compute M(x) for her. The
client provides FE encryptions of (M, x) to the evaluator together with an FHE ciphertext of (M, x)
to be used for a separate FHE evaluation. The evaluator tries each key sk_i from the preprocessing phase and
learns the smallest i for which the computation of M on x stops in 2^i steps. The evaluator then computes a
universal circuit of size O(2^i) and evaluates it homomorphically over the FHE ciphertext of (M, x), obtaining
the FHE encryption of M(x). Thus, we can see that the evaluator runs in time polynomial in the runtime of M on x.
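As an added illustration of the evaluator's doubling strategy just described (this is not code from the report), the following Python models the keys for U_0, U_1, ..., U_⌈log t_max⌉ as plain step-bounded runs of a toy machine. Nothing here is encrypted: the constructed Collatz-style program stands in for M, halts_within stands in for decrypting with the key sk_i, and the final budget of 2^i steps stands in for the universal circuit of size O(2^i). What it shows is the control flow and the resulting cost: the total work is a small constant times the true runtime of M on x, while only 1 + ⌈log t_max⌉ keys are ever generated.

```python
def collatz_program(x):
    """Constructed stand-in for a Turing machine M: yields one item per step,
    ('run', state) while working and ('halt', output) on the halting step."""
    n, count = x, 0
    while n != 1:
        n = n // 2 if n % 2 == 0 else 3 * n + 1
        count += 1
        yield ("run", n)
    yield ("halt", count)


def runtime(program, x):
    """Reference value: the true runtime t of M on x (steps up to and including the halt)."""
    for step, (tag, _) in enumerate(program(x), start=1):
        if tag == "halt":
            return step


def halts_within(program, x, bound):
    """Stand-in for decrypting with the key for U_i (bound = 2**i): does M halt on x
    within 'bound' steps?  Returns (halted, steps_simulated, output).
    The cost is up to 'bound' steps whether or not M halts, as for the circuit U_i."""
    gen = program(x)
    for step in range(1, bound + 1):
        tag, value = next(gen)
        if tag == "halt":
            return True, step, value
    return False, bound, None


def num_keys(t_max):
    """Keys generated in the offline phase: 1 + ceil(log2 t_max), one per U_i."""
    return 1 + (t_max - 1).bit_length()


def evaluate_input_specific(program, x, t_max):
    """Evaluator's online phase.  Tries the keys for U_0, U_1, ... in order and stops at the
    smallest i for which M halts within 2**i steps; then spends a further 2**i steps,
    modelling the homomorphic evaluation of the universal circuit of size O(2**i).
    Returns (output, i, total_steps_simulated)."""
    total = 0
    for i in range(num_keys(t_max)):
        bound = 2 ** i
        halted, used, output = halts_within(program, x, bound)
        total += used
        if halted:
            total += bound
            return output, i, total
    raise RuntimeError("M did not halt within t_max steps; t_max was chosen too small")


def work_is_bounded(program, x, t_max):
    """The cost argument behind the input-specific claim: with t the true runtime and
    2**(i-1) < t <= 2**i, the probes cost (2**i - 1) + t and the final evaluation 2**i,
    so the total stays below 5t regardless of how large t_max is."""
    _, _, total = evaluate_input_specific(program, x, t_max)
    return total < 5 * runtime(program, x)
```

For x = 27 the toy machine runs 112 steps, so the evaluator stops at i = 7 (2^7 = 128 ≥ 112) after 367 simulated steps, far below the worst-case budget of t_max = 256 keys' worth of work; for x = 1 it stops at i = 0.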

Publicly Verifiable Delegation with Secrecy. Delegation schemes aim to enable a weak verifier to delegate
computation of a function f on an input x to a prover who can then prove to the verifier that he computed the
function correctly. We now show that our single-key functional encryption scheme provides an improvement
to publicly verifiable delegation by adding secrecy. We present this improvement only informally, because we
prefer to focus on the other applications.

We now briefly recall the scheme of [PRV12] and then discuss how to modify it; we refer the reader
to Section 2.6 for formal definitions of ABE and FE. There are two phases in the delegation scheme: the
preprocessing phase when the verifier prepares the computation f, and an online phase repeating many times,
in which the verifier gives x to the prover who computes f(x) and proves the computation was correct.

In the preprocessing phase, the verifier generates two pairs of master secret and public keys (msk_1, mpk_1)
and (msk_2, mpk_2) for the underlying attribute-based encryption scheme. If f is the function to delegate,
the verifier uses msk_1 to generate a key for f denoted sk_f, and msk_2 to generate a key for the negation of
f, f̄(x) := 1 − f(x), denoted sk_f̄. The verifier then sends both (mpk_1, mpk_2) and (sk_f, sk_f̄) to the prover.
Generating sk_f and sk_f̄ takes time that is proportional to the size of the circuit computing f, and thus is a
costly operation. However, this is done only once in the preprocessing phase.

Whenever the verifier wants the prover to compute f on an input x, he chooses two random messages
m_1, m_2 and sends the prover the encryptions of (x, m_i) under the two keys: (Enc(mpk_1, x, m_1) and
Enc(mpk_2, x, m_2)). The properties of the attribute-based encryption scheme guarantee that, if f(x) = 1,
the prover obtains m_1 using sk_f and ⊥ using sk_f̄, so no information about m_2, and vice versa if f(x) = 0.
Therefore, the fact that the prover provides m_1 to the verifier is a proof that f(x) was 1.

Importantly,  this  delegation  scheme  can  be  made  to  have  the  desired  property  of  being  publicly  verifiable, 
meaning  that  the  verifier  can  produce  a  “verification  key”  with  which  anyone  can  check  the  prover’s  work. 
This  is  done  by  having  the  verifier  also  send  two  point  function  obfuscations,  one  of  the  point  mi  and  the 
other  of  the  point  m2. 

This  reduction  from  ABE  to  publicly  verifiable  delegation  can  be  combined  with  the  recent  result 
of  [GVW13]  providing  ABE  schemes  for  any  depth  circuit:  the  result  is  a  publicly  verifiable  2-message 
delegation  scheme  in  the  preprocessing  model  for  any  depth  d  circuit  with  verifier’s  work  being  proportional 
to  the  depth  d  and  the  prover’s  work  proportional  to  the  circuit  size. 

Note however, that this scheme is not secret because ABE does not hide the input x from the prover. It is
well known that x can be made secret by encrypting everything using a fully homomorphic encryption scheme.
However, this comes at the cost of losing the public verifiability property. Our idea is to replace the ABE
scheme with our functional encryption scheme in the protocol above; now the ciphertexts Enc(mpk_1, x, m_1)
and Enc(mpk_2, x, m_2) hide x and the scheme provides secrecy because the prover learns nothing about x
other than f(x). The public verifiability of the scheme remains the same.

We remark that we could provide a stronger version of secrecy by also hiding the result f(x) from the
prover; such stronger secrecy is non-standard for delegation, so we do not dwell on it. (The idea is for the
client to concatenate a random bit to each input x and have the function f output the opposite result when the
bit is set. In this way, the prover does not learn anything from seeing which ciphertext decrypts to non-⊥.)

2  Preliminaries 
2.1  Notation 

Let κ denote the security parameter throughout this paper. For a distribution D, we say x ← D when x is
sampled from the distribution D. If S is a finite set, by x ← S we mean x is sampled from the uniform
distribution over the set S. We use p(·) to denote that p is a function that takes one input. Similarly, p(·, ·)
denotes a function p that takes two inputs.

We say that a function f is negligible in an input parameter κ, if for all d > 0, there exists K such that
for all κ > K, f(κ) < κ^{−d}. For brevity, we write: for all sufficiently large κ, f(κ) = negl(κ). We say
that a function f is polynomial in an input parameter κ, if there exists a polynomial p such that for all κ,
f(κ) ≤ p(κ). We write f(κ) = poly(κ). A similar definition holds for polylog(κ).

Let [n] denote the set {1, ..., n} for n ∈ N*. When saying that a Turing machine A is p.p.t. we mean
that A is a non-uniform probabilistic polynomial-time machine.

In  this  paper,  we  only  work  with  arithmetic  circuits  over  GF(2).  These  circuits  have  two  types  of  gates:  + 
mod  2  and  x  mod  2.  Unless  the  context  specifies  otherwise,  we  consider  circuits  with  one  bit  of  output  (also 
called  boolean). 

Two ensembles, X = {X_κ}_{κ∈N} and Y = {Y_κ}_{κ∈N}, are said to be computationally indistinguishable
(and denoted {X_κ}_{κ∈N} ≈_c {Y_κ}_{κ∈N}) if for every probabilistic polynomial-time algorithm D,

|Pr[D(X_κ, 1^κ) = 1] − Pr[D(Y_κ, 1^κ) = 1]| = negl(κ).

In our security definitions, we will define probabilistic experiments and denote by random variables their
outputs. For example, Exp^real_{E,A}(1^κ) denotes the random variable representing the output of the real experiment
for scheme E with adversary A on security parameter κ. Moreover, {Exp^real_{E,A}(1^κ)}_{κ∈N} denotes the ensemble
of such random variables indexed by κ ∈ N.

Approved for Public Release; Distribution Unlimited.

2.2  Background  on  Learning  With  Errors  (LWE) 

The  security  of  our  results  will  be  based  on  the  Learning  with  Errors  (LWE)  assumption,  first  introduced 
by  Regev  [Reg05].  Regev  showed  that  solving  the  LWE  problem  on  average  is  (quantumly)  as  hard  as 
solving  the  approximate  version  of  several  standard  lattice  problems,  such  as  gapSVP  in  the  worst  case. 
Peikert  [Pei09]  later  removed  the  quantum  assumption  from  a  variant  of  this  reduction.  Given  this  connection, 
we  state  all  our  results  under  worst-case  lattice  assumptions,  and  in  particular,  under  (a  variant  of)  the  gapSVP 
assumption.  We  refer  the  reader  to  [Reg05,  Pei09]  for  details  about  the  worst-case/average-case  connection. 

The best known algorithms to solve these lattice problems with an approximation factor 2^{ℓ^ε} in ℓ-dimensional
lattices run in time 2^{Õ(ℓ^{1−ε})} [AKS01, MV10] for any constant 0 < ε < 1. Specifically, given the
current state-of-the-art on lattice algorithms, it is quite plausible that achieving approximation factors 2^{ℓ^ε} for
these lattice problems is hard for polynomial time algorithms.

Appendix  A  provides  more  detailed  background  information  on  LWE. 

2.3  Fully  Homomorphic  Encryption  (FHE) 

The notion of fully homomorphic encryption was first proposed by Rivest, Adleman and Dertouzos [RAD78]
in 1978. The first fully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in
2009 [Gen09]. A history and recent developments on fully homomorphic encryption are surveyed in [Vai11].
We recall the definitions and semantic security of fully homomorphic encryption; the definitions below are
based on [Vai11] with some adaptations.

Definition 2.1. A homomorphic (public-key) encryption scheme FHE is a quadruple of polynomial time
algorithms (FHE.KeyGen, FHE.Enc, FHE.Dec, FHE.Eval) as follows:

• FHE.KeyGen(1^κ) is a probabilistic algorithm that takes as input the security parameter 1^κ and outputs
a public key pk and a secret key sk.

• FHE.Enc(pk, x ∈ {0,1}) is a probabilistic algorithm that takes as input the public key pk and an input
bit x and outputs a ciphertext ψ.

• FHE.Dec(sk, ψ) is a deterministic algorithm that takes as input the secret key sk and a ciphertext ψ
and outputs a message x* ∈ {0,1}.

• FHE.Eval(pk, C, ψ_1, ψ_2, ..., ψ_n) is a deterministic algorithm that takes as input the public key pk,
some circuit C that takes n bits as input and outputs one bit, as well as n ciphertexts ψ_1, ..., ψ_n. It
outputs a ciphertext ψ_C.

Compactness: For all security parameters κ, there exists a polynomial p(·) such that for all input sizes n, for
all x_1 ... x_n, for all C, the output length of FHE.Eval is at most p(κ) bits long.

Definition 2.2 (C-homomorphism). Let C = {C_n}_{n∈N} be a class of boolean circuits, where C_n is a set of
boolean circuits taking n bits as input. A scheme FHE is C-homomorphic if for every polynomial n(·), for
every sufficiently large security parameter κ, for every circuit C ∈ C_n, and for every input bit sequence
x_1, ..., x_n, where n = n(κ),

Pr[(pk, sk) ← FHE.KeyGen(1^κ);
   ψ_i ← FHE.Enc(pk, x_i) for i = 1 ... n;
   ψ ← FHE.Eval(pk, C, ψ_1, ..., ψ_n) :
   FHE.Dec(sk, ψ) ≠ C(x_1, ..., x_n)] = negl(κ),

where the probability is over the coin tosses of FHE.KeyGen and FHE.Enc.

Definition 2.3 (Fully homomorphic encryption). A scheme FHE is fully homomorphic if it is homomorphic
for the class of all arithmetic circuits over GF(2).

Definition 2.4 (Leveled fully homomorphic encryption). A leveled fully homomorphic encryption scheme
is a homomorphic scheme where FHE.KeyGen receives an additional input 1^d and the resulting scheme is
homomorphic for all depth-d arithmetic circuits over GF(2).

Definition 2.5 (IND-CPA security). A scheme FHE is IND-CPA secure if for any p.p.t. adversary A,

|Pr[(pk, sk) ← FHE.KeyGen(1^κ) : A(pk, FHE.Enc(pk, 0)) = 1] −
 Pr[(pk, sk) ← FHE.KeyGen(1^κ) : A(pk, FHE.Enc(pk, 1)) = 1]| = negl(κ).

We  now  state  the  result  of  Brakerski,  Gentry  and  Vaikuntanathan  [BGV12]  that  shows  a  leveled  fully 
homomorphic  encryption  scheme  based  on  the  LWE  assumption: 

Theorem 2.1 ([BV11a, BGV12]). Assume that there is a constant 0 < ε < 1 such that for every sufficiently
large ℓ, the approximate shortest vector problem gapSVP in ℓ dimensions is hard to approximate to within
a 2^{ℓ^ε} factor in the worst case. Then, for every n and every polynomial d = d(n), there is an IND-CPA
secure d-leveled fully homomorphic encryption scheme where encrypting n bits produces ciphertexts of length
poly(n, κ, d^{1/ε}), the size of the circuit for homomorphic evaluation of a function f is size(C_f)·poly(n, κ, d^{1/ε})
and its depth is depth(C_f)·poly(log n, log d).

All known fully homomorphic encryption schemes (as opposed to merely leveled schemes) require an
additional assumption related to circular security of the associated encryption schemes. However, we do
not need to make such an assumption in this work because we only use a leveled homomorphic encryption
scheme in our constructions.

2.4  Background  on  Garbled  Circuits 

We will now define garbled circuits. Garbled circuits were first presented by Yao [Yao82] in the context
of secure two-party computation and were later proven secure by Lindell and Pinkas [LP09]. Very
recently, the notion has been formalized by Bellare et al. [BHR12]. For simplicity, we present more concise
definitions of garbled circuits than in [BHR12].

Definition 2.6 (Garbling scheme). A garbling scheme for a family of circuits C = {C_n}_{n∈N} with C_n a set
of boolean circuits taking as input n bits, is a tuple of p.p.t. algorithms Gb = (Gb.Garble, Gb.Enc, Gb.Eval)
such that

• Gb.Garble(1^κ, C) takes as input the security parameter κ and a circuit C ∈ C_n for some n, and outputs
the garbled circuit Γ and a secret key sk.

• Gb.Enc(sk, x) takes as input x ∈ {0,1}^* and outputs an encoding c.

• Gb.Eval(Γ, c) takes as input a garbled circuit Γ, an encoding c and outputs a value y which should be
C(x).

Correctness. For any polynomial n(·), for all sufficiently large security parameters κ, for n = n(κ), for
all circuits C ∈ C_n and all x ∈ {0,1}^n,

Pr[(Γ, sk) ← Gb.Garble(1^κ, C); c ← Gb.Enc(sk, x); y ← Gb.Eval(Γ, c) : C(x) = y] = 1 − negl(κ).

Efficiency. There exists a universal polynomial p = p(κ, n) (p is the same for all classes of circuits C)
such that for all input sizes n, security parameters κ, for all boolean circuits C with n bits of input, for all
x ∈ {0,1}^n,

Pr[(Γ, sk) ← Gb.Garble(1^κ, C) : |sk| ≤ p(κ, n) and runtime(Gb.Enc(sk, x)) ≤ p(κ, n)] = 1.

Note that since Gb.Enc is a p.p.t. algorithm, it suffices to ensure that |sk| ≤ p(κ, n) and obtain that
Gb.Enc’s runtime is also at most a polynomial. We prefer to keep the runtime of Gb.Enc in the definition as
well for clarity.

Remark 2.2 (Remark on the efficiency property). Intuitively, a garbling scheme is efficient if the time to
encode is shorter than the time to run the circuit. This requirement can be formalized in a few ways. A first
definition is as provided above in Def. 2.6. Another definition is to allow |sk| and the runtime of Gb.Enc to
also depend on the depth of the circuits in C, but require that it does not depend on their size.

Yao garbled circuits. The garbled circuits presented by Yao have a specific property of the encoding scheme
that is useful in various secure function evaluation protocols and in our construction as well. The secret key is
of the form sk = {L^i_0, L^i_1}^n_{i=1} and the encoding of an input x of n bits is of the form c = (L^1_{x_1}, ..., L^n_{x_n}),
where x_i is the i-th bit of x.
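To make the label structure concrete, here is an added toy Yao garbling scheme in Python with the Gb.Garble, Gb.Enc, Gb.Eval syntax of Definition 2.6; it is illustration code written for this page, not an implementation from the report or from any of the cited works. Each gate row is encrypted with a SHA-256-derived pad keyed by the two input labels, with an all-zero tag so the evaluator recognises the single row it can open (an assumption of this toy, standing in for the point-and-permute technique of real implementations), and MAJ3 is a constructed three-input majority circuit. The secret key is exactly the pair of labels per input wire, so its size depends on n and κ but not on the circuit, as the Efficiency property requires.

```python
import hashlib
import os
import random

KAPPA = 16                      # label length in bytes (the security parameter, in bytes)
TAG = bytes(KAPPA)              # all-zero redundancy appended to every row plaintext (toy assumption)
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}
_rng = random.SystemRandom()


def _pad(label_a, label_b, gate_id):
    """Row key for one gate: H(L_a || L_b || gate_id), truncated to a 2*KAPPA-byte pad."""
    h = hashlib.sha256(label_a + label_b + gate_id.to_bytes(4, "big")).digest()
    return h[: 2 * KAPPA]


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def garble(circuit, n_inputs):
    """Gb.Garble(1^kappa, C).  circuit is a list of (op, wire_u, wire_v); wires 0..n_inputs-1 are
    inputs, gate g defines wire n_inputs+g, and the last gate's wire is the output.
    Returns (Gamma, sk) where sk = {L^i_0, L^i_1}_{i=1..n} are the input-wire labels."""
    n_wires = n_inputs + len(circuit)
    labels = [(os.urandom(KAPPA), os.urandom(KAPPA)) for _ in range(n_wires)]
    tables = []
    for g, (op, u, v) in enumerate(circuit):
        out = n_inputs + g
        rows = []
        for a in (0, 1):
            for b in (0, 1):
                # row (a, b) encrypts the output label for op(a, b) under the two input labels
                plaintext = labels[out][OPS[op](a, b)] + TAG
                rows.append(_xor(plaintext, _pad(labels[u][a], labels[v][b], g)))
        _rng.shuffle(rows)      # hide which row belongs to which (a, b)
        tables.append((u, v, rows))
    out_wire = n_wires - 1
    decode = {labels[out_wire][0]: 0, labels[out_wire][1]: 1}
    gamma = {"n": n_inputs, "tables": tables, "decode": decode}
    return gamma, labels[:n_inputs]


def encode(sk, x):
    """Gb.Enc(sk, x): c = (L^1_{x_1}, ..., L^n_{x_n}), one label per input bit."""
    if len(x) != len(sk):
        raise ValueError("input length does not match the garbled circuit")
    return tuple(sk[i][bit] for i, bit in enumerate(x))


def evaluate(gamma, c):
    """Gb.Eval(Gamma, c): for each gate, open the single row whose tag checks, then decode."""
    wire = list(c)
    for g, (u, v, rows) in enumerate(gamma["tables"]):
        pad = _pad(wire[u], wire[v], g)
        opened = None
        for row in rows:
            plaintext = _xor(row, pad)
            if plaintext[KAPPA:] == TAG:
                opened = plaintext[:KAPPA]
                break
        if opened is None:
            raise ValueError("gate %d: no row opened; the encoding is malformed" % g)
        wire.append(opened)
    return gamma["decode"][wire[-1]]


def plain_eval(circuit, n_inputs, x):
    """C(x) in the clear, used only to check correctness."""
    wire = list(x)
    for op, u, v in circuit:
        wire.append(OPS[op](wire[u], wire[v]))
    return wire[-1]


# Constructed example: 3-input majority, maj = (x0 AND x1) OR ((x0 XOR x1) AND x2).
MAJ3 = [("AND", 0, 1), ("XOR", 0, 1), ("AND", 4, 2), ("OR", 3, 5)]


def check_correctness(circuit=MAJ3, n_inputs=3):
    """Correctness from Def. 2.6: a fresh garbling per input (one-time use), and
    Gb.Eval(Gamma, Gb.Enc(sk, x)) == C(x) for every x in {0,1}^n."""
    for bits in range(2 ** n_inputs):
        x = [(bits >> i) & 1 for i in range(n_inputs)]
        gamma, sk = garble(circuit, n_inputs)
        if evaluate(gamma, encode(sk, x)) != plain_eval(circuit, n_inputs, x):
            return False
    return True
```

Note that check_correctness garbles afresh for every input: this toy inherits the one-time property discussed next, so a single Γ must never be paired with two different encodings.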

Two  security  guarantees  are  of  interest:  input  privacy  (the  input  to  the  garbled  circuit  does  not  leak  to  the 
adversary),  and  circuit  privacy  (the  circuit  does  not  leak  to  the  adversary).  All  these  properties  hold  only  for 
one-time  evaluation  of  the  circuit:  the  adversary  can  receive  at  most  one  encoding  of  an  input  to  use  with  a 
garbled  circuit;  obtaining  more  than  one  encoding  breaks  these  security  guarantees. 

Bellare  et  al.  [BHR12]  also  present  a  third  property  which  they  call  authenticity;  informally,  this  requires 
that  an  adversary  should  not  be  able  to  come  up  with  a  different  result  of  the  garbled  circuit  that  could  be 
“de-garbled”  into  a  valid  value.  We  do  not  present  this  property  here  because  it  is  straightforward  to  show 
that  a  garbling  scheme  with  input  and  circuit  privacy  as  we  define  them  below  implies  a  different  garbling 
scheme  with  the  authenticity  property  and  we  would  need  to  provide  a  slightly  more  complicated  syntax  for 
the  definition  of  garbled  circuits  (with  an  additional  “de-garbling”  algorithm). 

We now present the one-time security of garbling circuits. The security definition for reusable garbled circuits will be presented later, in Sec. 4.

Definition 2.7 (Input and circuit privacy). A garbling scheme Gb for a family of circuits $\{\mathcal{C}_n\}_{n \in \mathbb{N}}$ is input and circuit private if there exists a p.p.t. simulator $\mathrm{Sim}_{\mathrm{Garble}}$ such that for every pair of p.p.t. adversaries $A$ and $D$, for all sufficiently large security parameters $\kappa$,

$$\Big|\Pr\big[(x, C, \alpha) \leftarrow A(1^\kappa);\ (\Gamma, sk) \leftarrow \mathrm{Gb.Garble}(1^\kappa, C);\ c \leftarrow \mathrm{Gb.Enc}(sk, x) : D(\alpha, x, C, \Gamma, c) = 1\big] - \Pr\big[(x, C, \alpha) \leftarrow A(1^\kappa);\ (\tilde{\Gamma}, \tilde{c}) \leftarrow \mathrm{Sim}_{\mathrm{Garble}}(1^\kappa, C(x), 1^{|C|}, 1^{|x|}) : D(\alpha, x, C, \tilde{\Gamma}, \tilde{c}) = 1\big]\Big| = \mathrm{negl}(\kappa),$$

where we consider only $A$ such that for some $n$, $x \in \{0,1\}^n$ and $C \in \mathcal{C}_n$.

Intuitively,  this  definition  says  that,  for  any  circuit  or  input  chosen  adversarially,  one  can  simulate  in 
polynomial  time  the  garbled  circuit  and  the  encoding  solely  based  on  the  computation  result  (and  relevant 
sizes).  The  variable  a  represents  any  state  that  A  may  want  to  convey  to  D. 

A  few  variants  of  Yao  garbling  schemes  exist  (for  example,  [BHR12])  that  provide  both  input  and  circuit 
privacy  under  the  basic  one-way  function  assumption.  Any  such  construction  is  suitable  for  our  scheme. 

Theorem 2.3 ([Yao82, LP09]). Assuming one-way functions exist, there exists a Yao (one-time) garbling scheme that is input- and circuit-private for all circuits over GF(2).


2.5  Attribute-Based  Encryption  (ABE) 

We now provide the definition of attribute-based encryption from the literature (e.g., [GPSW06, LOS+10, GVW13]).

Definition 2.8 (Attribute-Based Encryption). An attribute-based encryption scheme (ABE) for a class of predicates $\mathcal{P} = \{\mathcal{P}_n\}_{n \in \mathbb{N}}$ represented as boolean circuits with $n$ input bits and one output bit and an associated message space $\mathcal{M}$ is a tuple of algorithms (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec) as follows:


• ABE.Setup($1^\kappa$): Takes as input a security parameter $1^\kappa$ and outputs a public master key fmpk and a master secret key fmsk.

• ABE.KeyGen(fmsk, $P$): Given a master secret key fmsk and a predicate $P \in \mathcal{P}_n$, for some $n$, outputs a key $\mathrm{fsk}_P$ corresponding to $P$.

• ABE.Enc(fmpk, $x$, $M$): Takes as input the public key fmpk, an attribute $x \in \{0,1\}^n$, for some $n$, and a message $M \in \mathcal{M}$ and outputs a ciphertext $c$.

• ABE.Dec($\mathrm{fsk}_P$, $c$): Takes as input a secret key for a predicate and a ciphertext and outputs $M^* \in \mathcal{M}$.


Correctness. For any polynomial $n(\cdot)$, for every sufficiently large security parameter $\kappa$, if $n = n(\kappa)$, for all predicates $P \in \mathcal{P}_n$, attributes $x \in \{0,1\}^n$, and messages $M \in \mathcal{M}$:

$$\Pr\left[(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{ABE.Setup}(1^\kappa);\ \mathrm{fsk}_P \leftarrow \mathrm{ABE.KeyGen}(\mathrm{fmsk}, P);\ c \leftarrow \mathrm{ABE.Enc}(\mathrm{fmpk}, x, M) : \mathrm{ABE.Dec}(\mathrm{fsk}_P, c) = \begin{cases} M, & \text{if } P(x) = 1, \\ \bot, & \text{otherwise} \end{cases}\right] = 1 - \mathrm{negl}(\kappa).$$


The space $\{0,1\}^n$ is referred to as the attribute space (with an attribute size of $n$) and $\mathcal{M}$ is referred to as the message space.

Intuitively, the security of ABE is that $M$ is revealed only if $P(x) = 1$. Regarding the attribute $x$, ABE's security does not require any secrecy of the attribute, so $x$ may leak regardless of the value of $P(x)$. Many ABE schemes have been proven secure under indistinguishability-based definitions. Despite being weaker than simulation-based definitions, such definitions suffice for the security of our construction, so we present them here. Two notions of security have been used in previous work: full and selective security. Full security allows the adversary to provide the challenge ciphertext after seeing the public key, whereas in selective security, the adversary must provide the challenge ciphertext before seeing the public key. We present both the full-security and the selective-security definitions, because the ABE primitive we use [GVW13] achieves them with different parameters of the gapSVP assumption. We only provide the security definition for the case when the adversary can ask for a single key because this is all we need for our results.

Definition 2.9 (Attribute-based encryption security). Let ABE be an attribute-based encryption scheme for a class of predicates $\mathcal{P} = \{\mathcal{P}_n\}_{n \in \mathbb{N}}$ and an associated message space $\mathcal{M}$, and let $A = (A_1, A_2, A_3)$ be a triple of p.p.t. adversaries. Consider the following experiment.

$\mathrm{Exp}_{\mathrm{ABE},A}(1^\kappa)$:

1: $(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{ABE.Setup}(1^\kappa)$
2: $(P, \mathrm{state}_1) \leftarrow A_1(\mathrm{fmpk})$
3: $\mathrm{fsk}_P \leftarrow \mathrm{ABE.KeyGen}(\mathrm{fmsk}, P)$
4: $(M_0, M_1, x, \mathrm{state}_2) \leftarrow A_2(\mathrm{state}_1, \mathrm{fsk}_P)$
5: Choose a bit $b$ at random and let $c \leftarrow \mathrm{ABE.Enc}(\mathrm{fmpk}, x, M_b)$.
6: $b' \leftarrow A_3(\mathrm{state}_2, c)$. If $|M_0| = |M_1|$, $P(x) = 0$, and $b = b'$, output 1, else output 0.

We say that the scheme is a single-key fully-secure attribute-based encryption if for all p.p.t. adversaries $A$, and for all sufficiently large $\kappa$:

$$\Pr[\mathrm{Exp}_{\mathrm{ABE},A}(1^\kappa) = 1] \le 1/2 + \mathrm{negl}(\kappa).$$

We say that the scheme is single-key selectively secure if the same statement holds for a slightly modified game in which $A$ provides $x$ before receiving fmpk.

Attribute -based  encryption  schemes  have  been  constructed  for  the  class  of  Boolean  formulas  [GPSW06, 
LOS+10]  and  most  recently  for  the  class  of  all  polynomial-size  circuits:  Gorbunov,  Vaikuntanathan  and 
Wee  [GVW13]  based  on  the  subexponential  Learning  With  Errors  (LWE)  intractability  assumption,  and  Sahai 
and  Waters  [SW12]  based  on  the  k-Multilinear  Decisional  Diffie-Hellman  (see  [SW12]  for  more  details).  Our 
reduction  can  start  from  any  of  these  schemes,  but  in  this  paper,  we  choose  [GVW13]  because  it  is  based  on 
LWE,  which  is  a  more  standard  assumption  and  is  also  the  assumption  for  our  other  building  block,  FHE. 

Before we state the results of Gorbunov, Vaikuntanathan and Wee [GVW13], we will set up some notation. Let $d$ and $p$ be two univariate polynomials. Define $\mathcal{C}_{n,d(n),p(n)}$ to be the class of all boolean circuits on $n$ inputs of depth at most $d(n)$ and size at most $p(n)$. Let $\mathcal{C}_{n,d(n)} := \bigcup_{\text{polynomial } p} \mathcal{C}_{n,d(n),p(n)}$. An attribute-based encryption or functional encryption scheme that supports circuits in $\mathcal{C}_{n,d(n)}$ is called a $d$-leveled attribute-based encryption or functional encryption scheme, respectively. We also refer to an ABE or FE scheme as leveled if it is $d$-leveled for some $d$. We are now ready to state the theorem of [GVW13].

Theorem 2.4 ([GVW13]). Assume that there is a constant $0 < \epsilon < 1$ such that for every sufficiently large $\ell$, the approximate shortest vector problem gapSVP in $\ell$ dimensions is hard to approximate by a polynomial-time algorithm to within a $2^{O(\ell^\epsilon)}$ factor in the worst case. Then, for every $n$ and every polynomial $d = d(n)$, there is a selectively secure $d$-leveled attribute-based encryption scheme where encrypting $n$ bits produces ciphertexts of length $\mathrm{poly}(n, \kappa, d^{1/\epsilon})$.

Furthermore, assuming that gapSVP in $\ell$ dimensions is hard to approximate to within a $2^{O(\ell^\epsilon)}$ factor in time $2^{O(\ell^\epsilon)}$, the scheme is fully secure with ciphertexts of length $\mathrm{poly}(n, \kappa, d^{1/\epsilon})$.

In either case, the scheme is secure with polynomially many secret-key queries.


2.5.1  Two-Outcome  Attribute-Based  Encryption 

We use an attribute-based encryption scheme with a slightly modified definition. The setup and key generation algorithms are the same as in previous schemes. The difference is in the encryption and decryption algorithms: instead of encrypting one message $M$ in one ciphertext, we encrypt two messages $M_0$ and $M_1$ in the same ciphertext such that $M_0$ is revealed if the predicate evaluates to zero on the attribute, and $M_1$ is revealed if the predicate evaluates to one. Since there are two possible outcomes of the decryption algorithm, we call the modified scheme a two-outcome attribute-based encryption scheme. Such a variant of ABE has been used for other purposes by [PRV12].

Definition 2.10 (Two-Outcome Attribute-Based Encryption). A two-outcome attribute-based encryption scheme (ABE2) for a class of predicates $\mathcal{P} = \{\mathcal{P}_n\}_{n \in \mathbb{N}}$ represented as boolean circuits with $n$ input bits, and a message space $\mathcal{M}$ is a tuple of algorithms (ABE2.Setup, ABE2.KeyGen, ABE2.Enc, ABE2.Dec) as follows:

• ABE2.Setup($1^\kappa$): Takes as input a security parameter $1^\kappa$ and outputs a public master key fmpk and a master secret key fmsk.

• ABE2.KeyGen(fmsk, $P$): Given a master secret key fmsk and a predicate $P \in \mathcal{P}$, outputs a key $\mathrm{fsk}_P$ corresponding to $P$.

• ABE2.Enc(fmpk, $x$, $M_0$, $M_1$): Takes as input the public key fmpk, an attribute $x \in \{0,1\}^n$, for some $n$, and two messages $M_0, M_1 \in \mathcal{M}$ and outputs a ciphertext $c$.

• ABE2.Dec($\mathrm{fsk}_P$, $c$): Takes as input a secret key for a predicate and a ciphertext and outputs $M^* \in \mathcal{M}$.


Correctness. For any polynomial $n(\cdot)$, for every sufficiently large security parameter $\kappa$, if $n = n(\kappa)$, for all predicates $P \in \mathcal{P}_n$, attributes $x \in \{0,1\}^n$, messages $M_0, M_1 \in \mathcal{M}$:

$$\Pr\left[(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{ABE}_2.\mathrm{Setup}(1^\kappa);\ \mathrm{fsk}_P \leftarrow \mathrm{ABE}_2.\mathrm{KeyGen}(\mathrm{fmsk}, P);\ c \leftarrow \mathrm{ABE}_2.\mathrm{Enc}(\mathrm{fmpk}, x, M_0, M_1);\ M^* \leftarrow \mathrm{ABE}_2.\mathrm{Dec}(\mathrm{fsk}_P, c) : M^* = M_{P(x)}\right] = 1 - \mathrm{negl}(\kappa).$$


We now define the security for single-key two-outcome attribute-based encryption. Intuitively, the security definition requires that, using a token for a predicate $P$, an adversary can decrypt one of the two messages encrypted in $c$ based on the evaluation of $P$ on the attribute, but does not learn anything about the other message.


Definition 2.11 (Two-outcome attribute-based encryption security). Let ABE2 be a two-outcome attribute-based encryption scheme for the class of predicates $\mathcal{P} = \{\mathcal{P}_n\}_{n \in \mathbb{N}}$ and associated message space $\mathcal{M}$ and let $A = (A_1, A_2, A_3)$ be a triple of p.p.t. adversaries. Consider the following experiment.

$\mathrm{Exp}_{\mathrm{ABE}_2,A}(1^\kappa)$:

1: $(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{ABE}_2.\mathrm{Setup}(1^\kappa)$
2: $(P, \mathrm{state}_1) \leftarrow A_1(\mathrm{fmpk})$
3: $\mathrm{sk}_P \leftarrow \mathrm{ABE}_2.\mathrm{KeyGen}(\mathrm{fmsk}, P)$
4: $(M, M_0, M_1, x, \mathrm{state}_2) \leftarrow A_2(\mathrm{state}_1, \mathrm{sk}_P)$
5: Choose a bit $b$ at random. Then, let

$$c = \begin{cases} \mathrm{ABE}_2.\mathrm{Enc}(\mathrm{fmpk}, x, M, M_b), & \text{if } P(x) = 0, \\ \mathrm{ABE}_2.\mathrm{Enc}(\mathrm{fmpk}, x, M_b, M), & \text{otherwise.} \end{cases}$$

6: $b' \leftarrow A_3(\mathrm{state}_2, c)$. If $b = b'$ and, for some $n$, $P \in \mathcal{P}_n$, $M, M_0, M_1 \in \mathcal{M}$ with $|M_0| = |M_1|$, and $x \in \{0,1\}^n$, output 1, else output 0.

We say that the scheme is a fully-secure single-key two-outcome ABE if for all p.p.t. adversaries $A$, and for all sufficiently large security parameters $\kappa$:

$$\Pr[\mathrm{Exp}_{\mathrm{ABE}_2,A}(1^\kappa) = 1] \le 1/2 + \mathrm{negl}(\kappa).$$

The scheme is single-key selectively secure if $A$ needs to provide $x$ before receiving fmpk.

As  before,  we  need  only  a  single-key  ABE2  scheme  for  our  construction. 

A class of predicates $\{\mathcal{P}_n\}_n$ is closed under negation if for all input sizes $n$ and for all predicates $p \in \mathcal{P}_n$, we have $\bar{p} \in \mathcal{P}_n$; $\bar{p}$ is the negation of $p$, namely $\bar{p}(y) = 1 - p(y)$ for all $y$.

Claim  2.5.  Assuming  there  is  an  ABE  scheme  for  a  class  of  predicates  closed  under  negation,  there  exists  a 
two-outcome  ABE  scheme  for  the  same  class  of  predicates. 

The  proof  of  this  claim  is  immediate  and  we  present  it  in  Appendix  B,  for  completeness. 

2.6  Functional  Encryption  (FE) 

We  recall  the  functional  encryption  definition  from  the  literature  [KSW08,  BSW,  GVW12]  with  some 
notational  changes. 

Definition 2.12 (Functional Encryption). A functional encryption scheme FE for a class of functions $\mathcal{F} = \{\mathcal{F}_n\}_{n \in \mathbb{N}}$ represented as boolean circuits with an $n$-bit input, is a tuple of four p.p.t. algorithms (FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) such that:

• FE.Setup($1^\kappa$) takes as input the security parameter $1^\kappa$ and outputs a master public key fmpk and a master secret key fmsk.

• FE.KeyGen(fmsk, $f$) takes as input the master secret key fmsk and a function $f \in \mathcal{F}$ and outputs a key $\mathrm{fsk}_f$.

• FE.Enc(fmpk, $x$) takes as input the master public key fmpk and an input $x \in \{0,1\}^*$ and outputs a ciphertext $c$.

• FE.Dec($\mathrm{fsk}_f$, $c$) takes as input a key $\mathrm{fsk}_f$ and a ciphertext $c$ and outputs a value $y$.

Correctness. For any polynomial $n(\cdot)$, for every sufficiently large security parameter $\kappa$, for $n = n(\kappa)$, for all $f \in \mathcal{F}_n$, and all $x \in \{0,1\}^n$,

$$\Pr[(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{FE.Setup}(1^\kappa);\ \mathrm{fsk}_f \leftarrow \mathrm{FE.KeyGen}(\mathrm{fmsk}, f);\ c \leftarrow \mathrm{FE.Enc}(\mathrm{fmpk}, x) : \mathrm{FE.Dec}(\mathrm{fsk}_f, c) = f(x)] = 1 - \mathrm{negl}(\kappa).$$

2.6.1  Security  of  Functional  Encryption 

Intuitively,  the  security  of  functional  encryption  requires  that  an  adversary  should  not  learn  anything  about 
the  input  x  other  than  the  computation  result  C(x),  for  some  circuit  C  for  which  a  key  was  issued  (the 
adversary  can  learn  the  circuit  C).  As  mentioned,  two  notions  of  security  have  been  used  in  previous  work: 
full  and  selective  security,  with  the  same  meaning  as  for  ABE.  We  present  both  definitions  because  we  achieve 
them  with  different  parameters  of  the  gapSVP  assumption.  Our  definitions  are  simulation-based:  the  security 
definition  states  that  whatever  information  an  adversary  is  able  to  learn  from  the  ciphertext  and  the  function 
keys  can  be  simulated  given  only  the  function  keys  and  the  output  of  the  function  on  the  inputs. 

Definition 2.13 (FULL-SIM-Security). Let FE be a functional encryption scheme for the family of functions $\mathcal{F} = \{\mathcal{F}_n\}_{n \in \mathbb{N}}$. For every p.p.t. adversary $A = (A_1, A_2)$ and p.p.t. simulator $S$, consider the following two experiments:

$\mathrm{Exp}^{\mathrm{real}}_{\mathrm{FE},A}(1^\kappa)$:

1: $(\mathrm{fmpk}, \mathrm{fmsk}) \leftarrow \mathrm{FE.Setup}(1^\kappa)$
2: $(f, \mathrm{state}_A) \leftarrow A_1(\mathrm{fmpk})$
3: $\mathrm{fsk}_f \leftarrow \mathrm{FE.KeyGen}(\mathrm{fmsk}, f)$
4: $(x, \mathrm{state}'_A) \leftarrow A_2(\mathrm{state}_A, \mathrm{fsk}_f)$
5: $c \leftarrow \mathrm{FE.Enc}(\mathrm{fmpk}, x)$
6: Output $(\mathrm{state}'_A, c)$

$\mathrm{Exp}^{\mathrm{ideal}}_{\mathrm{FE},A,S}(1^\kappa)$:

1 to 4: as in the real experiment
5: $\tilde{c} \leftarrow S(\mathrm{fmpk}, \mathrm{fsk}_f, f, f(x), 1^{|x|})$
6: Output $(\mathrm{state}'_A, \tilde{c})$

The scheme is said to be (single-key) FULL-SIM-secure if there exists a p.p.t. simulator $S$ such that for all pairs of p.p.t. adversaries $(A_1, A_2)$, the outcomes of the two experiments are computationally indistinguishable:

$$\Big\{\mathrm{Exp}^{\mathrm{real}}_{\mathrm{FE},A}(1^\kappa)\Big\}_{\kappa \in \mathbb{N}} \approx \Big\{\mathrm{Exp}^{\mathrm{ideal}}_{\mathrm{FE},A,S}(1^\kappa)\Big\}_{\kappa \in \mathbb{N}}.$$

We  now  define  selective  security,  which  is  a  weakening  of  full  security,  by  requiring  the  adversary  to 
provide  the  challenge  input  x  before  seeing  the  public  key  or  any  other  information  besides  the  security 
parameter.  We  simply  specify  the  difference  from  full  security. 

Definition 2.14 (SEL-SIM-Security). The same as Def. 2.13, but modify the game so that the first step consists of $A$ specifying the challenge input $x$ given only the security parameter.

It is easy to see that the full simulation definition (FULL-SIM-security) implies the selective definition (SEL-SIM-security).

The literature [BSW, AGVW12] has considered another classification for simulation-based definitions: adaptive versus non-adaptive security. In the adaptive case, the adversary is allowed to ask for a function $f$ after seeing the ciphertext $c$ for an input $x$. In the non-adaptive case, the adversary must first provide $f$ and only then ask for encryptions of inputs $x$. Our definition falls in the non-adaptive category. Boneh et al. [BSW] have shown that adaptive simulation-based security is unachievable even for single-key functional encryption for the simple functionality of identity-based encryption. As such, the adaptive definition appears too strong and is unachievable for general functionalities, so we use non-adaptive security.

Remark 2.6. Attribute-based encryption can be viewed as functional encryption for a specific class of functionalities, where the additional information leaked is part of the output to the function. Namely, consider a class of functions $\mathcal{F}$ whose plaintext space consists of pairs of values from $\{0,1\}^n \times \mathcal{M}$, where $\{0,1\}^n$ is the attribute space (with an attribute size of $n$) and $\mathcal{M}$ is the message space. The class of functions for ABE is more specific: there exists an associated predicate class $\mathcal{P} = \{\mathcal{P}_n\}_{n \in \mathbb{N}}$ to $\mathcal{F}$ such that for every $n$, for every $f \in \mathcal{F}_n$, there is an associated predicate $P \in \mathcal{P}_n$ to $f$ such that

$$f(x, M) = \begin{cases} (x, M), & \text{if } P(x) = 1, \\ (x, \bot), & \text{otherwise.} \end{cases}$$

Since the attribute $x$ is in the output of the function no matter what $P$ is, $x$ leaks from the scheme no matter what ($x$ is public). Therefore, this functionality leads to weaker security guarantees than functional encryption in a conceptual way: the value to be computed on, $x$, leaks with ABE (whereas the value $M$ on which $P$ does not compute remains secret when $P(x) = 0$), whereas the input $x$ to the computation is hidden with FE.


3  Our  Functional  Encryption  Scheme 

In  this  section,  we  present  our  main  result:  the  construction  of  a  functional  encryption  scheme  FE.  We  refer 
the  reader  to  the  introduction  (Sec.  1.2)  for  an  overview  of  our  approach,  and  we  proceed  directly  with  the 
construction  here. 

We use three building blocks in our construction: a (leveled) fully homomorphic encryption scheme FHE, a (leveled) two-outcome attribute-based encryption scheme ABE2, and a Yao garbling scheme Gb.

We let $\mathrm{FHE.Eval}_f(\mathrm{hpk}, \psi)$ denote the circuit that performs homomorphic evaluation of the function $f$ on the vector of ciphertexts $\psi := (\psi_1, \ldots, \psi_n)$ using the public key hpk, and we will let $\mathrm{FHE.Eval}^i_f(\mathrm{hpk}, \psi)$ denote the predicate that computes the $i$-th output bit of $\mathrm{FHE.Eval}_f(\mathrm{hpk}, \psi)$. Namely,

$$\mathrm{FHE.Eval}_f(\mathrm{hpk}, \psi) = \big(\mathrm{FHE.Eval}^1_f(\mathrm{hpk}, \psi), \ldots, \mathrm{FHE.Eval}^\lambda_f(\mathrm{hpk}, \psi)\big),$$

where $\lambda = \lambda(\kappa) = |\mathrm{FHE.Eval}_f(\mathrm{hpk}, \psi)|$. Our main theorem then says:

Theorem 3.1. There is a (fully/selectively secure) single-key functional encryption scheme FE = (FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) for any class of circuits $\mathcal{C}$ that take $n$ bits of input and produce a one-bit output, assuming the existence of the following primitives:

• an IND-CPA-secure $\mathcal{C}$-homomorphic encryption scheme FHE = (FHE.KeyGen, FHE.Enc, FHE.Eval, FHE.Dec);

• a (fully/selectively secure) single-key attribute-based encryption scheme ABE = (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec) for the class of predicates $\mathcal{P} = \mathcal{P}_{\mathcal{C},\mathrm{FHE}}$ where

$$\mathcal{P}_{\mathcal{C},\mathrm{FHE}} = \{\mathrm{FHE.Eval}^i_C,\ 1 - \mathrm{FHE.Eval}^i_C : C \in \mathcal{C} \text{ and } i \in \{1, \ldots, \lambda\}\};\ \text{and}$$




•  a  Yao  garbling  scheme  Gb  =  (Gb. Garble,  Gb.Enc,  Gb.Eval)  that  is  input-  and  circuit-private. 

The succinctness property of the functional encryption scheme is summarized as follows: the size of the ciphertexts $\mathrm{ctsize}_{\mathrm{FE}}(n)$ in the resulting scheme for $n$ bits of input is

$$2 \cdot \mathrm{ctsize}_{\mathrm{FHE}} \cdot \big[\mathrm{ctsize}_{\mathrm{ABE}}(n \cdot \mathrm{ctsize}_{\mathrm{FHE}} + \mathrm{pksize}_{\mathrm{FHE}})\big] + \mathrm{poly}(\kappa, \mathrm{ctsize}_{\mathrm{FHE}}, \mathrm{sksize}_{\mathrm{FHE}}),$$

where $\mathrm{ctsize}_{\mathrm{ABE}}(k)$ denotes the size of the ciphertexts in the attribute-based encryption scheme for a $k$-bit attribute and a $\mathrm{poly}(\kappa)$-bit message, $\mathrm{ctsize}_{\mathrm{FHE}}$ denotes the size of the ciphertexts in the fully homomorphic encryption scheme for a single-bit message and $\mathrm{pksize}_{\mathrm{FHE}}$ (resp. $\mathrm{sksize}_{\mathrm{FHE}}$) denotes the size of the public key (resp. secret key) in the fully homomorphic encryption scheme.

Since garbling schemes can be constructed from one-way functions, our theorem says that we can move from attribute-based encryption, in which the part of the input that the function computes on leaks, to a functional encryption scheme, in which no part of the input leaks, using fully homomorphic encryption and Yao garbled circuits.

We can see that if the ciphertext size in the ABE scheme and the fully homomorphic encryption scheme does not depend on the circuit size (and thus, those schemes are by themselves succinct), then neither will the resulting ciphertexts of the FE scheme depend on the circuit size; namely, the reduction does not blow up the ciphertexts and is "succinctness-preserving". We know of both a leveled FHE scheme and a leveled ABE scheme ([GVW13]) with ciphertext lengths independent of the size of the circuits to evaluate; the ciphertext size in these schemes just depends on the depth of the circuits.

We  note  that  fully  homomorphic  encryption  schemes  with  succinct  ciphertexts  that  are  also  independent 
of  depth  are  known,  albeit  under  the  stronger  assumption  of  circular  security  of  the  underlying  schemes.  Thus, 
if  the  result  of  [GVW13]  can  be  improved  to  remove  the  depth  dependency  of  the  ciphertexts  in  the  ABE 
scheme,  one  automatically  obtains  a  corresponding  result  for  ABE  using  our  reduction. 

Our  theorem  needs  the  ABE  scheme  to  be  secure  only  with  a  single  key,  even  though  the  recent 
constructions  [GVW13]  and  [SW12]  can  tolerate  an  arbitrary  number  of  keys. 

Our  main  theorem  is  thus  a  reduction,  which  has  a  number  of  useful  corollaries.  The  first  and  perhaps 
the  most  important  one  shows  how  to  combine  the  leveled  fully  homomorphic  encryption  scheme  from 
[BV  11a,  BGV12]  with  the  recent  construction  of  a  leveled  attribute-based  encryption  scheme  from  [GVW13] 
to  obtain  a  leveled  functional  encryption  scheme  based  solely  on  the  hardness  of  LWE.  In  other  words,  the 
corollary  says  that  for  every  depth  d,  there  is  a  functional  encryption  scheme  for  the  class  of  all  Boolean 
circuits  of  (arbitrary)  polynomial  size  and  depth  at  most  d.  The  size  of  the  ciphertexts  in  the  scheme  grows 
with  d,  and  is  of  course  independent  of  the  size  of  the  circuits  it  supports. 

Let $d$ and $p$ be polynomial functions. Define $\mathcal{C}_{n,d(n),p(n)}$ to be the class of all Boolean circuits on $n$ inputs of depth at most $d(n)$ and size at most $p(n)$. Let $\mathcal{C}_{n,d(n)} := \bigcup_{\text{polynomial } p} \mathcal{C}_{n,d(n),p(n)}$.

Corollary 3.2 (The LWE Instantiation). We have the following two constructions of functional encryption based on the worst-case hardness of lattice problems:

• Assume that there is a constant $0 < \epsilon < 1$ such that for every sufficiently large $\ell$, the approximate shortest vector problem gapSVP in $\ell$ dimensions is hard to approximate to within a $2^{O(\ell^\epsilon)}$ factor (in polynomial time) in the worst case. Then, for every $n$ and every polynomial $d = d(n)$, there is a selectively-secure (succinct single-key) functional encryption scheme for the class $\mathcal{C}_{n,d(n)}$ where encrypting $n$ bits produces ciphertexts of length $\mathrm{poly}(n, \kappa, d^{1/\epsilon})$.




• Assume that there is a constant $0 < \epsilon < 1$ such that for every sufficiently large $\ell$, the approximate shortest vector problem gapSVP in $\ell$ dimensions is hard to approximate to within a $2^{O(\ell^\epsilon)}$ factor in time $2^{O(\ell^\epsilon)}$ in the worst case. Then, for every $n$ and every polynomial $d = d(n)$, there is a fully-secure (succinct single-key) functional encryption scheme for the class $\mathcal{C}_{n,d(n)}$ where encrypting $n$ bits produces ciphertexts of length $\mathrm{poly}(n^{1/\epsilon}, \kappa, d^{1/\epsilon})$.

The corollary follows directly from Theorem 3.1, by invoking the leveled fully homomorphic encryption scheme of [BV11a] (see Theorem 2.1) and the leveled attribute-based encryption scheme of [GVW13] (see Theorem 2.4). The concrete constructions and proofs in fact go through the learning with errors (LWE) problem; we refer to [BV11a, GVW13] for the concrete setting of parameters.

Letting universal attribute-based encryption or functional encryption denote a single attribute-based encryption or functional encryption scheme, respectively, that supports the class of all polynomial-size circuits, we have the following corollary:

Corollary  3.3  (Universal  Functional  Encryption).  Assuming  that  fully  homomorphic  encryption  schemes  exist 
and  universal  single-key  attribute-based  encryption  schemes  exist,  there  is  a  universal  single-key  functional 
encryption  scheme. 

Of  the  two  prerequisites  mentioned  above,  we  know  that  fully  homomorphic  encryption  schemes  exist 
(albeit  under  stronger  assumptions  than  merely  LWE).  Thus,  the  corollary  provides  a  way  to  immediately 
translate  any  universal  attribute -based  encryption  scheme  into  a  functional  encryption  scheme.  We  point  out 
that  universal  functional  encryption  schemes,  by  definition,  have  succinct  ciphertexts. 

A recent result of Gorbunov, Vaikuntanathan and Wee [GVW12] shows how to generically convert single-key functional encryption schemes into $q$-keys functional encryption schemes for any bounded $q$, where the latter provide security against an attacker that can obtain secret keys of up to $q$ functions of her choice. The size of the ciphertexts in the $q$-keys scheme grows polynomially with $q$.

Corollary 3.4 (Many queries, using [GVW12]). For every $q = q(n)$, there is a (fully/selectively-secure) $q$-keys succinct functional encryption scheme for any class of circuits $\mathcal{C}$ that take $n$ bits of input and produce a one-bit output, assuming the existence of primitives as in Theorem 3.1. The size of the ciphertexts $\mathrm{ctsize}_{\mathrm{FE}}(n)$ in the resulting scheme is $q$ times as large as in Theorem 3.1.

Finally, a functional encryption scheme for circuits that output multiple bits can be constructed by thinking of the circuit as many circuits each with one-bit output, and modifying the key generation procedure to produce keys for each of them. This gives us the following corollary, although we remark that more efficient methods of achieving this directly are possible using homomorphic encryption schemes that pack multiple bits into a single ciphertext [SV11, BGV12, GHS12a].

Corollary 3.5 (Many queries, many output bits). For every $q = q(n)$ and $k = k(n)$, there is a (fully/selectively secure) $q$-keys functional encryption scheme for any class of circuits $\mathcal{C}$ that take $n$ bits of input and produce $k$ bits of output, assuming the existence of primitives as in Theorem 3.1. The size of the ciphertexts $\mathrm{ctsize}_{\mathrm{FE}}(n)$ in the resulting scheme is $qk$ times as large as in Theorem 3.1.

Remark 3.6 (On the necessity of single-key security). We note that even though the work of [GVW13] provides an attribute-based scheme that is secure even if the adversary obtains secret keys for polynomially many functions, our theorem gives us only a single-key secure scheme. Indeed, this is inherent by the impossibility result of [AGVW12] if we ask for (even a very weak notion of) simulation security, as we do here. Corollary 3.4 gives us a way to get (simulation-)security with $q$ queries for any a priori bounded $q$, albeit at the expense of the ciphertext growing as a function of $q$.
Remark 3.7 (On composing our functional encryption scheme). One might wonder if chaining is possible with our FE scheme. Namely, one could try to generate keys for a function $f$ that computes another function $f_1$ on an input $x$ and then outputs $f_1(x)$ together with a new encryption of $x$ under a different public key for the FE scheme. The new encryption of $x$ could be used to compute a second function $f_2(x)$ and an encryption of $x$ under yet another public key. This chain could potentially repeat and its benefit is that it allows us to compute multiple functions on $x$ (and overcome the single-key property). However, this approach allows only a very small number of iterations because, in order to produce one bit of output from FE.Dec, the ciphertexts output by FE.Enc are polynomial in $n$. To obtain an FE ciphertext as result of FE.Dec, one needs to have started with ciphertexts of size quadratic in the first polynomial. If we want to chain the scheme $q$ times, the original ciphertext must have been exponential in $q$.

3.1  Construction 

For  simplicity,  we  construct  FE  for  functions  outputting  one  bit;  functions  with  larger  outputs  can  be  handled 
by  repeating  our  scheme  below  for  every  output  bit. 

From Claim 2.5, the existence of a secure single-key ABE scheme implies the existence of a two-outcome single-key ABE scheme, which we denote ABE2. Let $\lambda = \lambda(\kappa)$ be the length of the ciphertexts in the FHE scheme (both from encryption and evaluation). The construction of FE = (FE.Setup, FE.KeyGen, FE.Enc, FE.Dec) proceeds as follows.

Setup FE.Setup($1^\kappa$): Run the setup algorithm for the two-outcome ABE scheme $\lambda$ times:

$(\mathrm{fmpk}_i, \mathrm{fmsk}_i) \leftarrow \mathrm{ABE}_2.\mathrm{Setup}(1^\kappa)$ for $i \in [\lambda]$.

Output as master public key and secret key:

$\mathrm{MPK} = (\mathrm{fmpk}_1, \ldots, \mathrm{fmpk}_\lambda)$ and $\mathrm{MSK} = (\mathrm{fmsk}_1, \ldots, \mathrm{fmsk}_\lambda)$.


Key Generation FE.KeyGen(MSK, $f$): Let $n$ be the number of bits in the input to the circuit $f$. If hpk is an FHE public key and $\psi_1, \ldots, \psi_n$ are FHE ciphertexts, recall that $\mathrm{FHE.Eval}^i_f(\mathrm{hpk}, \psi_1, \ldots, \psi_n)$ is the $i$-th bit of the homomorphic evaluation of $f$ on $\psi_1, \ldots, \psi_n$ ($\mathrm{FHE.Eval}(\mathrm{hpk}, f, \psi_1, \ldots, \psi_n)$), where $i \in [\lambda]$. Thus, $\mathrm{FHE.Eval}^i_f : \{0,1\}^{|\mathrm{hpk}|} \times \{0,1\}^{n\lambda} \to \{0,1\}$.

1. Run the key generation algorithm of ABE2 for the functions $\mathrm{FHE.Eval}^i_f$ (under the different master secret keys) to construct secret keys:

$\mathrm{fsk}_i \leftarrow \mathrm{ABE}_2.\mathrm{KeyGen}(\mathrm{fmsk}_i, \mathrm{FHE.Eval}^i_f)$ for $i \in [\lambda]$.

2. Output the tuple $\mathrm{fsk}_f := (\mathrm{fsk}_1, \ldots, \mathrm{fsk}_\lambda)$ as the secret key for the function $f$.

Encryption  FE.Enc(MPK,  x):  Let  n  be  the  number  of  bits  of  x,  namely  x  =  x\  . . .  Encryption  proceeds 
in  three  steps. 

1.  Generate  a  fresh  key  pair  (hpk,  hsk)  •<—  FHE.KeyGen(lK)  for  the  (leveled)  fully  homomorphic 
encryption  scheme.  Encrypt  each  bit  of  x  homomorphic  ally:  fi  <—  FHE.Encfhpk,  x,).  Let  fi  := 
(ip  1, . . . ,  ipn)  be  the  encryption  of  the  input  x. 
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2.  Run  the  Yao  garbled  circuit  generation  algorithm  to  produce  a  garbled  circuit  for  the  FHE  decryption 
algorithm  FHE.Dec(hsk,  •)  :  {0, 1}A  — >  {0, 1}  together  with  2A  labels  L\  for  i  G  [A]  and  b  G  {0, 1}. 
Namely, 

(r,  {Ll  L\ F-  Gb.Garble(lK,  FHE.Dec(hsk,  •)), 

where  T  is  the  garbled  circuit  and  the  lJ‘  are  the  input  labels. 

3.  Produce  encryptions  ci, . . . ,  c\  using  the  ABE2  scheme: 

Ci  F-  ABE2.Enc  (fmpk.t,  (hpk,  ip),  L°,  L})  for  i  G  [A], 
where  (hpk,  ip)  comes  from  the  first  step,  and  the  labels  ( iJj .  L\)  come  from  the  second  step. 

4.  Output  the  ciphertext  c  =  (ci, . . . ,  c\,  T). 

Decryption  FE.Dec(fsky,  c): 

1.  Run  the  ABE2  decryption  algorithm  on  the  ciphertexts  c\,  .  .  .  ,  c\  to  recover  the  labels  for  the  garbled 
circuit.  In  particular,  let 

Ldf  f-  ABE2.Dec(fski,  cf)  for  i  G  [A], 
where  di  is  equal  to  FHE.Evalj(hpk,  ip). 

2.  Now,  armed  with  the  garbled  circuit  F  and  the  labels  Ld' ,  run  the  garbled  circuit  evaluation  algorithm 
to  compute 

Gb.Eval(r,  Ldl , . . . ,  L'jp)  =  FHE.Dec(hsk,  did2  •  •  •  d\)  =  f(x). 
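The garbling step (Step 2 of FE.Enc) and the label-driven evaluation (Steps 1 and 2 of FE.Dec) are the part of the construction that is easiest to make concrete. Below is an added example, not code from the original report: a minimal Yao-style Gb.Garble/Gb.Eval for boolean circuits in Python, with a three-input majority circuit standing in for FHE.Dec(hsk, ·), which is not implemented here; FHE and ABE2 are likewise absent, so select_labels plays the role of ABE2.Dec handing the evaluator exactly one label L_i^{d_i} per input wire.

```python
"""Minimal Yao garbling: Gb.Garble produces a garbled circuit plus two labels
per wire; Gb.Eval, given one label per input wire, learns only the output bit.
Added illustration; the majority circuit is a constructed stand-in for
FHE.Dec(hsk, .) and the gate-table cipher is SHA-256 used as a PRF."""
import hashlib
import secrets

LABEL_LEN = 16      # bytes per wire label
TAG = bytes(16)     # all-zero tag: the evaluator recognises the row that opens

# A circuit is (n_inputs, gates, output_wire); wires 0..n_inputs-1 are inputs.
# Each gate is (op, in_a, in_b, out), listed in topological order.
OPS = {"AND": lambda a, b: a & b, "XOR": lambda a, b: a ^ b, "OR": lambda a, b: a | b}


def _pad(label_a, label_b, gate_id):
    """PRF keyed by the two input labels: a one-time pad for one table row."""
    return hashlib.sha256(label_a + label_b + gate_id.to_bytes(4, "big")).digest()


def _xor(x, y):
    return bytes(u ^ v for u, v in zip(x, y))


def garble(circuit):
    """Gb.Garble: returns (Gamma, labels) with labels[w] = (L_w^0, L_w^1).
    Gamma holds the shuffled gate tables and the decoding map of the output wire."""
    n_inputs, gates, out_wire = circuit
    n_wires = max([n_inputs - 1] + [g[3] for g in gates]) + 1
    labels = [(secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
              for _ in range(n_wires)]
    rng = secrets.SystemRandom()
    tables = []
    for gid, (op, a, b, out) in enumerate(gates):
        rows = []
        for bit_a in (0, 1):
            for bit_b in (0, 1):
                out_bit = OPS[op](bit_a, bit_b)
                pad = _pad(labels[a][bit_a], labels[b][bit_b], gid)
                # Row = Enc_{L_a^{bit_a}, L_b^{bit_b}}(L_out^{out_bit} || TAG)
                rows.append(_xor(pad, labels[out][out_bit] + TAG))
        rng.shuffle(rows)   # hide which row corresponds to which input pair
        tables.append(rows)
    decode = {labels[out_wire][0]: 0, labels[out_wire][1]: 1}
    return (n_inputs, gates, out_wire, tables, decode), labels


def select_labels(labels, bits):
    """What ABE2.Dec releases in FE.Dec Step 1: one label L_i^{d_i} per wire."""
    return [labels[i][d] for i, d in enumerate(bits)]


def evaluate(gamma, input_labels):
    """Gb.Eval: for each gate exactly one row decrypts to a label with a valid
    tag.  Raises if no row opens, e.g. when a label is not one of the pair."""
    n_inputs, gates, out_wire, tables, decode = gamma
    if len(input_labels) != n_inputs:
        raise ValueError("one label per input wire is required")
    wire = dict(enumerate(input_labels))
    for gid, (_op, a, b, out) in enumerate(gates):
        pad = _pad(wire[a], wire[b], gid)
        for row in tables[gid]:
            plain = _xor(pad, row)
            if plain[LABEL_LEN:] == TAG:
                wire[out] = plain[:LABEL_LEN]
                break
        else:
            raise ValueError(f"gate {gid}: no table row opened (bad input label)")
    return decode[wire[out_wire]]


# Constructed stand-in for FHE.Dec(hsk, .): majority of three input bits.
MAJ3 = (3, [("AND", 0, 1, 3), ("AND", 1, 2, 4), ("AND", 0, 2, 5),
            ("OR", 3, 4, 6), ("OR", 6, 5, 7)], 7)


def plain_eval(circuit, bits):
    """Reference evaluation in the clear, for comparison."""
    _n, gates, out_wire = circuit
    wire = dict(enumerate(bits))
    for op, a, b, out in gates:
        wire[out] = OPS[op](wire[a], wire[b])
    return wire[out_wire]


def demo(bits):
    """Garble once, hand over only L_i^{d_i}, evaluate: (garbled, plain)."""
    gamma, labels = garble(MAJ3)
    return evaluate(gamma, select_labels(labels, bits)), plain_eval(MAJ3, bits)


def rejects_forged_label():
    """A label outside the pair for wire 0 opens no row, so evaluation fails
    loudly instead of yielding a bit; returns True when that happens."""
    gamma, labels = garble(MAJ3)
    forged = [secrets.token_bytes(LABEL_LEN)] + select_labels(labels, [0, 1, 1])[1:]
    try:
        evaluate(gamma, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo([1, 1, 0]), rejects_forged_label())
```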


3.2 Proof

We now proceed to prove Theorem 3.1 by proving that the theorem holds for our construction above.

Proof of Theorem 3.1. We first argue correctness.

Claim 3.8. The above scheme is a correct functional encryption scheme (Def. 2.12).

Proof. Let us examine the values we obtain in FE.Dec(fsk_f, c_1, ..., c_λ, Γ). In Step (1), by the correctness of the ABE2 scheme used, d_i is the i-th bit of FHE.Eval_f(hpk, ψ).

Therefore, the inputs to the garbled circuit Γ in Step (2) are the labels corresponding to FHE.Eval_f(hpk, ψ). By the correctness of the FHE scheme, decrypting FHE.Eval_f(hpk, ψ) results in f(x). Finally, by the correctness of the garbling scheme, the FHE ciphertext gets decrypted correctly, yielding f(x) as the output of FE.Dec. □

We now prove the succinctness property, which follows directly from our construction. The output of FE.Enc consists of λ ABE2 ciphertexts and a garbled circuit. First, λ equals ctsize_FHE. Second, each ABE2 ciphertext consists of two ABE ciphertexts generated by ABE.Enc on input n · ctsize_FHE + pksize_FHE bits. The labels of the garbled circuit are poly(κ) in size. Third, the garbled circuit is the output of Gb.Garble, so its size is polynomial in the size of the input circuit, which in turn is polynomial in sksize_FHE and ctsize_FHE. Therefore, overall, we obtain a ciphertext of size

    2 · ctsize_FHE · ctsize_ABE(n · ctsize_FHE + pksize_FHE) + poly(κ, sksize_FHE, ctsize_FHE).

We can thus see that if FHE and ABE produce ciphertexts independent of the circuit size, then so will our functional encryption scheme.

We focus on the full security case: namely, assuming ABE2 is fully secure, we show that the resulting FE scheme is fully secure. We then discuss the proof for the selective case.

For full security, we construct a p.p.t. simulator S that achieves Def. 2.13. S receives as input (MPK, fsk_f, f, f(x), 1^n) and must output c̃ such that the real and ideal experiments in Def. 2.13 are computationally indistinguishable. Intuitively, S runs a modified version of FE.Enc to mask the fact that it does not know x.

Simulator S on input (MPK, fsk_f, f, f(x), 1^n):

1. Choose a key pair (hpk, hsk) ← FHE.KeyGen(1^κ) for the homomorphic encryption scheme (where S can derive the security parameter κ from the sizes of the inputs it gets). Encrypt 0^n (n zero bits) with FHE by encrypting each bit individually and denote the ciphertext 0̃ := (0̃_1 ← FHE.Enc(hpk, 0), ..., 0̃_n ← FHE.Enc(hpk, 0)).

2. Let Sim_Garble be the simulator for the Yao garbling scheme (described in Def. 2.7) for the class of circuits corresponding to FHE.Dec(hsk, ·). Run Sim_Garble to produce a simulated garbled circuit Γ̃ for the FHE decryption algorithm FHE.Dec(hsk, ·) : {0,1}^λ → {0,1} together with the simulated encoding consisting of one set of λ labels L̃_i for i = 1 ... λ. Namely,

    (Γ̃, {L̃_i}_{i=1}^λ) ← Sim_Garble(1^κ, f(x), 1^{|FHE.Dec(hsk, ·)|}).

The simulator S can invoke Sim_Garble because it knows f(x), and can compute the size of the FHE.Dec(hsk, ·) circuit, and λ, from the sizes of the input parameters.

3. Produce encryptions c̃_1, ..., c̃_λ under the ABE2 scheme in the following way. Let

    c̃_i ← ABE2.Enc(fmpk_i, (hpk, 0̃), L̃_i, L̃_i),

where S uses each simulated label L̃_i twice.

4. Output c̃ = (c̃_1, ..., c̃_λ, Γ̃).

To prove indistinguishability of the real and ideal experiments (Def. 2.13), we define a sequence of hybrid experiments, and then invoke the security definitions of the underlying schemes (FHE, garbled circuit, and ABE2, respectively) to show that the outcomes of the hybrid experiments are computationally indistinguishable.

Hybrid 0 is the output of the ideal experiment from Def. 2.13 for our FE construction with simulator S. We denote it Exp^{(0)}_{FE,A} (= Exp^{ideal}_{FE,A,S}).

Hybrid 1 (Exp^{(1)}_{FE,A}) is the same as Hybrid 0, except that the simulated ciphertext for Hybrid 1 (which we denote c̃^{(1)}) changes. Let c̃^{(1)} be the ciphertext obtained by running the algorithm of S, except that in Step (3), encrypt x instead of 0̃, namely:

    c̃_i^{(1)} ← ABE2.Enc(fmpk_i, (hpk, ψ), L̃_i, L̃_i),

where ψ ← (FHE.Enc(hpk, x_1), ..., FHE.Enc(hpk, x_n)). Let

    c̃^{(1)} = (c̃_1^{(1)}, ..., c̃_λ^{(1)}, Γ̃).

Hybrid 2 (Exp^{(2)}_{FE,A}) is the same as Hybrid 1, except that in Step (2), the ciphertext contains a real garbled circuit

    (Γ, {L_i^0, L_i^1}_{i=1}^λ) ← Gb.Garble(1^κ, FHE.Dec(hsk, ·)).

Let d_i = FHE.Eval_f^i(hpk, ψ). In Step (3), include L_i^{d_i} twice in the ABE encryption; namely:

    c̃_i^{(2)} ← ABE2.Enc(fmpk_i, (hpk, ψ), L_i^{d_i}, L_i^{d_i})

and

    c̃^{(2)} = (c̃_1^{(2)}, ..., c̃_λ^{(2)}, Γ).

Hybrid 3 (Exp^{(3)}_{FE,A}) is the output of the real experiment from Def. 2.13 for our FE construction.

We prove each pair of consecutive hybrids to be computationally indistinguishable in the following three lemmas: Lemmas 3.9, 3.10, and 3.11.


Lemma 3.9. Assuming FHE is IND-CPA-secure, Hybrid 0 and Hybrid 1 are computationally indistinguishable.

Proof. We proceed by contradiction. We assume that there exist p.p.t. adversaries A = (A_1, A_2) and a p.p.t. distinguisher D such that D (with A) can distinguish between Hybrid 0 and Hybrid 1 above. Namely, there exists a polynomial p(·) such that, for infinitely many κ,

    |Pr[D(Exp^{(0)}_{FE,A}(1^κ)) = 1] − Pr[D(Exp^{(1)}_{FE,A}(1^κ)) = 1]| ≥ 1/p(κ).   (1)

We construct a p.p.t. adversary R = (R_1, R_2) that can break the semantic security of FHE. Adversary R_1 outputs an n-bit value x for some n, and adversary R_2 receives as input either a homomorphic encryption of x or of 0^n, and it will distinguish between these two. Distinguishing successfully implies that there is an adversary that can distinguish successfully in Def. 2.5, by a standard hybrid argument.

To determine x, adversary R_1 works as follows:

1. Run Exp^{ideal}_{FE,A,S}(1^κ) (Def. 2.13) from Step (1) to Step (4) and let x be the output of A_2 in Step (4).

2. Output x.

To distinguish between an encryption of x or of 0^n, adversary R_2 receives as input hpk*, the FHE public key, and an encryption E* of x or 0^n, and works as follows:

1. Run a modified algorithm of S by using hpk* instead of generating fresh FHE keys and using E* instead of encrypting 0^n. Namely:

(a) Generate (Γ̃, {L̃_i}_{i=1}^λ) as in Step (2) of S.

(b) Output c* = (c*_1, ..., c*_λ) for c*_i = ABE2.Enc(fmpk_i, (hpk*, E*), L̃_i, L̃_i).

2. Feed (c*, Γ̃) to D and output the decision of D.

Notice that if E* is an encryption of 0^n, R_2 simulates Hybrid 0 perfectly; when E* is an encryption of x, R_2 simulates Hybrid 1 perfectly. Therefore, D must have a probability of distinguishing between the two cases of at least 1/p(κ) (Eq. (1)); moreover, whenever D distinguishes correctly, R also outputs the correct decision. Therefore:

    |Pr[x ← R_1(1^κ); (hsk*, hpk*) ← FHE.KeyGen(1^κ) : R_2(hpk*, FHE.Enc(hpk*, x)) = 1]
     − Pr[(hsk*, hpk*) ← FHE.KeyGen(1^κ) : R_2(hpk*, FHE.Enc(hpk*, 0^n)) = 1]|
    = |Pr[D(Exp^{(0)}_{FE,A}(1^κ)) = 1] − Pr[D(Exp^{(1)}_{FE,A}(1^κ)) = 1]| ≥ 1/p(κ),

which contradicts the IND-CPA security of the FHE scheme. □

Lemma 3.10. Assuming the garbled circuit is circuit- and input-private (Def. 2.7), Hybrid 1 and Hybrid 2 are computationally indistinguishable.

Proof. We proceed by contradiction. Assume there exist p.p.t. adversaries A = (A_1, A_2) and a p.p.t. distinguisher D such that D (with A) can distinguish Hybrid 1 and Hybrid 2 above. Namely, there exists a polynomial p such that, for infinitely many κ,

    |Pr[D(Exp^{(1)}_{FE,A}(1^κ)) = 1] − Pr[D(Exp^{(2)}_{FE,A}(1^κ)) = 1]| ≥ 1/p(κ).   (2)

We construct a stateful p.p.t. adversary R = (R.A, R.D) that can break the security of the garbling scheme from Def. 2.7. The adversary R.A has to provide a circuit G and an input I, and then R.D needs to distinguish between the simulated and the real garbled circuits and input encodings.

The adversary R.A computes I and G as follows.

1. Run Steps (1)-(4) from Def. 2.13, which are the same in Hybrid 1 and Hybrid 2, and obtain f from A_1 and x from A_2.

2. Generate (hsk, hpk) ← FHE.KeyGen(1^κ) and let ψ ← FHE.Enc(hpk, x).

3. Output G(·) := FHE.Dec(hsk, ·) and I := FHE.Eval_f(hpk, ψ) and the following state for R.D: σ = (ψ, {fmpk_i}, hpk).

The adversary R.D receives as input a garbled circuit Γ* and a set of labels, one for each i: {L*_i}_{i=1}^λ. These could be outputs of either Sim_Garble or of Gb.Garble/Gb.Enc, and R.D decides which of the two they are an output of as follows:

1. Compute c* = ({ABE2.Enc(fmpk_i, (hpk, ψ), L*_i, L*_i)}_{i=1}^λ, Γ*).

2. Run D on c* and output what D outputs.

Notice that if (Γ*, {L*_i}_{i=1}^λ) are outputs of Sim_Garble, R simulates Hybrid 1 perfectly; when (Γ*, {L*_i}_{i=1}^λ) are outputs of the real garbling scheme, R simulates Hybrid 2 perfectly. Therefore, the probability that D distinguishes between the two cases is at least 1/p(κ) (Eq. (2)); moreover, whenever D distinguishes correctly, R also outputs the correct decision. Therefore:

    |Pr[(G, I) ← R.A(1^κ) : R.D(Γ̃, {L̃_i}_{i=1}^λ) = 1] − Pr[(G, I) ← R.A(1^κ) : R.D(Γ, {L_i}_{i=1}^λ) = 1]|
    = |Pr[D(Exp^{(1)}_{FE,A}(1^κ)) = 1] − Pr[D(Exp^{(2)}_{FE,A}(1^κ)) = 1]| ≥ 1/p(κ),

where (Γ̃, {L̃_i}_{i=1}^λ) are outputs of Sim_Garble and (Γ, {L_i}_{i=1}^λ) are outputs of Gb.Garble/Gb.Enc. This relation contradicts the security of the garbling scheme, Def. 2.7. □
Lemma 3.11. Assuming the underlying ABE2 scheme is fully secure, Hybrid 2 and Hybrid 3 in the fully secure setting above are computationally indistinguishable.

Proof. In Hybrid 2 and Hybrid 3, there are λ ABE2 encryptions, each with a pair of independent ABE2 keys. First, we would like to prove that if Hybrid 2 and Hybrid 3 are computationally indistinguishable with only one of these encryptions, then they are computationally indistinguishable with λ encryptions. This would enable us to focus on only one ABE2 ciphertext for the proof.

The argument proceeds in a standard way with a set of sub-hybrids, one for each index i = 0 ... λ. The argument is straightforward because c_i and c_j (for i ≠ j) use independently generated keys and the values encrypted with these keys are known to R. Hence, we present the hybrid argument briefly. Sub-hybrid 0 corresponds to Hybrid 2 and sub-hybrid λ corresponds to Hybrid 3. Sub-hybrid i has the first i ciphertexts as in Hybrid 2 and the rest λ − i as in Hybrid 3.

If an adversary A can distinguish between sub-hybrids i − 1 and i, for some i, then it can distinguish Hybrid 2 and Hybrid 3 for only one pair of ciphertexts (c_i^{(2)}, c_i^{(3)}); the reason is that we can build an adversary B: B places the challenge ciphertext in slot i of the challenge to A and produces the ciphertexts for all other slots j ≠ i with the correct distribution; B can do so because these ciphertexts are encrypted with fresh ABE2 keys and B has all the information it needs to generate them correctly.

Now we are left to prove that Hybrid 2 and Hybrid 3 are indistinguishable when there is only one ciphertext, say the ℓ-th ciphertext. Namely, we need to prove that:

    {(state_A, c_ℓ^{(2)}) ← Exp^{(2)}_{FE,A}(1^κ)} ≈ {(state_A, c_ℓ^{(3)}) ← Exp^{(3)}_{FE,A}(1^κ)}.   (3)

We prove this statement by contradiction. Assume there exist p.p.t. adversaries A = (A_1, A_2) and a distinguisher D that can distinguish the distributions in (3); namely, there exists a polynomial p(·) such that, for infinitely many κ,

    |Pr[D(Exp^{(2)}_{FE,A}(1^κ)) = 1] − Pr[D(Exp^{(3)}_{FE,A}(1^κ)) = 1]| ≥ 1/p(κ).   (4)

We construct a p.p.t. adversary R = (R_1, R_2, R_3) that breaks the security of ABE2 from Def. 2.11. R_1, R_2 and R_3 send state to each other as in Def. 2.11, but for simplicity we will not denote this explicitly. R aims to guess b in this definition.

Intuition. A and D can distinguish between Hybrid 2 and Hybrid 3. The only difference between these hybrids is that c_ℓ contains an encryption of (L_ℓ^{d_ℓ}, L_ℓ^{d_ℓ}) versus (L_ℓ^{d_ℓ}, L_ℓ^{1−d_ℓ}). However, the ABE2 scheme does not decrypt L_ℓ^{1−d_ℓ}, by the definition of d_ℓ, so its security hides the value of L_ℓ^{1−d_ℓ}. Since A and D can distinguish between these hybrids, they must be breaking the security of ABE2. Therefore, R will use L_ℓ^{d_ℓ} and L_ℓ^{1−d_ℓ} as part of its answers to C and then use D to distinguish its challenge.

Specifically, the adversary R_1 receives as input fmpk* in Step 2 of Def. 2.11 and computes P as follows:

1. Interact with adversary A_1 by running Steps (1)-(2) from Def. 2.13 as follows.

(a) Let fmpk_ℓ := fmpk*. Generate the rest of the ABE2 keys using the ABE2.Setup algorithm: (fmpk_i, fmsk_i) ← ABE2.Setup(1^κ) for i ≠ ℓ.

(b) Receive f from A_1 and output P := FHE.Eval_f^ℓ.

Adversary R_2 receives sk_P in Step 4 of Def. 2.11 and computes M, M_0, M_1, x_c as follows:

1. Continue the interaction with A_2. To provide fsk_f, compute fsk_i ← ABE2.KeyGen(fmsk_i, FHE.Eval_f^i) for i ≠ ℓ, and let fsk_ℓ := sk_P.

2. Receive x from A_2.

3. Run the real garbled circuit generation as in Hybrids 2 and 3. Let L_i^{d_i} be defined as in Hybrid 2. Provide

    M := L_ℓ^{d_ℓ}, M_0 := L_ℓ^{d_ℓ} and M_1 := L_ℓ^{1−d_ℓ}.

4. Let x_c := (hpk, ψ) where ψ ← (FHE.Enc(hpk, x_1), ..., FHE.Enc(hpk, x_n)), the bitwise FHE encryption of x.

5. Output (M, M_0, M_1, x_c).

Adversary R_3 receives as input a challenge ciphertext c* and decides if it corresponds to M_0 or to M_1 as follows:

1. Let c_ℓ := c* and provide (state_A, c_ℓ) to D.

2. Output D's guess.

In order for D to distinguish (as in Eq. (4)), the input distribution to A must be the one from Hybrid 2 or 3. We can see that this is the case: if b = 0, R simulates Hybrid 2 perfectly, and if b = 1, R simulates Hybrid 3 perfectly. Moreover, whenever D distinguishes correctly, R also outputs the correct decision. Therefore, by a simple calculation, we can see that

    Pr[Exp_{ABE2,R}(1^κ) = 1] ≥ 1/2 + 1/(2p(κ)),

which contradicts the security of the ABE2 scheme, Def. 2.11. □
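The "simple calculation" behind the final inequality of the proof of Lemma 3.11, written out (added here, not in the original; it assumes, without loss of generality, that D's guess is oriented so that the difference in Eq. (4) is positive, since otherwise R_3 can flip D's output):

```latex
\Pr[\mathrm{Exp}_{ABE2,R}(1^\kappa) = 1]
 = \Pr[R_3 \text{ outputs } b]
 = \tfrac12 \Pr[D = 0 \mid b = 0] + \tfrac12 \Pr[D = 1 \mid b = 1] \\
 = \tfrac12 \bigl(1 - \Pr[D(\mathrm{Exp}^{(2)}_{FE,A}(1^\kappa)) = 1]\bigr)
   + \tfrac12 \Pr[D(\mathrm{Exp}^{(3)}_{FE,A}(1^\kappa)) = 1] \\
 = \tfrac12 + \tfrac12 \bigl(\Pr[D(\mathrm{Exp}^{(3)}_{FE,A}(1^\kappa)) = 1]
   - \Pr[D(\mathrm{Exp}^{(2)}_{FE,A}(1^\kappa)) = 1]\bigr)
 \;\ge\; \tfrac12 + \tfrac{1}{2p(\kappa)},
```

where the second line uses that b = 0 gives D exactly the Hybrid 2 distribution and b = 1 exactly the Hybrid 3 distribution.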

Returning to the proof of our theorem, by transitivity of computational indistinguishability, we have shown that Hybrid 0 (the ideal experiment) is indistinguishable from Hybrid 3 (the real experiment), thus concluding our proof.

Selective security. The proof for the selective case follows similarly. The simulator S and the four hybrids are the same. Lemmas 3.9 and 3.10 proceed similarly, except that R now interacts with A as in the selective FE definition, Def. 2.14, rather than Def. 2.13. The argument of Lemma 3.11 is the same, except that the order of some operations changes. This lemma makes the resulting FE scheme selective if one starts from a selective ABE2 scheme. □

4 Reusable Garbled Circuits

In this section, we show how to construct garbled circuits that can be reused; namely, a garbled circuit that can run on an arbitrary number of encoded inputs without compromising the privacy of the circuit or of the input. For this goal, we build on top of our functional encryption scheme.

The syntax and correctness of reusable garbling schemes remain the same as for one-time garbling schemes (Def. 2.6). In Sec. 2.4, we provided the one-time security definition for circuit and input privacy, Def. 2.7. We begin by defining security for more than one-time usage.

Definition 4.1 (Input and circuit privacy with reusability). Let RGb be a garbling scheme for a family of circuits C = {C_n}_{n∈ℕ}. For a pair of p.p.t. algorithms A = (A_1, A_2) and a p.p.t. simulator S = (S_1, S_2), consider the following two experiments:

Exp^{real}_{RGb,A}(1^κ):
1: (C, state_A) ← A_1(1^κ)
2: (gsk, Γ) ← RGb.Garble(1^κ, C)
3: α ← A_2^{RGb.Enc(gsk, ·)}(C, Γ, state_A)
4: Output α

Exp^{ideal}_{RGb,A,S}(1^κ):
1: (C, state_A) ← A_1(1^κ)
2: (Γ̃, state_S) ← S_1(1^κ, 1^{|C|})
3: α ← A_2^{O(·, C)[[state_S]]}(C, Γ̃, state_A)
4: Output α

In the above, O(·, C)[[state_S]] is an oracle that, on input x from A_2, runs S_2 with inputs C(x), 1^{|x|}, and the latest state of S; it returns the output of S_2 (storing the new simulator state for the next invocation).

We say that the garbling scheme RGb is input- and circuit-private with reusability if there exists a p.p.t. simulator S such that for all pairs of p.p.t. adversaries A = (A_1, A_2), the following two distributions are computationally indistinguishable:

    {Exp^{real}_{RGb,A}(1^κ)}_{κ∈ℕ} ≈ {Exp^{ideal}_{RGb,A,S}(1^κ)}_{κ∈ℕ}.

We can see that this security definition enables reusability of the garbled circuit: A_2 is allowed to make as many queries for input encodings as it wants.

From now on, by reusable garbling scheme, we will implicitly refer to a garbling scheme that has input and circuit privacy with reusability as in the definition above, Def. 4.1.

Remark 4.1. We can provide an alternate syntax for a reusable garbling scheme, and we can also construct a scheme with this syntax (and a similar security definition) from our functional encryption scheme. This syntax has an additional setup algorithm (separate from the garble algorithm) that produces the secret key necessary for encoding and for circuit garbling; such a syntax would allow the garbled circuit to be generated after the encodings.

Remark 4.2. We do not provide a definition of authenticity because it is a straightforward extension of our scheme and is already achieved by [GVW13]. We focus on circuit and input privacy, which have not been achieved by previous work.

Recall the class of circuits C_{n,d(n)} defined for Corollary 3.2.

Theorem 4.3. There exists a polynomial p such that for every depth d = d(n), a function of the input size n, there is a reusable garbling scheme for any class of boolean circuits {C_{n,d}}_{n∈ℕ}, assuming there is a fully secure single-key functional encryption scheme for any class of boolean circuits {C_{n,p(d)}}_{n∈ℕ}.

Corollary 4.4 (The LWE Instantiation). For every integer n ∈ ℕ and polynomial function d = d(n), there is a reusable garbling scheme for the class C_{n,d(n)} under the following assumption: there is a constant 0 < ε < 1 such that for every sufficiently large ℓ, the approximate shortest vector problem gapSVP in ℓ dimensions is hard to approximate to within a 2^{O(ℓ^ε)} factor in time 2^{O(ℓ^ε)} in the worst case.

The proof of this corollary follows from Theorem 4.3 when instantiating the functional encryption scheme with the one from Corollary 3.2.

Denote by universal reusable garbling scheme a reusable garbling scheme for the class of all polynomial-sized circuits. Then, the following corollary follows directly from Theorem 4.3:

Corollary 4.5 (Universal reusable garbled circuits). If there is a universal single-key fully secure functional encryption scheme, there is a universal reusable garbling scheme.

Notice that our functional encryption tool (FE) already gives reusable garbled circuits with input privacy but no circuit privacy: the garbling of C is FE.KeyGen(fmsk, C), whereas the encoding of the input x is FE.Enc(fmpk, x). The fact that our scheme is single-key does not pose a limitation because the single key corresponds to the circuit to garble (and any input encoding need only work with one garbled circuit). Since the single key for one function works with an arbitrary number of encrypted inputs, the resulting garbled circuit is reusable.

However, the problem is that FE does not hide the circuit C, which is a required property of garbling schemes. The insight in achieving circuit privacy is to use the input-hiding property of the FE scheme to hide the circuit as well. The first idea that comes to mind is to hide C by including it in the ciphertext together with the input x. Specifically, instead of providing a key for circuit C, the encryptor runs FE.KeyGen on a universal circuit U that on input (C, x) computes C(x). Notice that U can be public because it carries no information about C other than its size. Now the encryption of x consists of an encryption of (C, x) using FE.Enc. In this way, we can see that the resulting garbled circuit satisfies the correctness property. Moreover, for security, FE hides the input (C, x), so it would hide the circuit C as well.

Nevertheless, this approach is not useful because the encoding is as large as the circuit C (in particular, RGb.Enc no longer satisfies the efficiency property in Def. 2.6). Moreover, in this case, the standard one-time garbling schemes would be enough because one could produce a fresh garbled circuit with each ciphertext.

To overcome this problem, the idea is to provide, together with the ciphertext of x, the ability to decrypt C rather than the entire description of C. Specifically, let E be the encryption of the circuit C with a semantically secure symmetric encryption scheme under a secret key sk. The garbling of C consists of running the key generation FE.KeyGen on a circuit U_E that includes E and works as follows. On input (x, sk), the circuit U_E decrypts E to obtain C, and outputs the result of running C on x. Even though FE.KeyGen(fmsk, U_E) does not hide U_E, the description of U_E does not leak C because C is encrypted. An encoding by RGb.Enc of x thus consists of running the encryption algorithm FE.Enc on (x, sk).

4.1 Construction

We construct a reusable garbling scheme RGb = (RGb.Garble, RGb.Enc, RGb.Eval) as follows. Let E = (E.KeyGen, E.Enc, E.Dec) be a semantically secure symmetric-key encryption scheme.

Garbling RGb.Garble(1^κ, C):

1. Generate FE keys (fmpk, fmsk) ← FE.Setup(1^κ) and a secret key sk ← E.KeyGen(1^κ).

2. Let E := E.Enc(sk, C).

3. Define U_E to be the following universal circuit:

    U_E takes as input a secret key sk and a value x:
    (a) Compute C := E.Dec(sk, E).
    (b) Run C on x.

4. Let Γ ← FE.KeyGen(fmsk, U_E) be the reusable garbled circuit.

5. Output gsk := (fmpk, sk) as the secret key and Γ as the garbling of C.

Encoding RGb.Enc(gsk, x): Compute c_x ← FE.Enc(fmpk, (sk, x)) and output c_x.

Evaluation RGb.Eval(Γ, c_x): Compute and output FE.Dec(Γ, c_x).

The existence of a semantically secure encryption scheme does not introduce new assumptions because the FE scheme itself is a semantically secure encryption scheme if no key (computed by FE.KeyGen) is ever provided to an adversary.

Tightness of the scheme. The astute reader may have observed that the resulting scheme requires that the encodings be generated in the secret-key setting because the encoding of x includes sk. It turns out that generating encodings privately is in fact necessary; if the encodings were publicly generated, the power of the adversary would be the same as in traditional obfuscation, which was shown impossible [BGI+01, GK05] (see discussion in Sec. 1.1.2).

One might wonder, though, whether a reusable garbling scheme exists where the encoding generation is secret key, but RGb.Garble is public key. We prove in Sec. 4.3 that this is also not possible, based on the impossibility result of [AGVW12]; hence, with regard to public versus private key, our reusable garbling result is tight.

4.2 Proof

Proof of Theorem 4.3. We first argue that the scheme satisfies the correctness and efficiency properties in Def. 2.6.

Claim 4.6. The above scheme RGb is a correct and efficient garbling scheme.

Proof. We can easily see correctness of RGb.Eval:

    RGb.Eval(Γ, c_x) = FE.Dec(Γ, c_x)   (by the definition of RGb.Eval)
                     = U_E(sk, x)        (by the correctness of FE)
                     = C(x)              (by the definition of U_E).

The efficiency of RGb depends on the efficiency of the FE.Enc algorithm, and the length of gsk depends on FE.Setup. If the runtime of FE.Enc does not depend on the class of circuits to be computed at all, the same holds for RGb.Enc's efficiency. If FE.Enc and FE.Setup depend on the depth of the circuits to be computed, as is the case in our LWE instantiation, RGb.Enc's runtime and |gsk| also depend on the depth of the circuits, but still remain independent of the size of the circuits, which could potentially be much larger. □

We can see that to obtain an RGb scheme for circuits of depth d, we need an FE scheme for polynomially deeper circuits: the overhead comes from the fact that U is universal and it also needs to perform decryption of E to obtain C.

To prove security, we need to construct a simulator S = (S_1, S_2) satisfying Def. 4.1, assuming there is a simulator Sim_FE that satisfies Def. 2.13.

To produce a simulated garbled circuit Γ̃, S_1 on input (1^κ, 1^{|C|}) runs:

1. Generate fresh fmpk, fmsk, and sk as in RGb.Garble.

2. Compute Ẽ := E.Enc(sk, 0^{|C|}). (The reason for encrypting 0^{|C|} is that S_1 does not know C.)

3. Compute and output Γ̃ ← FE.KeyGen(fmsk, U_Ẽ).
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5*2  receives  queries  for  values  x± ,xt  E  {0, 1}*  for  some  t  and  needs  to  output  a  simulated  encoding 
for  each  of  these.  To  produce  a  simulated  encoding  for  x\,  S-2  receives  inputs  (C'(xj),  1^1,  and  the  latest 
simulator’s  state)  and  invokes  the  simulator  SimFE  of  the  FE  scheme  and  outputs 

cx  :=  SimFE(fmpk,  fsk^,  Up,C(x),  l|sk|+W). 

A  potentially  alarming  aspect  of  this  simulation  is  that  S  generates  a  key  for  the  circuit  C)lcl  Whatever 
circuit  0^1  may  represent,  it  may  happen  that  there  is  no  input  x  to  ()lr  that  results  in  the  value  C(x).  The 
concern  may  then  be  that  SimFE  may  not  simulate  correctly.  However,  this  is  not  a  problem  because,  by 
semantic  security,  E  and  E  are  computationally  indistinguishable  so  SimFE  must  work  correctly,  otherwise  it 
breaks  semantic  security  of  the  encryption  scheme  E. 

We now prove formally that the simulation satisfies Def. 4.1 for any adversary A = (A_1, A_2). Let us assume that the output of A_2 is its view, namely all the information A_2 receives in the protocol, (C, state_A, Γ, {x_i, c_{x_i}}_{i=1}^t). If the outcomes of the real and ideal experiments are computationally indistinguishable in this case, then they are computationally indistinguishable for any other output strategy of A_2, because the distinguisher D can always run A_2 on its view since A_2 is p.p.t. Therefore, we would like to show that:

$$\bigl\{(C, \mathrm{state}_A, \Gamma, \{x_i, c_{x_i}\}_{i=1}^{t}) \leftarrow \mathrm{Exp}^{\mathrm{real}}_{\mathsf{RGb},A}(1^\kappa)\bigr\} \;\approx_c\; \bigl\{(C, \mathrm{state}_A, \tilde\Gamma, \{x_i, \tilde c_{x_i}\}_{i=1}^{t}) \leftarrow \mathrm{Exp}^{\mathrm{ideal}}_{\mathsf{RGb},A,S}(1^\kappa)\bigr\}.$$

Game 0: The ideal game of Def. 4.1 with simulator S; we recall that the output distribution in this case is
(C, state_A, FE.KeyGen(fmsk, U_Ẽ), {x_i, Sim_FE(fmpk, fsk_{U_Ẽ}, U_Ẽ, C(x_i), 1^{|x_i|+|sk|})}_{i=1}^t).

Game 1: The same as Game 0, but Ẽ is replaced with E = E.Enc(sk, C). That is, the output distribution is
(C, state_A, Γ, {x_i, Sim_FE(fmpk, fsk_{U_E}, U_E, C(x_i), 1^{|x_i|+|sk|})}_{i=1}^t).

Game 2: The real game with our construction for RGb. It consists of the output distribution

(C, state_A, Γ, {x_i, c_{x_i}}_{i=1}^t).

First, let us argue that the distributions output by Game 0 and Game 1 are computationally indistinguishable. Note that these two distributions differ only in Ẽ and E. Since these distributions do not contain sk or any other function of sk other than Ẽ/E, by semantic security of the encryption scheme we can show that these two distributions are computationally indistinguishable. Finally, Lemma 4.7 proves that the outputs of Game 1 and Game 2 are also computationally indistinguishable, which concludes our proof.

Lemma 4.7. Assuming FE is FULL-SIM-secure, the outputs of Game 1 and Game 2 are computationally indistinguishable.

Proof. The proof of the lemma is by contradiction. We assume there exist p.p.t. adversaries A = (A_1, A_2) and a p.p.t. distinguisher D such that D together with A can distinguish Game 1 and Game 2. Namely, there exists a polynomial p(·) such that, for infinitely many κ,

$$\bigl|\Pr[D(\mathrm{Exp}^{\mathrm{Game\,1}}_{A}(1^\kappa)) = 1] - \Pr[D(\mathrm{Exp}^{\mathrm{Game\,2}}_{A}(1^\kappa)) = 1]\bigr| \ge 1/p(\kappa). \qquad (5)$$
We construct adversaries that break the full security of the functional encryption scheme, Def. 2.13. We call these adversaries A^FE = (A_1^FE, A_2^FE) and D^FE, using the "FE" superscript to differentiate them from the adversaries distinguishing Game 1 and Game 2. In fact, we construct adversaries A^FE and D^FE that break a modified version of Def. 2.13: the modification is that A^FE can repeat Steps (4-5) as many times as it wishes and adaptively; more precisely, for the i-th repetition of Steps (4-5), A^FE can ask for an encryption of an input x_i, where x_i can be determined based on the previous values and encryptions of x_1, …, x_{i-1}; A^FE receives either a real encryption or a simulated encryption as in Step (5), but either all encryptions are real or all are simulated. We can see that if A^FE and D^FE break this modified definition, then they must break the original definition (with a polynomially smaller advantage): this implication follows from a standard hybrid argument, which is possible because the encryption of x_i is public key.

On input fmpk, adversary A_1^FE works as follows:

1. Run A_1 on input 1^κ and obtain C and state_A.

2. Choose sk ← E.KeyGen(1^κ), encrypt E ← E.Enc(sk, C), and let U_E be the circuit described above.

3. Output the function U_E and state^FE := (sk, U_E, state_A).

On input (fsk_{U_E}, state^FE), adversary A_2^FE works as follows:

1. Let Γ := fsk_{U_E}.

2. Run A_2 on U_E, Γ and state_A, answering its oracle queries as follows.

(a) Consider the i-th oracle query (x_i, state_A). Output (x_i, sk).

(b) Receive as input CT_i, which is either the real ciphertext c_i ← FE.Enc(fmpk, (x_i, sk)) or the simulated ciphertext c̃_i ← Sim_FE(fmpk, Γ, U_E, C(x_i), 1^{|x_i|+|sk|}). Respond to A_2 with (CT_i, state_A).

(c) Repeat these steps until A_2 finishes querying for encodings and outputs α.

3. Output α.

Adversary D^FE is the same as D.

When the encodings CT_i are the ideal ciphertexts, we can see that (A_1^FE, A_2^FE) simulate Game 1 perfectly; hence

$$\Pr[D^{FE}(\mathrm{Exp}^{\mathrm{ideal}}_{\mathsf{FE},A^{FE}}(1^\kappa)) = 1] = \Pr[D(\mathrm{Exp}^{\mathrm{Game\,1}}_{A}(1^\kappa)) = 1].$$

When the encodings CT_i are the real ciphertexts, (A_1^FE, A_2^FE) simulate Game 2 perfectly, and thus

$$\Pr[D^{FE}(\mathrm{Exp}^{\mathrm{real}}_{\mathsf{FE},A^{FE}}(1^\kappa)) = 1] = \Pr[D(\mathrm{Exp}^{\mathrm{Game\,2}}_{A}(1^\kappa)) = 1].$$

By Eq. (5), we have

$$\bigl|\Pr[D^{FE}(\mathrm{Exp}^{\mathrm{ideal}}_{\mathsf{FE},A^{FE}}(1^\kappa)) = 1] - \Pr[D^{FE}(\mathrm{Exp}^{\mathrm{real}}_{\mathsf{FE},A^{FE}}(1^\kappa)) = 1]\bigr| \ge 1/p(\kappa),$$

which contradicts the FULL-SIM-security of FE. □

Having proved that Game 0 and Game 1 are computationally indistinguishable, and that Game 1 and Game 2 are computationally indistinguishable, we conclude that Game 0 and Game 2 are computationally indistinguishable, and therefore that the garbling scheme RGb is input- and circuit-private with reusability. □
4.3 Impossibility of Public-Key Reusable Garbled Circuits

In this section, we show that a public-key reusable garbling scheme is impossible. Our argument is at a high level because it follows straightforwardly from existing results.

A public-key reusable garbling scheme would have the following syntax:

Definition 4.2 (Public-key garbling scheme). A public-key garbling scheme PubGb for the class of circuits {C_n}_{n∈N}, with C_n a set of boolean circuits taking n bits as input, is a tuple of p.p.t. algorithms (PubGb.Setup, PubGb.Garble, PubGb.Enc, PubGb.Eval) such that

• PubGb.Setup(1^κ): Takes as input the security parameter 1^κ and outputs a secret key gsk and a public key gpk.

• PubGb.Garble(gpk, C): Takes as input a public key gpk and a circuit C, and outputs the garbled circuit Γ of the circuit C.

• PubGb.Enc(gsk, x): Takes as input the secret key gsk and an input x, and outputs an encoding c_x.

• PubGb.Eval(Γ, c_x): Takes as input a garbled circuit Γ and an encoding c_x and outputs a value y.

Correctness. For all polynomials n(·), for all sufficiently large security parameters κ, for n = n(κ), for all circuits C ∈ C_n, and for all x ∈ {0,1}^n,

$$\Pr[(\mathsf{gsk}, \mathsf{gpk}) \leftarrow \mathsf{PubGb.Setup}(1^\kappa);\ \Gamma \leftarrow \mathsf{PubGb.Garble}(\mathsf{gpk}, C);\ c_x \leftarrow \mathsf{PubGb.Enc}(\mathsf{gsk}, x) : \mathsf{PubGb.Eval}(\Gamma, c_x) = C(x)] = 1 - \mathrm{negl}(\kappa).$$

The natural circuit-privacy security definition for this new scheme is similar in flavor to Def. 2.13, but we do not elaborate. (In fact, this definition can be relaxed to not require input privacy and the impossibility result still holds.)

The first step in the impossibility argument is to note that the syntax and correctness of a public-key garbling scheme are the same as the syntax of a functional encryption scheme (Def. 2.12) with the following correspondence of algorithms: PubGb.Setup corresponds to FE.Setup, PubGb.Garble corresponds to the encryption algorithm FE.Enc, PubGb.Enc corresponds to FE.KeyGen, and PubGb.Eval corresponds to FE.Dec. Note that PubGb.Enc does not correspond to FE.Enc but to FE.KeyGen, because PubGb.Enc is a secret-key algorithm and FE.Enc is a public-key algorithm. Therefore, an encoding of an input x in the reusable garbling scheme corresponds to a secret key for a function f_x in the functional encryption scheme.

Moreover, considering this mapping, it is straightforward to show that a circuit-private public-key garbling scheme implies a secure functional encryption scheme. Since the reusable garbling scheme allows an arbitrary number of inputs to be encoded, it implies that the functional encryption scheme can generate an arbitrary number of secret function keys sk_{f_x}; furthermore, in this functional encryption scheme, the size of the ciphertexts does not depend on the number of keys generated (because this number is nowhere provided as input in the syntax of the scheme). This conclusion directly contradicts the recent impossibility result of Agrawal et al. [AGVW12]: they show that any functional encryption scheme that can securely provide q keys must have the size of the ciphertexts grow with q; therefore, a reusable circuit-private public-key garbling scheme is unachievable.
5 Token-Based Obfuscation

Following the discussion of obfuscation in Sec. 1.1.2, the purpose of this section is to cast reusable garbled circuits in the form of obfuscation and to show that this provides a new model for obfuscation, namely token-based obfuscation.

Reusable garbled circuits come close to obfuscation: a reusable garbled circuit hides the circuit while permitting circuit evaluation on an arbitrary number of inputs. While they come close, reusable garbled circuits do not provide obfuscation, because the encoding of each input requires knowledge of the secret key: namely, to run an obfuscated program on an input, one needs to obtain a token for the input from the obfuscator. This requirement of our scheme is in fact necessary: as argued in the tightness discussion in Sec. 4, a scheme in which one can publicly encode inputs is impossible because it runs directly into known impossibility results for obfuscation.

Therefore, we propose a new token-based model for obfuscation. The idea is for a program vendor to obfuscate his program and provide tokens representing rights to run this program on specific inputs. For example, consider the case when some researchers want to compute statistics on a database with sensitive information. The program to be obfuscated consists of the database service program with the secret database hardcoded in it, U_db. When researchers want to compute statistics x, they request a token for x from the database owner. Using the obfuscated program and the token, the researchers can compute U_db(x), the statistics result, by themselves without having to contact the owner again. It is crucial that the time to compute the token for x is much smaller than the time to compute U_db on x, so that the owner does not have to do a lot of work. We also note that in certain cases one has to request such a token from the owner anyway for other reasons: for example, the database owner can check that the statistics the researchers want to compute are not too revealing and grant a token only if this is the case.

Let us compare the token-based obfuscation model with the obfuscation model resulting from using FHE. With FHE, the obfuscation of a program is the FHE encryption of the program. When the client wants to feed an input to the obfuscated program, the client can encrypt this input by herself using the FHE public key and does not need to obtain a token from the obfuscator. To run the program, the client performs FHE evaluation of a universal circuit on the encrypted program and the encrypted input, thus obtaining an encrypted result. The client cannot decrypt the result by herself and thus needs to contact the obfuscator for this decryption; this process consists of two messages. In our token-based model, if the obfuscator knows a priori the inputs for which to send tokens to the client (e.g., when distributing permissions for certain computations), the whole protocol consists of one message only, because the client can compute and decrypt the result by herself. Another difference between these two obfuscation models is that, in the token-based model, the obfuscator needs to be available only at the beginning of the computation (when giving out tokens), whereas in the FHE model the obfuscator has to be online at the end of the computation to decrypt the result.

5.1 Definition

We now provide the definition for token-based obfuscation and the desired simulation security. These definitions are very similar to the definitions for reusable garbled circuits (Def. 2.6 and Def. 4.1): the syntax, correctness and efficiency are the same, except that garbling schemes have an additional Eval algorithm.

Definition 5.1 (Token-based Obfuscation). A token-based obfuscation scheme for the class of circuits {C_n}_{n∈N} with C_n : {0,1}^n → {0,1} is a pair of p.p.t. algorithms (tOB.Obfuscate, tOB.Token) such that

• tOB.Obfuscate(1^κ, C): Takes as input the security parameter 1^κ and a circuit C ∈ C_n, and outputs a secret key osk and the obfuscation O of the circuit C.
• tOB.Token(osk, x): Takes as input the secret key osk and some input x ∈ {0,1}^n, and outputs tk_x.

Efficiency. The running time of tOB.Token is independent of the size of C.

Correctness. For all polynomials n(·), for all sufficiently large security parameters κ, if n = n(κ), for all circuits C ∈ C_n, and for all x ∈ {0,1}^n,

$$\Pr[(\mathsf{osk}, O) \leftarrow \mathsf{tOB.Obfuscate}(1^\kappa, C);\ \mathsf{tk}_x \leftarrow \mathsf{tOB.Token}(\mathsf{osk}, x) : O(\mathsf{tk}_x) = C(x)] = 1 - \mathrm{negl}(\kappa).$$

Remark 5.1. We could use an alternative definition of token-based obfuscation that separates the generation of osk (in an additional tOB.Setup algorithm with input the security parameter) from the tOB.Obfuscate algorithm. Such a formulation would force osk, and thus the token computation tOB.Token(osk, x), to be independent of the circuit obfuscated; moreover, C could be chosen later, even after all inputs x have been encrypted with tOB.Token.

Our construction satisfies this definition as well because it generates the secret key osk independently of C. However, we did not choose such a formulation because we wanted to be consistent with the definition of obfuscation, which does not have a separate setup phase.

Intuitively, in a secure token-based obfuscation scheme, an adversary does not learn anything about the circuit C other than C(x) and the size of C.

Definition 5.2 (Secure token-based obfuscation). Let tOB be a token-based obfuscation scheme for a family of circuits C = {C_n}_{n∈N}. For A = (A_1, A_2) and S = (S_1, S_2), pairs of p.p.t. algorithms, consider the following two experiments:

Exp^real_{tOB,A}(1^κ):
1: (C, state_A) ← A_1(1^κ)
2: (osk, O) ← tOB.Obfuscate(1^κ, C)
3: α ← A_2^{tOB.Token(osk,·)}(C, O, state_A)
4: Output α

Exp^ideal_{tOB,A,S}(1^κ):
1: (C, state_A) ← A_1(1^κ)
2: (Õ, state_S) ← S_1(1^κ, 1^{|C|})
3: α ← A_2^{OS(·,C)[[state_S]]}(C, Õ, state_A)
4: Output α

In the above, OS(·, C)[[state_S]] is an oracle that, on input x from A_2, runs S_2 with inputs C(x), 1^{|x|}, and the current state of S, state_S. S_2 responds with tk̃_x and a new state state_S, which OS will feed to S_2 on the next call. OS returns tk̃_x to A_2.

We say that the token-based obfuscation tOB is secure if there exists a pair of p.p.t. simulators S = (S_1, S_2) such that for all pairs of p.p.t. adversaries A = (A_1, A_2), the following two distributions are computationally indistinguishable:


Note that, in this security definition, a token tk_x hides x as well, because S_2 never receives x. This is usually not required of obfuscation, but we achieve this property for free.

5.2 Scheme

The construction of a token-based obfuscation scheme is very similar to the construction of reusable garbled circuits, the technical difference being minor: we need to specify how to construct the algorithm tOB.Obfuscate from RGb.Garble and RGb.Eval. We construct a token-based obfuscation tOB = (tOB.Obfuscate, tOB.Token) as follows, based on a reusable garbling scheme RGb = (RGb.Garble, RGb.Enc, RGb.Eval). The token algorithm tOB.Token is the same as RGb.Enc.

Obfuscation tOB.Obfuscate(1^κ, C ∈ C_n):

1. Let (Γ, sk) ← RGb.Garble(1^κ, C).

2. Construct the circuit O (the obfuscation of C) as follows. The circuit O has Γ hardcoded. It takes as input a token tk_x, computes RGb.Eval(Γ, tk_x), and outputs the result.

3. Output sk as the secret key, and the description of O as the obfuscation of C.

Since the construction is essentially the same as the one for reusable garbled circuits and the security notion is the same, the same claims and proofs as for reusable garbled circuits hold here, based on Theorem 4.3 and Corollary 4.4. We state them here for completeness.

Claim 5.2. Assuming a reusable garbling scheme for the class of circuits C, there is a token-based obfuscation scheme for C.

Recall the class of circuits C_{n,d(n)} defined for Corollary 3.2.

Corollary 5.3 (The LWE Instantiation). For every integer n ∈ N and polynomial function d = d(n), there is a token-based obfuscation scheme for the class C_{n,d(n)} under the following assumption: there is a constant 0 < ε < 1 such that for every sufficiently large ℓ, the approximate shortest vector problem gapSVP in ℓ dimensions is hard to approximate to within a 2^{O(ℓ^ε)} factor in time 2^{O(ℓ^ε)} in the worst case.

Denote by universal token-based obfuscation scheme a token-based obfuscation scheme for the class of all polynomial-sized circuits. Then,

Corollary 5.4 (Universal token-based obfuscation). If there is a universal fully secure single-key functional encryption scheme, there is a universal token-based obfuscation scheme.

6 Computing on Encrypted Data in Input-Specific Time

We initiate the study of fully homomorphic encryption where the runtime of the homomorphic evaluation is input-specific rather than worst-case time. We show how to use our functional encryption scheme to evaluate Turing machines on encrypted data in input-specific time.

Let us recall the setting of computation on encrypted data. A client gives various encrypted inputs and a function f to an evaluator. The evaluator should compute f on the encrypted inputs and return the encrypted result, while learning nothing about the inputs.

Fully homomorphic encryption has been the main tool used in this setting. It was first constructed in a breakthrough work by Gentry [Gen09] and refined in subsequent work [DGHV10, SS10b, BV11a, Vai11, BGV12, GHS12a, GHS12b]. Since then, FHE has found many great applications to various problems.

However, one of the main drawbacks of FHE is that when evaluating a Turing machine (TM) over encrypted data, the running time is at least the worst-case running time of the Turing machine over all inputs. The reason is that one needs to transform the TM into a circuit. If t_max is the maximum running time of the TM on inputs of a certain size (namely, the running time on the worst-case input), then the size of the resulting circuit is at least t_max. Thus, even if the TM runs in a short time on most of the inputs but for a very long time (t_max) on only one input, homomorphic evaluation will still run in time t_max for all inputs. This property often results in inefficiency in practice; for example, consider a TM having a loop that depends on the input. For specific inputs, it can loop for a very long time, but for most inputs it does not loop at all.

As a result, researchers have tried to find input-specific schemes. A first observation is that this goal is impossible: input-specific evaluation implies that the evaluator learns the runtime of the TM on each input, which violates CPA-security of the homomorphic scheme (Def. 2.5). Hence, we must relax the security definition and allow the evaluator to learn the runtime for each input, but require that the evaluator learns nothing else besides the running time. This goal is not possible with FHE because the evaluator cannot decrypt any bit of information, so it cannot tell whether the computation finished or not; thus, we must look for new solutions.

A second observation is that the evaluator must no longer be able to evaluate TMs of his choice on the client's data: if he could, the evaluator would run TMs whose running times convey the value of the input x (for example, the evaluator could run |x| TMs, where the i-th TM stops early if the i-th bit of x is zero, and otherwise stops later; in this way, the evaluator learns the exact value of x).

Based on these observations, we can see that functional encryption is the natural solution: it hides the inputs to the computation, enables the evaluator to decrypt the running time, and requires the evaluator to obtain a secret key from the client to evaluate each TM.

Due to the impossibility result for functional encryption [AGVW12] discussed in Sec. 1, the client cannot give keys for an arbitrary number of Turing machines to the evaluator. The best we can hope to achieve is for the client to provide a single key for a function to the evaluator (or equivalently, for a constant number q of keys if the client runs the scheme q times). Fortunately, the single-key restriction does not mean that the client can evaluate only one Turing machine. In fact, the client can give a key to the evaluator for a universal Turing machine U that takes as input a TM M and a value x, and outputs M(x). Then, the client must specify together with each input x the TM M he wants to run on x. Such a strategy is even desirable in certain cases: the client may not want the evaluator to compute a TM on every input the client has provided and learn the running time on that input; the client may prefer to specify what inputs to run each Turing machine on.

Using our functional encryption scheme, we achieve a construction that enables computation in input-specific time. We call such a scheme Turing machine homomorphic encryption, or TMFHE for short.

As discussed (Corollary 3.2), our functional encryption scheme is succinct in that the ciphertexts grow with the depth of the circuit rather than the size of the circuit. Therefore, our input-specific computation is useful only for Turing machines that can be represented by circuits whose depth is smaller than the running time, because otherwise the client would have to do a lot of work and could instead just run the Turing machine on its own. Moreover, for these machines, we cannot use the Pippenger-Fischer [PF79] transformation because the resulting circuits have depth roughly equal to the running time of the transformed machines. Specifically, our input-specific scheme makes sense for the following class of circuits, with a bound on their depth.

Definition 6.1 (d-depth-bounded class of Turing machines). A finite class of Turing machines M is d-depth-bounded for a function d if there exists a class of efficiently computable transformations {T_n}_{n∈N} with T_n : N → {all circuits} such that T_n(t) = C_{n,t}, where C_{n,t} is a circuit as follows.

• On input a Turing machine M ∈ M and a value x ∈ {0,1}^n, C_{n,t} outputs M(x) if M on input x stops in t steps, or ⊥ otherwise.

• The depth of C_{n,t} is at most d(n) and the size of C_{n,t} is O(t).

Remark 6.1. Notice that, if we remove the depth constraint (but still keep the circuit size constraint), any finite class of Turing machines satisfies the definition because of the Pippenger-Fischer transformation applied to the universal circuit of this class of Turing machines. Specifically, let U_t be a universal Turing machine that runs any given machine M ∈ M for t steps. This machine has O(t) running time and, when applying the Pippenger-Fischer transformation [PF79] to it, we get a circuit of size O(t log t).

We next present our construction. For completeness, we provide formal definitions and proofs of our theorems and claims in Appendix C. Our security notion (Def. C.2 in the appendix) is called runtime-CPA security, which straightforwardly captures the fact that the evaluator should learn nothing about the computation besides the running time.

6.1 Construction

A TMFHE scheme consists of four algorithms: TMFHE = (TMFHE.KeyGen, TMFHE.Enc, TMFHE.Eval, TMFHE.Dec). The client runs TMFHE.KeyGen once in an offline preprocessing stage. Later, in the online phase, the client sends a potentially large number of encrypted inputs to the evaluator. For every input (x, M) consisting of a value x and a Turing machine M, the client runs TMFHE.Enc to encrypt the input and then TMFHE.Dec to decrypt the result from the evaluator. The evaluator runs TMFHE.Eval to evaluate M on x homomorphically in input-specific running time. The work of the client in the offline phase is proportional to t_max, the worst-case input running time. However, for each input in the online phase, the client does little work (independent of the running time of M), and thus the cost is amortized.

We first provide intuition for our construction. As mentioned, we use our functional encryption scheme FE to enable the evaluator to determine at various intermediary points whether the computation has finished or not. For each intermediary step, the client has to provide the evaluator with a function secret key fsk (using the FE scheme) for a function that returns a bit indicating whether the computation has finished. However, if the client provides a key for every computation step, the offline work of the client becomes quadratic in t_max, which can be very large in certain cases. The idea is to choose intermediary points spaced at exponentially increasing intervals. In this way, the client generates only a logarithmic number of keys, while the evaluator runs in roughly twice the time of M on an input.

As part of TMFHE.Enc, besides providing the FE encryptions for a pair (M, x), the client also provides a homomorphic encryption of x and of the machine M, so that once the evaluator learns the running time of M on x, it can then perform the homomorphic computation on x in that running time.

We present our construction for a class of d-depth-bounded Turing machines. By Def. 6.1, such a class has a transformation T_n that enables transforming a universal TM into a circuit. Let FHE be any homomorphic encryption scheme (as defined in Sec. 2.3) for circuits of depth d, and let FE be any functional encryption scheme for circuits of depth d. For simplicity, we present our scheme for Turing machines that output only one bit; we discuss in Sec. 6.3 multiple output bits and how to avoid having the output size be worst case.

Key generation TMFHE.KeyGen(1^κ, 1^n, 1^{t_max}) takes as input the security parameter κ, an input size n, and a maximum time bound t_max.

1. Let r = ⌈log t_max⌉. For each i ∈ [r], let D_i = T_n(2^i) be the circuit that outputs M(x) if M finishes in 2^i steps on input x, or ⊥ otherwise. Construct the circuit C_i based on D_i: the circuit C_i, on input a TM M and a value x, outputs 1 if M finished in 2^i steps when running on input x, or 0 otherwise; C_i is the same as the circuit D_i, but it just outputs whether the first output bit of D_i is non-⊥ or ⊥, respectively.

2. Generate functional encryption secret keys for C_1, …, C_r by running:

(fmpk_i, fmsk_i) ← FE.Setup(1^κ) and fsk_i ← FE.KeyGen(fmsk_i, C_i) for i ∈ [r].

3. Generate FHE keys (hsk, hpk) ← FHE.KeyGen(1^κ).

4. Output the tuple PK := (fmpk_1, …, fmpk_r, hpk) as the public key, EVK := (fsk_1, …, fsk_r, hpk) as the evaluation key, and SK := hsk as the secret key.

Encryption TMFHE.Enc(PK, M, x): takes as input the public key PK of the form ({fmpk_i}_i, hpk), a TM M, and a value x that is n bits long.

1. Let x̂ ← (FHE.Enc(hpk, x_1), …, FHE.Enc(hpk, x_n)), where x_i is the i-th bit of x. Similarly, let M̂ ← (FHE.Enc(hpk, M_1), …, FHE.Enc(hpk, M_n)), which is the homomorphic encryption of M (the string description of the TM M) bit by bit.

2. Compute c_i ← FE.Enc(fmpk_i, (M, x)) for i ∈ [r].

3. Output the ciphertext c = ("enc", x̂, M̂, c_1, …, c_r).

Evaluation TMFHE.Eval(EVK, c): takes as input an evaluation key EVK of the form ({fsk_i}_i, hpk) and a ciphertext c of the form ("enc", x̂, M̂, c_1, …, c_r).

1. Start with i = 1. Repeat the following:

(a) b ← FE.Dec(fsk_i, c_i).

(b) If b = 1 (the computation finished and we can now evaluate homomorphically on x̂):

i. Compute D_i, the circuit that evaluates a Turing machine in M for 2^i steps, using T_n(2^i).

ii. Evaluate and output ("eval", FHE.Eval(hpk, D_i, (M̂, x̂))).

(c) Else (b = 0), proceed to the next i.

Decryption TMFHE.Dec(SK, c): takes as input a secret key SK = hsk and a ciphertext c of the form

("enc", x̂, M̂, c_1, …, c_r) or ("eval", c).

1. If the ciphertext is of type "enc", compute and output FHE.Dec(hsk, x̂).

2. Else (the ciphertext is of type "eval"), compute and output FHE.Dec(hsk, c).
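To make the checkpoint schedule of TMFHE.KeyGen and TMFHE.Eval concrete, the following Python model is an added example and not code from the report or from any implementation of it: FE.Dec on fsk_i is replaced by directly testing whether M halts within 2^i steps, FHE.Eval of D_i by running M for 2^i steps, and every circuit is charged its size bound 2^i as its cost. The functions loop_machine, run_bounded, keygen_schedule, evaluate and running_time, and the 7-bit sample inputs, are all constructed for illustration.

```python
import math


def run_bounded(machine, x, t):
    """Model of the circuit D_i = T_n(2^i) with t = 2^i: run `machine` on x for
    at most t steps.  `machine(x)` is a generator that yields once per step
    and returns the output bit when it halts (the halting call counts as a
    step).  Returns (output, steps_used), or (None, t) standing for ⊥."""
    gen = machine(x)
    steps = 0
    while steps < t:
        steps += 1
        try:
            next(gen)
        except StopIteration as halt:
            return halt.value, steps        # M halted within the step bound
    return None, t                          # ⊥: M did not finish in t steps


def loop_machine(x):
    """Constructed sample TM with an input-dependent loop: it spins int(x, 2)
    times and then halts with the parity of x, so its running time ranges
    from 1 to 2^n steps on n-bit inputs (the loop the text warns about)."""
    for _ in range(int(x, 2)):
        yield
    return x.count("1") % 2


def keygen_schedule(t_max):
    """Checkpoints fixed by TMFHE.KeyGen: one FE key fsk_i per bound 2^i for
    i = 1..r with r = ceil(log2 t_max), i.e. logarithmically many keys."""
    r = math.ceil(math.log2(t_max))
    return [2 ** i for i in range(1, r + 1)]


def evaluate(machine, x, t_max):
    """Model of TMFHE.Eval: walk the checkpoints in increasing order; at each
    one decide the bit b = C_i(M, x) (modelled by run_bounded) and, when
    b = 1, evaluate D_i (modelled by a second run_bounded).  Each circuit is
    charged its size bound 2^i.  Returns (output, checkpoint_index, work);
    output is None when M exceeds t_max and every checkpoint answers ⊥."""
    checkpoints = keygen_schedule(t_max)
    work = 0
    for i, t in enumerate(checkpoints, start=1):
        work += t                            # FE.Dec(fsk_i, c_i): |C_i| = O(2^i)
        out, _ = run_bounded(machine, x, t)  # b = 1 iff out is not ⊥
        if out is not None:
            work += t                        # FHE.Eval(hpk, D_i, (M̂, x̂)): |D_i| = O(2^i)
            return out, i, work
    return None, len(checkpoints), work


def running_time(machine, x):
    """time(M, x): number of steps until `machine` halts on x (assumed to halt)."""
    steps = 0
    gen = machine(x)
    while True:
        steps += 1
        try:
            next(gen)
        except StopIteration:
            return steps


if __name__ == "__main__":
    T_MAX = 128                              # worst-case bound for 7-bit inputs
    print("checkpoints 2^i:", keygen_schedule(T_MAX))
    for x in ("0000000", "0000011", "1111111"):
        out, i, work = evaluate(loop_machine, x, T_MAX)
        print(f"x={x}: time={running_time(loop_machine, x):3d} "
              f"finished at checkpoint 2^{i}, work={work:3d} "
              f"(a worst-case circuit always costs {T_MAX}), out={out}")
```

In this accounting the evaluator's work stays within a small constant factor of time(M, x) (the geometric sum of the checkpoints it visits plus one more circuit of the same size), so inputs that halt early cost far less than the worst-case circuit, while the worst-case input pays that constant-factor overhead on top of t_max.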

6.2 Results

We now state our results.

Theorem 6.2. For any class of d-depth-bounded Turing machines that take n bits of input and produce one bit of output, there is a Turing machine homomorphic encryption scheme, assuming the existence of a fully secure functional encryption scheme FE for any class of circuits of depth d and a d-leveled homomorphic encryption scheme FHE, where:

• The online work of the client is

(n + log t_max) · poly(κ, d(n)).

• The online work of the server in evaluating M on an encryption of x is

poly(n, d(n), time(M, x)),

where time(M, x) is the runtime of M on x.

This theorem shows that our TMFHE scheme comes as a reduction from any functional encryption scheme. The proof of this theorem is in Appendix C. We can see that the work of the client is indeed smaller than computing the circuit, especially if the polynomial d is smaller than the running time. Moreover, we can also see that the server runs in input-specific time: the evaluation time depends on the actual running time and the depth of the circuit.

When  instantiating  our  TMFHE  construction  with  our  functional  encryption  FE  construction  from  Sec.  3 
and  using  Corollary  3.2,  we  obtain  a  scheme  under  an  LWE  assumption. 

Corollary 6.3 (LWE Instantiation). For every integer n ∈ N and polynomial function d = d(n), there is a Turing machine homomorphic encryption scheme for any class of d-depth-bounded Turing machines, under the following assumption: there is a constant 0 < ε < 1 such that for every sufficiently large ℓ, the approximate shortest vector problem gapSVP in ℓ dimensions is hard to approximate to within a 2^{O(ℓ^ε)} factor in time in the worst case.

Remark 6.4. If the underlying FE scheme is selectively secure (Def. 2.14), one can still obtain an input-specific homomorphic encryption scheme, but with selective security; namely, the scheme would achieve a modified version of Def. C.2 in Appendix C (the adversary A must choose x before seeing EVK and PK). The scheme would then be secure under the following assumption: there is a constant 0 < ε < 1 such that for every sufficiently large ℓ, the approximate shortest vector problem gapSVP in ℓ dimensions is hard to approximate to within a 2^{O(ℓ^ε)} factor in the worst case by polynomial-time adversaries.

Let us discuss which classes of Turing machines are d-depth-bounded.

Fact 6.5. The class of Turing machines running in log-space is log²-depth-bounded.

This fact follows directly from the known relation that the LOGSPACE complexity class is contained in NC².

In general, the following pattern of computation fits d-depth-boundedness and benefits from input-specific evaluation. Consider a computation that performs different kinds of computation on different types of inputs; all these computations are of the same (shallow) depth, but the computation can be much larger in one case than in the others.

A  few  remarks  are  in  order: 

Remark 6.6. Call a TMFHE scheme for any finite class of Turing machines a universal TMFHE scheme. Based on Remark 6.1, we can see that if there is a universal succinct functional encryption scheme and a fully homomorphic encryption scheme, there is a universal TMFHE scheme with online client and server work independent of depth:

• The online work of the client becomes

(n + log t_max) · poly(κ).

• The online work of the server in evaluating M on an encryption of x becomes

poly(n, time(M, x)),

where time(M, x) is the runtime of M on x.

6.3 Input-Dependent Output Size

The construction above considered Turing machines that output only one bit. To allow TMs that output more than one bit, one can simply use the standard procedure of running one instance of the protocol for each bit of the output. However, as with running time, this would result in repeating the protocol as many times as the worst-case output size for every input. Certain inputs can result in small outputs while others can result in large outputs, so it is desirable to evaluate with input-specific output size.

We can use the same approach as above to obtain input-specific output size: the client provides keys to the evaluator to decrypt the size of the output. Then, the evaluator can simply use homomorphic evaluation on a circuit whose output size is the determined one.
A Detailed Background on Learning With Errors (LWE)

The LWE problem was introduced by Regev [Reg05] as a generalization of “learning parity with noise” [BFKL93, BKW03, Ale03]. Regev showed that solving the LWE problem on the average is as hard as (quantumly) solving several standard lattice problems in the worst case. This result bolstered our confidence in the LWE assumption and generated a large body of work building cryptographic schemes under the assumption, culminating in the construction of a fully homomorphic encryption scheme [BV11a].

For positive integers ℓ and q ≥ 2, a vector s ∈ Z_q^ℓ, and a probability distribution χ on Z_q, let A_{s,χ} be the distribution obtained by choosing a vector a ← Z_q^ℓ uniformly at random and a noise term e ← χ, and outputting (a, ⟨a, s⟩ + e) ∈ Z_q^ℓ × Z_q. A formal definition follows.

Definition A.1 (LWE). For an integer q = q(ℓ) and an error distribution χ = χ(ℓ) over Z_q, the learning with errors problem LWE_{ℓ,m,q,χ} is defined as follows: given m independent samples from A_{s,χ} (for some s ∈ Z_q^ℓ), output s with noticeable probability.

The (average-case) decision variant of the LWE problem, denoted dLWE_{ℓ,m,q,χ}, is to distinguish (with non-negligible advantage) m samples chosen according to A_{s,χ} (for uniformly random s ← Z_q^ℓ) from m samples chosen according to the uniform distribution over Z_q^ℓ × Z_q.

We denote by LWE_{ℓ,q,χ} (resp. dLWE_{ℓ,q,χ}) the variant where the adversary gets oracle access to A_{s,χ}, and is not a priori bounded in the number of samples.

For cryptographic applications we are primarily interested in the average-case decision problem dLWE, where s ← Z_q^ℓ. We will also be interested in assumptions of the form: no t-time adversary can solve dLWE with non-negligible advantage, which we will call the t-hardness of dLWE.
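As an added worked example of the definitions above (written for this edited copy; it is not code from the report, from [Reg05], or from any library), the following Python builds samples from A_{s,χ} for a B-bounded χ, shows why knowing s separates A_{s,χ} from the uniform distribution over Z_q^ℓ × Z_q (the dLWE distinction), and uses the samples as a Regev-style public key for one bit. The values ℓ = 16, q = 4093, B = 3, m = 64 and the choice of χ as uniform on {−B, ..., B} are assumptions made for a quick run and give no security.

```python
"""LWE samples, the dLWE distinction, and Regev-style bit encryption on top of them.

Added example, not code from the report.  Parameters are toy values chosen so the
example runs instantly; they give no security.
"""
import random

# Toy parameters (assumption: small values for illustration only).
ELL = 16      # LWE dimension l
Q = 4093      # modulus q
B = 3         # chi is B-bounded: its support lies in {-B, ..., B}
M = 64        # number of samples m in the public key


def sample_chi(rng, bound=B):
    """B-bounded error distribution chi, here uniform on {-B, ..., B}.
    ([Reg05, Pei09] use a discretised Gaussian; only B-boundedness matters here.)"""
    return rng.randint(-bound, bound)


def lwe_sample(s, rng, q=Q, bound=B):
    """One sample from A_{s,chi}: (a, <a, s> + e mod q) with a uniform in Z_q^l."""
    a = [rng.randrange(q) for _ in range(len(s))]
    e = sample_chi(rng, bound)
    b = (sum(ai * si for ai, si in zip(a, s)) + e) % q
    return a, b


def uniform_sample(ell, rng, q=Q):
    """One sample from the uniform distribution over Z_q^l x Z_q (the dLWE alternative)."""
    return [rng.randrange(q) for _ in range(ell)], rng.randrange(q)


def centered(v, q=Q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def residuals(s, samples, q=Q):
    """b - <a, s> mod q, centred.  For A_{s,chi} samples these are exactly the
    noise terms e and so lie in [-B, B]; for uniform samples they are spread over
    all of Z_q.  Knowing s therefore separates the two distributions."""
    return [centered(b - sum(ai * si for ai, si in zip(a, s)), q) for a, b in samples]


def keygen(rng, ell=ELL, m=M, q=Q, bound=B):
    """Regev public-key encryption: the public key is m LWE samples under secret s."""
    s = [rng.randrange(q) for _ in range(ell)]
    pk = [lwe_sample(s, rng, q, bound) for _ in range(m)]
    return pk, s


def encrypt(pk, bit, rng, q=Q):
    """Sum a random subset of the public samples and add bit * floor(q/2) to the b part."""
    ell = len(pk[0][0])
    subset = [i for i in range(len(pk)) if rng.random() < 0.5]
    u = [sum(pk[i][0][j] for i in subset) % q for j in range(ell)]
    v = (sum(pk[i][1] for i in subset) + bit * (q // 2)) % q
    return u, v


def decrypt(s, ct, q=Q):
    """The accumulated noise is at most m*B = 192 here, far below q/4, so the
    centred value is close to 0 for bit 0 and close to q/2 for bit 1."""
    u, v = ct
    d = centered(v - sum(ui * si for ui, si in zip(u, s)), q)
    return 1 if abs(d) > q // 4 else 0


def demo(seed=1):
    """Generate a key, compare residuals of LWE and uniform samples, round-trip bits."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    lwe_res = residuals(s, pk)
    unif_res = residuals(s, [uniform_sample(ELL, rng) for _ in range(M)])
    round_trip = [decrypt(s, encrypt(pk, bit, rng)) for bit in (0, 1, 1, 0)]
    return {
        "lwe_max_residual": max(abs(r) for r in lwe_res),
        "uniform_max_residual": max(abs(r) for r in unif_res),
        "round_trip": round_trip,
    }


if __name__ == "__main__":
    print(demo())
```

The residual check is the whole point of withholding s from the dLWE adversary: with s in hand every residual of an A_{s,χ} sample lands in [−B, B], while residuals of uniform pairs range over all of Z_q; without s the two sample sets are, under the assumption, indistinguishable.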

There are known quantum [Reg05] and classical [Pei09] reductions between dLWE_{ℓ,m,q,χ} and approximating short vector problems in lattices. Specifically, these reductions take χ to be (a discretized version of) the Gaussian distribution, which is B-bounded for an appropriate B. Since the exact distribution χ does not matter for our results, we state a corollary of the results of [Reg05, Pei09] in terms of the bound on the distribution.

Let B = B(ℓ) ∈ N. A family of distributions χ = {χ_ℓ}_{ℓ∈N} is called B-bounded if the support of χ_ℓ is (a subset of) {−B(ℓ), ..., B(ℓ)}. Then:
Lemma A.1 ([Reg05, Pei09]). Let q = q(ℓ) ∈ N be a product of co-prime numbers q = ∏ q_i such that for all i, q_i = poly(ℓ), and let B ≥ ℓ. Then there exists an efficiently sampleable B-bounded distribution χ such that if there is an efficient algorithm that solves the (average-case) dLWE_{ℓ,q,χ} problem, then:

• There is a quantum algorithm that solves SIVP with approximation factor Õ(ℓ√ℓ · q/B) and gapSVP with approximation factor Õ(ℓ√ℓ · q/B) on any ℓ-dimensional lattice, and runs in time poly(ℓ).

• There is a classical algorithm that solves the ζ-to-γ decisional shortest vector problem gapSVP_{ζ,γ}, where γ = Õ(ℓ√ℓ · q/B) and ζ = Õ(q√ℓ), on any ℓ-dimensional lattice, and runs in time poly(ℓ).

We remark that this connection is time-preserving, in the sense that given an LWE algorithm that runs in time t, these reductions produce algorithms that solve the lattice problems in time poly(t).

We refer the reader to [Reg05, Pei09] for the formal definitions of these lattice problems, as they have no direct connection to this work. We only note here that the best known algorithms for these problems run in time nearly exponential in the dimension ℓ [AKS01, MV10]. More generally, the best algorithms that approximate these problems to within a factor of 2^k run in time 2^{Õ(ℓ/k)}. Specifically, given the current state of the art on lattice algorithms, the LWE_{ℓ,q,χ} assumption is quite plausible for a poly(ℓ)-bounded distribution χ and q as large as 2^{ℓ^ε} (for any constant 0 < ε < 1).

Given this state of affairs, we will abuse notation slightly and conflate the LWE dimension ℓ with the security parameter κ.

B  Construction  of  Two-Outcome  Attribute-Based  Encryption 

Let us construct a two-outcome attribute-based encryption scheme, denoted ABE2, from an ABE scheme, ABE.

The idea is to use two ABE instantiations, one encrypting M_0 and the other M_1. To make sure that exactly one of these messages gets revealed when a predicate is evaluated, we provide secret keys for the negation of the predicate and for the predicate itself in the two instantiations, respectively.

Setup ABE2.Setup(1^κ):

1. Run (fmsk_0, fmpk_0) ← ABE.Setup(1^κ) and (fmsk_1, fmpk_1) ← ABE.Setup(1^κ).

2. Let fmsk := (fmsk_0, fmsk_1) and fmpk := (fmpk_0, fmpk_1). Output fmsk and fmpk.

Key generation ABE2.KeyGen(fmsk, P): Let fsk_0 ← ABE.KeyGen(fmsk_0, P̄) and fsk_1 ← ABE.KeyGen(fmsk_1, P), where P̄ is the negation of P, namely P̄(x) = 1 − P(x). Output fsk_P = (fsk_0, fsk_1).

Encryption ABE2.Enc(fmpk, x, M_0, M_1): Let C_0 ← ABE.Enc(fmpk_0, x, M_0) and C_1 ← ABE.Enc(fmpk_1, x, M_1). Output C = (C_0, C_1).

Decryption ABE2.Dec(fsk_P, C):

1. Parse fsk_P = (fsk_0, fsk_1) and C = (C_0, C_1).

2. Run M_0 ← ABE.Dec(fsk_0, C_0) and if M_0 ≠ ⊥, output M_0.

3. Run M_1 ← ABE.Dec(fsk_1, C_1) and if M_1 ≠ ⊥, output M_1.
We next prove that this construction yields a secure two-outcome ABE scheme. Note that our construction requires an ABE scheme whose predicate class 𝒫_n is closed under negation: for every predicate P ∈ 𝒫_n, the predicate P̄ is also included in 𝒫_n.

Proof of Claim 2.5. Correctness of ABE2 is straightforward: if P(x) = 0, C_0 will decrypt to M_0 by the correctness of ABE, and mutatis mutandis for P(x) = 1.

We prove security by contradiction. Assume there exists a p.p.t. A = (A_1, A_2, A_3) that breaks the security of our ABE2 construction, Def. 2.11; namely, there exists a polynomial p such that, for infinitely many κ,

Pr[Exp_{ABE2,A}(1^κ) = 1] ≥ 1/2 + 1/p(κ). (6)

We construct a p.p.t. adversary R = (R_1, R_2, R_3) that breaks the security of ABE, Def. 2.9.

The adversary R_1 receives as input fmpk* and outputs a predicate P* as follows. The adversary A_1 expects two public keys. R_1 uses fmpk* as one of these public keys and generates the other public key freshly, (fmsk, fmpk) ← ABE.Setup(1^κ). The order in which R_1 provides these keys to A_1 depends on the value of P(x), which is not known at this step. If P(x) will be 0, R will have to give A the ability to decrypt a ciphertext encrypted with the first key. If that key is fmpk*, R cannot accomplish this task because it does not have the corresponding secret key. Therefore, R will try to guess P(x) by flipping a random coin. Concretely, R_1 runs:

1. Guess P(x) at random, namely draw a random bit denoted guess. If guess is 0:

(a) Provide (fmpk, fmpk*) to A_1.

(b) Receive P from A_1 and output P* := P.

2. Else (guess is 1):

(a) Provide (fmpk*, fmpk) to A_1.

(b) Receive P from A_1 and output P* := P̄.

Adversary R_2 receives as input fsk_{P*} and generates M_0^*, M_1^*, and x^* as follows.

1. Generate fsk_{P̄*} ← ABE.KeyGen(fmsk, P̄*).

2. If guess is 0, provide (fsk_{P̄*}, fsk_{P*}) to A_2; else (guess was 1) provide (fsk_{P*}, fsk_{P̄*}) to A_2.

3. Receive (M, M_0, M_1, x) from A_2. Output M_0^* := M_0, M_1^* := M_1 and x^* := x.

Adversary R_3 receives as input c* and outputs a guess bit as follows:

1. Check that P(x) equals guess. If this is not the case, namely R_1 guessed the value of P(x) incorrectly, output a random bit and exit. Otherwise, continue.

2. Feed the following input to A_3: if guess = 0, feed the inputs (ABE.Enc(fmpk, x, M), c*); else (guess = 1), feed the inputs (c*, ABE.Enc(fmpk, x, M)). Output whatever A_3 outputs.
R_1 guesses P(x) correctly with probability one half. When R_1 does not guess P(x) correctly, R_3 outputs a correct bit with probability 1/2 (because it outputs a random guess). When R_1 guesses P(x) correctly, we can see that R simulates the ABE2 game with A correctly. Therefore, in this case, whenever A guesses correctly, R also guesses correctly. Using Eq. (6), we have

Pr[Exp_{ABE,R}(1^κ) = 1] ≥ 1/2 · 1/2 + 1/2 · (1/2 + 1/p(κ)) = 1/2 + 1/(2p(κ)), (7)

which provides the desired contradiction. □

C  Homomorphic  Encryption  for  Turing  Machines:  Definitions  and  Proofs 

Let  us  first  define  the  syntax  of  a  Turing  machine  homomorphic  encryption  scheme. 

Definition C.1. A Turing machine homomorphic encryption scheme TMFHE for a class of Turing machines ℳ is a quadruple of p.p.t. algorithms (TMFHE.KeyGen, TMFHE.Enc, TMFHE.Dec, TMFHE.Eval) as follows:

• TMFHE.KeyGen(1^κ, 1^n, 1^{t_max}) takes as input a security parameter κ, an input size n, and a time bound t_max, and outputs a public key PK, an evaluation key EVK, and a secret key SK.

• TMFHE.Enc(PK, M, x) takes as input the public key PK, a Turing machine M with one bit of output, and an input x ∈ {0, 1}^n, for some n, and outputs a ciphertext c.

• TMFHE.Dec(SK, c) takes as input the secret key SK and a ciphertext c, and outputs a message x.

• TMFHE.Eval(EVK, c) takes as input the evaluation key EVK and a ciphertext c, and outputs a ciphertext c'.

Correctness: For every polynomial n(·), for every polynomial t_max(·), for every sufficiently large security parameter κ, for n = n(κ), for every Turing machine M ∈ ℳ whose running time on inputs of size n is upper-bounded by t_max(n), and for every input x ∈ {0, 1}^n,

Pr[(PK, EVK, SK) ← TMFHE.KeyGen(1^κ, 1^n, 1^{t_max(n)});
c ← TMFHE.Enc(PK, M, x);
c* ← TMFHE.Eval(EVK, c) :

TMFHE.Dec(SK, c*) ≠ M(x)] = negl(κ).

Note that the correctness property constrains t_max to be a polynomial. However, t_max can still be a very large polynomial, and we would like the server not to have to run in that time for all inputs. (In fact, this constraint can be eliminated if we use an FHE scheme and an ABE scheme that have no correctness error.)

Definition C.2 (Runtime-CPA Security). Let TMFHE be an input-specific homomorphic encryption scheme for the class of Turing machines ℳ. For every p.p.t. adversary A = (A_1, A_2) and p.p.t. simulator S, consider the following two experiments:

Exp^{real}_{TMFHE,A}(1^κ):

1: (1^{t_max}, 1^n, state_A) ← A_1(1^κ)

2: (PK, EVK, SK) ← TMFHE.KeyGen(1^κ, 1^n, 1^{t_max})

3: (M, x, state_A) ← A_2(state_A, PK, EVK)

4: c ← TMFHE.Enc(PK, M, x)

5: Output (state_A, c)

Exp^{ideal}_{TMFHE,A,S}(1^κ):

1: (1^{t_max}, 1^n, state_A) ← A_1(1^κ)

2: (PK, EVK, SK) ← TMFHE.KeyGen(1^κ, 1^n, 1^{t_max})

3: (M, x, state_A) ← A_2(state_A, PK, EVK)

4: c ← S(M, 1^n, 1^t, EVK, PK) with t = time(M, x)

5: Output (state_A, c)

The scheme is said to be runtime-CPA-secure if there exists a p.p.t. simulator S such that for all pairs of p.p.t. adversaries A = (A_1, A_2) for which A_2 outputs M ∈ ℳ and x ∈ {0, 1}^n, we have

{Exp^{real}_{TMFHE,A}(1^κ)}_{κ∈N} ≈ {Exp^{ideal}_{TMFHE,A,S}(1^κ)}_{κ∈N}.

This  definition  essentially  captures  our  security  goal:  one  can  simulate  any  information  learned  from 
the  scheme  by  using  only  the  Turing  machine  M  and  the  running  time  of  M  on  x,  but  without  any  other 
information  about  x. 

In  fact,  we  can  achieve  a  scheme  that  hides  M  as  well  in  a  straightforward  way:  since  our  construction 
passes  M  and  x  as  inputs  to  universal  circuits,  M  could  also  be  hidden  in  the  same  way  as  x  is. 

C.1 Proof

Proof of Theorem 6.2. We first prove the correctness and efficiency claims of the theorem and then we prove security.

If the underlying FE scheme is correct, then TMFHE is correct: whenever 2^i for some i is an upper bound on the running time of M on x, the output of C_i(M, x) is 1. Based on the correctness of the FHE scheme FHE, the evaluation of D_i on M, x will be correct, so FHE.Dec will return M(x).

Lemma C.1. The online work of the client in the TMFHE scheme is (log t_max + n) · poly(κ, d(n)).

Proof. The work of the client in the online phase consists of running TMFHE.Enc(PK, x) and TMFHE.Dec(SK, c). The work of the client for TMFHE.Enc(PK, x) is n · poly(d(κ)) to compute the FHE ciphertexts and (1 + ⌈log t_max⌉) · poly(d(n), κ) to compute the FE ciphertexts. Since n depends polynomially on κ, we obtain that the total cost is at most (log t_max + n) · poly(κ, d(n)) (where we incorporated the constant values in the poly notation).

The runtime of TMFHE.Dec(SK, c) is poly(d(κ)) because FHE.Dec runs in time polynomial in κ and d(n). Therefore, the total online work of the client is (log t_max + n) · poly(d(κ), d(n), n). □

Lemma C.2. The work of the evaluator in the TMFHE scheme is poly(n, d(n), time(M, x)).

Proof. The work of the evaluator consists of running TMFHE.Eval(EVK, c). This depends on the number of times the loop in TMFHE.Eval is repeated and the cost within each iteration. Let us evaluate the cost at the i-th repetition of the loop. Let t_i = 2^i.

By the properties of the transformation T_n, the size of C_i is at most t_i polylog t_i. The cost of evaluating FE.Dec(fsk_i, c_i) is therefore poly(n, d(n), t_i polylog t_i).

If t is the runtime of M on x, the index i at which the loop halts (because the evaluator obtained the value 1 for the bit b) is at most 1 + ⌈log t⌉. Therefore, the loop repeats at most 1 + ⌈log t⌉ times:

Runtime of TMFHE.Eval(EVK, c) = Σ_{i=1}^{1+⌈log t⌉} poly(n, d(n), t_i polylog t_i)

≤ (1 + ⌈log t⌉) · poly(n, d(n), t polylog t)

≤ poly(n, d(n), t polylog t) = poly(n, d(n), t),

where the last equality comes from adjusting the implicit polynomial in poly. Note that even though EVK consists of log t_max such keys fsk_i, TMFHE.Eval does not have to read all of EVK. □
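To make the input-specific cost of the loop in TMFHE.Eval (step 1 of the construction in Section 6) and the bound just derived concrete, here is an added Python model of that loop (example code written for this edited copy, not the report's construction or any implementation of it). The functional decryption FE.Dec(fsk_i, c_i) is replaced by running the machine in the clear for 2^i steps, which is exactly the bit the key for C_i reveals, and the homomorphic evaluation of D_i is omitted. The "machine" is a constructed toy (Collatz iteration with a one-bit output) chosen only because its runtime depends strongly on the input; the work counter charges t_i = 2^i per iteration, standing in for the t_i polylog t_i circuit size of Lemma C.2 with the polylog factor dropped.

```python
"""Model of the doubling loop in TMFHE.Eval (added example, not the report's code).

A toy one-bit-output machine with input-dependent runtime is run under the step
budgets 2^1, 2^2, ... in the same order in which the evaluator queries
FE.Dec(fsk_i, c_i) for i = 1, 2, ...; the homomorphic evaluation of D_i is not modelled.
"""
import math


def collatz_machine(x, budget):
    """Constructed toy machine M: iterate the Collatz map from the integer x and
    output the parity of the number of steps.  Runs for at most `budget` steps and
    returns (finished, output_bit, steps_used); output_bit is None if unfinished."""
    v, steps = x, 0
    while v != 1 and steps < budget:
        v = v // 2 if v % 2 == 0 else 3 * v + 1
        steps += 1
    finished = v == 1
    return finished, (steps % 2 if finished else None), steps


def runtime(machine, x, limit=1 << 20):
    """time(M, x): steps until the machine halts (limit guards against non-halting inputs)."""
    finished, _, steps = machine(x, limit)
    if not finished:
        raise ValueError("machine did not halt within the limit")
    return steps


def tmfhe_eval_loop(machine, x, tau):
    """Step 1 of TMFHE.Eval in the clear.  Iteration i asks whether M halts within
    t_i = 2^i steps (the bit b that FE.Dec(fsk_i, c_i) reveals); on b = 1 the real
    evaluator would homomorphically evaluate D_i, here we just return M's output.
    Returns (output, iterations, work), where work charges t_i per iteration."""
    work = 0
    for i in range(1, tau + 1):
        t_i = 2 ** i
        work += t_i
        finished, out, _ = machine(x, t_i)      # b <- FE.Dec(fsk_i, c_i)
        if finished:                            # b = 1: computation finished
            return out, i, work
    return None, tau, work                      # M exceeded t_max = 2^tau


def analyse(machine, x, tau):
    """Compare the loop's cost on x with the bounds from the proof of Lemma C.2."""
    t = runtime(machine, x)
    out, iters, work = tmfhe_eval_loop(machine, x, tau)
    return {
        "t": t,
        "output": out,
        "iterations": iters,
        "iteration_bound": 1 + math.ceil(math.log2(t)) if t > 0 else 1,
        "work": work,
        "worst_case_work": 2 ** tau,   # cost of always running for t_max steps
    }


def demo(tau=10):
    """Run a few constructed inputs; returns the per-input analysis."""
    return {x: analyse(collatz_machine, x, tau) for x in (2, 6, 27)}


if __name__ == "__main__":
    for x, r in demo().items():
        print(x, r)
```

For every input with runtime t ≥ 1 the loop stops at the first i with 2^i ≥ t, so it runs at most 1 + ⌈log t⌉ times and the charged work Σ 2^i is below 4t, whereas an evaluator that always ran for t_max = 2^τ steps would pay 2^τ on every input; the dictionary returned by demo shows both numbers side by side.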

Finally,  we  prove  security  of  the  scheme. 

Lemma C.3. The TMFHE protocol is runtime-CPA-secure.

Proof. To prove that our TMFHE construction is secure, we provide a simulator S, as in Def. C.2. The simulator S invokes the simulator of the functional encryption scheme, as in Def. 2.13, which we denote Sim_FE. The simulator S receives inputs M, 1^n, 1^t, EVK, and PK, and proceeds as follows:

1. Compute 0̂^n ← (FHE.Enc(hpk, 0), ..., FHE.Enc(hpk, 0)) (n times).

2. For each i ∈ [τ], compute the circuit T_n(2^i) and then C_i as before; we remind the reader that C_i, on input a TM M and a value x, outputs 1 if M finished within 2^i steps when running on input x, and 0 otherwise.

3. For each i such that 2^i < t:

(a) Call the simulator Sim_FE to simulate a computation result of 0, because M could not have finished its computation at step i. Specifically, compute c_i ← Sim_FE(fmpk_i, fsk_i, C_i, 0, 1^{n+|M|}).

4. For each i such that 2^i ≥ t:

(a) Call the simulator Sim_FE to simulate an answer of 1, because M finished its computation on the input (unknown to S). Thus, compute c_i ← Sim_FE(fmpk_i, fsk_i, C_i, 1, 1^{n+|M|}).

5. Output c = (0̂^n, c_1, ..., c_τ).

To  prove  that  S  satisfies  Def.  C.2,  we  use  three  hybrids: 

Hybrid 0: The ideal experiment with simulator S.

Hybrid 1: The same as Hybrid 0, but 0̂^n gets replaced with x̂ = (FHE.Enc(hpk, x_1), ..., FHE.Enc(hpk, x_n)).

Hybrid 2: The real experiment.

It is easy to see that the outcome of Hybrid 0 and the outcome of Hybrid 1 are computationally indistinguishable because FHE is semantically secure: the encryptions of 0^n in Hybrid 0 and the encryptions of x in Hybrid 1 are both generated with fresh randomness, and the secret key hsk (or any function of hsk other than a fresh encryption) is never released to any adversary.

Now let us look at Hybrid 1 and Hybrid 2. These are computationally indistinguishable based on a standard hybrid argument invoking the security of Sim_FE, as follows.
Multi-Input Functional Encryption

Shafi Goldwasser, Vipul Goyal, Abhishek Jain, Amit Sahai

Abstract

We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypted data which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted databases, non-interactive differentially private data release, delegation of computation, etc.

We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS'01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.
The simulator Sim_FE is called τ times. Let c'_i be the ciphertext output by the simulator for the i-th invocation in Hybrid 1, and let c_i be the ciphertext output in Hybrid 2 on the i-th invocation. It is enough to prove that the outcomes of these two experiments consisting of state_A and only one of the ciphertexts (i.e., c'_i or c_i) are computationally indistinguishable. The reason is that one can employ a standard hybrid argument consisting of τ + 1 sub-hybrids, the 0-th sub-hybrid being Hybrid 1 and the τ-th sub-hybrid being Hybrid 2, where any intermediate sub-hybrid i has the first i ciphertexts as in Hybrid 2 and the rest as in Hybrid 1. Such an argument is possible because τ is polynomial in the security parameter and each ciphertext is encrypted under an independently generated public key.

Therefore, all we need to argue is that the outcomes of Hybrid 1 and Hybrid 2 consisting of state_A and only c'_i (respectively c_i) are computationally indistinguishable. This follows directly because Sim_FE satisfies the FULL-SIM-secure functional encryption definition, Def. 2.13. □

The three lemmas above complete the proof of the theorem. □
1 Introduction

Traditionally, encryption has been used to secure a communication channel between a unique sender-receiver pair. In recent years, however, our networked world has opened up a large number of new usage scenarios for encryption. For example, a single piece of encrypted data, perhaps stored in an untrusted cloud, may need to be used in different ways by different users. To address this issue, the notion of functional encryption (FE) was developed in a sequence of works [SW05, GPSW06, BW07, KSW08, LOS+10, BSW11, O'N10]. In functional encryption, the owner of the master secret key MSK can create a secret key SK_f for any function f from a family ℱ. Given any ciphertext CT with underlying plaintext x, using SK_f a user can efficiently compute f(x). The security of FE requires that the adversary “does not learn anything” about x, other than the computation result f(x).

How to define “does not learn anything about” x is a fascinating question which has been addressed by a number of papers, with general formal definitions first appearing in [BSW11, O'N10]. The definitions range from requiring a strict simulation of the view of the adversary, which enlarges the range of applications but has been shown to necessitate either a secret key whose size grows with the number of ciphertexts that will ever be released [BSW11, BO13] or a ciphertext whose size grows with the number of functions for which secret keys will ever be released [AGVW13, CIJ+13], to an indistinguishability-of-ciphertexts requirement which supports the release of an unbounded number of function keys and ciphertexts.

Functional  encryption  seems  to  offer  the  perfect  non-interactive  solution  to  many  problems 
which  arise  in  the  context  of  delegating  services  to  outside  servers.  A  typical  example  is  the 
delegation  of  spam  filtering  to  an  outside  server  as  follows:  Alice  publishes  her  public  key 
online  and  gives  the  spam  filter  a  key  for  the  filtering  function;  users  sending  email  to  Alice 
will  encrypt  the  email  with  her  public  key.  The  spam  filter  can  now  determine  by  itself,  for 
each  email,  whether  to  pass  it  along  to  Alice’s  mailbox  or  to  deem  it  as  spam,  but  without 
ever  learning  anything  else  about  Alice’s  email.  This  example  inherently  requires  computing  a 
function  /  on  a  single  ciphertext. 

Multi-Input Functional Encryption. It is less clear, however, how to define or achieve functional encryption in the context of computing a function defined over multiple plaintexts given their corresponding ciphertexts, or further, given their ciphertexts each encrypted under a different key. Yet these settings, which we formalize as Multi-Input Functional Encryption (MI-FE), encompass a vast landscape of applications, going way beyond delegating computation to an untrusted server or cloud. Multi-input functional encryption is a very general tool for computing on encrypted data, which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption).

Let us begin by clarifying the setting of Multi-Input Functional Encryption: let f be an n-ary function where n > 1 can be a polynomial in the security parameter. In MI-FE, the owner of a master secret key MSK can derive special keys SK_f whose knowledge enables the computation of f(x_1, ..., x_n) from n ciphertexts CT_1, ..., CT_n of underlying messages x_1, ..., x_n with respect to the same master secret key MSK. We allow the different ciphertexts CT_i to each be encrypted under a different encryption key EK_i, to capture the setting in which each ciphertext was generated by an entirely different party.

Let us illustrate a few settings that show the applicability of MI-FE.

Example 1: Running SQL Queries on an Encrypted Database. Suppose we have an encrypted database. A natural goal in this scenario would be to allow a party Alice to perform a certain class of general SQL queries over this database (e.g., Alice may only be authorized to access records created on a certain date). If we use ordinary functional encryption, Alice would need to obtain a separate secret key for every possible valid SQL query, a potentially exponentially large set. Multi-input functional encryption allows us to address this problem in a flexible way. We highlight two aspects of how MI-FE can apply to this example:

• Let f be the function where f(Q, x) first checks if Q is a valid SQL query from the allowed class, and if so f(Q, x) is the output of the query Q on the database x. Now, if we give the secret key SK_f and the encryption key EK_1 to Alice, then Alice can choose a valid query Q and encrypt it under her encryption key EK_1 to obtain ciphertext CT_1. Then she could use her secret key SK_f on ciphertexts CT_1 and CT_2, where CT_2 is the encrypted database, to obtain the results of the SQL query.

• Furthermore, if the database is dynamic (rather than static), with individual entries being added, modified, or deleted, the most natural way to build such a database would be to have different ciphertexts for each entry in the database. In this case, for a database of size n, we could let f be an (n + 1)-ary function where f(Q, x_1, ..., x_n) is the result of a (valid) SQL query Q on the database (x_1, ..., x_n).

Example 2: Computing over an Encrypted Data Stream. Suppose ciphertexts correspond to a stream of encrypted phone calls (or video frames produced by surveillance cameras), produced separately by several different devices. Law enforcement agencies may require the ability to run algorithms which check the calls or videos for suspicious activities (these algorithms need to analyze sequences of calls or frames rather than individual calls/frames), in which case (and only in this case) court orders can be obtained to decrypt the phone calls (or videos) in their entirety. Here, the need is to compute a function f(p_1, ..., p_n) where p_i is the i-th phone call, encrypted to form the ciphertext c_i.

More generally, suppose ciphertexts c_1, ..., c_n correspond to a list of encrypted inputs to some algorithm, e.g., a list of edges x_1, ..., x_n in a graph for a routing algorithm f. Then we need to run the algorithm f(x_1, ..., x_n) across multiple ciphertexts. It is likely that this type of algorithm would be the rule rather than the exception in the context of algorithms run over large inputs.

Example 3: Non-Interactive Differentially Private Data Release. Suppose there are several hospitals, each of which holds a collection of individual blood samples. They would like to participate in clinical trials performed by various researchers. The hospitals cannot simply release the blood sample records because of various patient privacy laws. However, the hospitals are willing to allow a clinical study researcher to compute an aggregate function f over multiple samples x_i to learn y = f(x_1, ..., x_n), as long as f achieves a sufficient level of privacy.

While such a scenario is addressed by differential privacy [DMNS06], existing solutions require each hospital to interact with the researcher in every trial (potentially via a multi-party computation protocol when several hospitals are involved). Indeed, it is known that non-cryptographic methods for allowing the hospitals to non-interactively prepare their records in a way that would later allow for meaningful and diverse research studies must incur high accuracy loss [DNR+09].

Multi-input functional encryption can address this problem by having the hospitals encrypt the samples x_i to obtain ciphertexts CT_i, and publish all the ciphertexts. This step can be performed by the hospitals non-interactively before any research trial f is decided (in contrast to the standard differential-privacy setting, where f is decided upon first and then the "differentially private" information collection algorithm takes place). Later, a researcher who wishes to compute an algorithm f (that is guaranteed to provide sufficient privacy) would be given a secret key SK_f (potentially by a trusted agency such as the government) that she can use to obtain the output of her algorithm on the blood samples. In this manner, we can obtain high accuracy while still guaranteeing good (computational) privacy.

We remark that this example requires MI-FE to support randomized functionalities. Our positive results, discussed later, handle this case.

Example 4: Multi-client Delegation of Computation. In a multi-client delegation scheme [CKKC13], multiple weak clients C_1, ..., C_n wish to jointly delegate the computation of an n-ary function f on their inputs x_1, ..., x_n to a computationally powerful server. The efficiency requirement of a delegation scheme is that the computation of the clients should be independent of the size of f. From a security viewpoint, we require that a dishonest server should not be able to convince the (honest) clients of an incorrect output.

Multi-input functional encryption provides a natural solution to this problem, similar to how single-input functional encryption provides a solution for single-client delegation of computation [PRV12, GVW13, GGH+13b, GKP+13b, GGH+13a]. Details of this are provided in Section 1.1.3.

Our Goal. As these examples illustrate, extending the scope of functional encryption to address functions defined over multiple ciphertexts can be highly beneficial. In short, it could provide a non-interactive method to compute n-ary functions on encrypted inputs (possibly by different parties), analogously to interactive multi-party secure computations defined over multiple inputs held by n different parties.

Extending functional encryption to address the multi-input setting is the focus of this work.

1.1 This paper

This paper is dedicated to the study of multi-input functional encryption, starting with formalizations of security. We provide both feasibility results and negative results with respect to different definitions of security. Following the single-input setting, we consider two notions of security, namely, indistinguishability-based security (or IND security for short) and simulation-based security (or SIM security for short).

1.1.1 Indistinguishability-based Security

We start by considering the notion of indistinguishability-based security for functional encryption for n-ary functions. Informally speaking, in IND security for MI-FE, we consider a game between a judge and an adversary. First, the judge generates the master secret key MSK and n encryption keys {EK_1, ..., EK_n}, and gives to the adversary a subset of the encryption keys (chosen by the adversary). Then the adversary can request any number of secret keys SK_f for functions f of her choice. Next, the adversary declares two "challenge vectors" X^0 and X^1, where every X^b_i ∈ X^b is a set of plaintexts {x^b_{i,1}, ..., x^b_{i,n}}. The judge chooses a bit b at random, and for each j ∈ [n], the judge encrypts every element x^b_{i,j} of X^b_i (for every i) using the encryption key EK_j to obtain a tuple of "challenge ciphertexts" CT, which is given to the adversary. After this, the adversary can again request any number of secret keys SK_f for functions f of her choice. Finally, the adversary has to guess the bit b that the judge chose.

If the adversary has requested a secret key for any function f such that there exist splitting input vectors y^0 and y^1 that satisfy the following two properties:

1. For every j ∈ [n], either ∃ i such that y^b_j = x^b_{i,j} (i.e., y^b_j ∈ X^b_i), or the adversary has EK_j, and

2. f(y^0) ≠ f(y^1),

then the adversary loses the game, because the legitimate functionalities that she has access to already allow her to distinguish between the scenario where b = 0 and b = 1. If the adversary never queries a secret key for such a function but nevertheless guesses b correctly, we say that she wins. The IND security definition requires that the adversary's probability of winning be at most negligibly greater than 1/2.

This definition generalizes the indistinguishability-based definition of (single-input) functional encryption, which was historically the first security notion considered for functional encryption [SW05]. Informally speaking, this definition captures an information-theoretic flavor of security, where the adversary should not learn anything beyond what is information-theoretically revealed by the function outputs it can obtain.

With regards to IND-secure MI-FE, we obtain the following results:

IND-secure MI-FE from Indistinguishability Obfuscation. Assuming the existence of an indistinguishability obfuscator [BGI+01] for general circuits (the first candidate construction for the same was recently put forward by [GGH+13a]) and one-way functions, we provide a construction for IND-secure MI-FE for general circuits for any polynomial-size challenge vectors, with any subset of encryption keys given to the adversary. Furthermore, our construction remains secure when the adversary can obtain any unbounded polynomial number of secret keys SK_f. We prove the security in the selective model, where the adversary must begin by declaring the challenge vectors. By using complexity leveraging (and thereby assuming sub-exponentially secure indistinguishability obfuscation and sub-exponentially secure one-way functions), we can achieve full security in a standard manner.

Compact IND-secure MI-FE from Differing-Inputs Obfuscation. Our first construction only supports challenge vectors with an a priori fixed (polynomial) size q. In particular, the size of the encryption keys and ciphertexts in the scheme grows with q. Towards this end, assuming the existence of the stronger notion of differing-inputs obfuscation [BGI+01] and one-way functions, we provide a second construction for IND-secure MI-FE with "compact" keys and ciphertexts, i.e., the size of the keys and ciphertexts in the scheme is independent of q. Further, we directly prove full security of our scheme against adversaries that know any subset of encryption keys and an unbounded polynomial number of secret keys SK_f.

IND-secure MI-FE implies Indistinguishability Obfuscation. Finally, we show that the existence of IND-secure MI-FE for general circuits implies the existence of an indistinguishability obfuscator for general circuits, even when:

1. The MI-FE scheme is only secure against adversaries that can obtain a single secret key.

2. The adversary does not know any encryption keys, i.e., the MI-FE scheme is a secret-key scheme.

This stands in stark contrast to the single-input setting, where [SS10] showed how to obtain single-key secure (single-input) functional encryption for all circuits, under only the assumption that public-key encryption exists. Indeed, further research in single-key security for functional encryption has largely focused on efficiency issues [GKP+13b, GKP+13a], such as succinctness of ciphertexts, that enable new applications. In the setting of multi-input security, in contrast, even single-key security must rely on the existence of indistinguishability obfuscation.


1.1.2 Simulation-based security

In simulation-based security, informally speaking, we require that every adversary can be simulated using only oracle access to the functions f for which the adversary obtains secret keys, even when it can obtain a set of "challenge" ciphertexts corresponding to unknown plaintexts, about which the simulator can only learn information by querying the function f at these unknown plaintexts. We highlight two natural settings for the study of SIM-secure MI-FE: (1) the setting where an adversary has access to an encryption key (analogous to the public-key setting), and (2) the setting where the adversary does not have access to any encryption keys (analogous to the secret-key setting). The security guarantees which are achievable in these settings will be vastly different, as illustrated below.

Several works [BSW11, AGVW13, BO13, CIJ+13] have shown limitations on the parameters with respect to which SIM security can be achieved for single-input functional encryption. For multi-input functional encryption, due to the connection to obfuscation discussed above, the situation for SIM security is more problematic. We provide the following results for SIM-secure MI-FE:

SIM-secure MI-FE implies Virtual Black-Box Obfuscation. We first show that SIM-secure MI-FE implies virtual black-box (VBB) obfuscation in various settings. Specifically, we show:

1. If there exists a secret-key MI-FE scheme for general circuits that achieves SIM security against adversaries that request: (a) a single key for a general function f, and (b) a set of challenge ciphertexts that can (informally speaking) form a super-polynomial number of potential inputs to f, then VBB obfuscation must be possible for general circuits.

2. If there exists an MI-FE scheme for 2-ary functions that achieves SIM security against adversaries that request: (a) a single key for a 2-ary function, and (b) one of the two encryption keys and one challenge ciphertext, then VBB obfuscation must be possible for general circuits.

Since VBB obfuscation is known to be impossible for general circuits [BGI+01], this yields impossibility results for SIM-secure MI-FE beyond those known in the single-input setting. See Section 6 for details.

SIM-secure Secret-Key MI-FE against Unbounded Collusions. In light of these negative results, the only hope for obtaining a positive result lies in a situation where: (a) no encryption keys are given to the adversary, and (b) the challenge ciphertexts given to the adversary can only form a polynomial number of potential inputs to valid functions.

Towards this end, assuming one-way functions and indistinguishability obfuscation, for any fixed polynomial bound q on the size of challenge plaintexts, we give a construction for SIM-secure secret-key MI-FE for general circuits against adversaries that can obtain an unbounded polynomial number of secret keys SK_f after obtaining the challenge ciphertexts. The size of the encryption keys and ciphertexts in this scheme grows with q.

We also provide another construction, based on one-way functions and differing-inputs obfuscation, that achieves the same security guarantees as above. The encryption keys and ciphertexts in this scheme are "compact", i.e., their sizes are independent of q.

1.1.3 Extensions and Applications

MI-FE for Randomized Functions. Very recently, Goyal et al. [GJKS13] first studied the question of constructing single-input functional encryption schemes for randomized functionalities. By building on their techniques, we show how to extend our positive results to handle general n-ary randomized functionalities. In particular, this allows us to obtain a non-interactive computationally differentially private mechanism, as discussed earlier.

MI-FE for Turing Machines. The problem of single-input functional encryption for Turing machines was first studied by Goldwasser et al. [GKP+13a]. Very recently, Boyle et al. [BCP13] and Ananth et al. [ABG+13] provide constructions of single-input functional encryption for Turing machines against an unbounded polynomial number of key queries. We observe that their techniques can be leveraged to extend our results to MI-FE for Turing machines, thereby achieving input-specific running times. The resulting construction would inherit from these works the underlying assumptions of differing-inputs obfuscation, succinct non-interactive arguments of knowledge (SNARKs) [BCCT12], fully-homomorphic encryption [Gen09] and collision-resistant hash functions. We omit the details from this manuscript and refer the reader to
Hierarchical MI-FE. The notion of hierarchical identity-based and attribute-based encryption is well studied in the literature (see, e.g., [GS02, BW06, LOS+10]). In the context of (single-input) functional encryption, this problem is stated as follows: we require that the owner of a secret key SK_f can derive new keys corresponding to any function g that can be defined as a composition of f' on f (i.e., g = f' ∘ f) for some function f'.

Recently, [ABG+13] observed that the construction of [GGH+13a] is already flexible enough to yield a hierarchical (single-input) functional encryption scheme. We note that the same ideas carry over to our constructions of MI-FE. We refer the reader to [ABG+13] for details.

Multi-Client Delegation of Computation. Here we briefly discuss how an MI-FE scheme provides a solution for multi-client delegation of computation. We follow the approach of Parno et al. [PRV12], adapted to the multi-client setting. Given an MI-FE scheme, the clients first participate in a pre-processing phase where they jointly compute two pairs of master secret and encryption keys (MSK_1, EK_1), (MSK_2, EK_2) and random values (r_1, r_2). Let f be the function that the clients wish to delegate. The clients use MSK_1 to compute a secret key SK_g for a function g that takes as input n tuples (x_1, r), ..., (x_n, r) and outputs r if f(x_1, ..., x_n) = 1. Similarly, the clients use MSK_2 to compute a secret key SK_{g'} for the function g' that is the same as g except that it outputs r if f(x_1, ..., x_n) = 0. While these are computationally expensive operations, note that this phase is executed only once. The keys SK_g and SK_{g'} are sent over to the worker.

Later, in an "online" phase, when the clients wish to compute f on a set of inputs x_1, ..., x_n, each client C_i sends over an encryption of (x_i, r_1) under key MPK_1 and of (x_i, r_2) under MPK_2 to the worker. Now, from the properties of the MI-FE scheme, it follows that if f(x_1, ..., x_n) = 1, then the server would obtain r_1 using SK_g and ⊥ using SK_{g'}, and no information about r_2 (and vice-versa, if f(x_1, ..., x_n) = 0). Thus, r_1 provides a proof of the fact that the function output is 1.¹

The main advantage of this approach is that the online phase is non-interactive: each client can execute the online phase independently of the other clients, without any interaction.
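The two-phase protocol just described (and Example 4 above), written out as an added Python illustration that is not part of the paper. The MI-FE scheme itself is stood in for by `IdealMIFE`, a trusted functionality of my own that holds the plaintexts and releases only g(x_1, ..., x_n) for functions it issued keys for; this is a modelling device chosen to show the message flow and the client-side check, not a construction from the paper. All class and function names are mine.

```python
import secrets
from typing import Callable, Dict, List, Tuple


class IdealMIFE:
    """Stand-in for one MI-FE instance (assumption: a trusted party).

    Ciphertexts are opaque handles; FE.Dec releases only g(x_1, ..., x_n) for
    a function g that keygen was asked for, on ciphertexts filling slots 1..n.
    """

    def __init__(self, n: int):
        self.n = n
        self._plain: Dict[str, Tuple[int, object]] = {}  # ct handle -> (slot, x)
        self._keys: Dict[str, Callable] = {}             # sk handle -> g

    def setup(self):
        return list(range(1, self.n + 1)), secrets.token_hex(8)  # (EK_1..EK_n, MSK)

    def enc(self, ek: int, x):
        ct = secrets.token_hex(8)
        self._plain[ct] = (ek, x)
        return ct

    def keygen(self, msk: str, g: Callable):
        sk = secrets.token_hex(8)
        self._keys[sk] = g
        return sk

    def dec(self, sk: str, cts: List[str]):
        slots = [self._plain[ct] for ct in cts]
        if [s for s, _ in slots] != list(range(1, self.n + 1)):
            raise ValueError("ciphertexts must fill slots 1..n in order")
        return self._keys[sk](*[x for _, x in slots])


def make_g(f: Callable, want: int):
    """g takes n tuples (x_i, r) and outputs r iff every tuple carries the same r
    and f(x_1, ..., x_n) == want; otherwise it outputs None (bottom)."""
    def g(*tuples):
        xs = [x for x, _ in tuples]
        tags = {r for _, r in tuples}
        return tags.pop() if len(tags) == 1 and f(*xs) == want else None
    return g


class Clients:
    """State the n clients share after the one-time pre-processing phase."""

    def __init__(self, n: int, f: Callable):
        self.n, self.f = n, f
        self.fe1, self.fe2 = IdealMIFE(n), IdealMIFE(n)

    def preprocess(self):
        self.eks1, msk1 = self.fe1.setup()
        self.eks2, msk2 = self.fe2.setup()
        self.r1, self.r2 = secrets.token_hex(16), secrets.token_hex(16)
        sk_g = self.fe1.keygen(msk1, make_g(self.f, 1))   # releases r_1 iff f(x) = 1
        sk_g2 = self.fe2.keygen(msk2, make_g(self.f, 0))  # releases r_2 iff f(x) = 0
        return sk_g, sk_g2                                 # shipped to the worker

    def online(self, i: int, x_i):
        """Client i's message; it needs no interaction with the other clients."""
        return (self.fe1.enc(self.eks1[i - 1], (x_i, self.r1)),
                self.fe2.enc(self.eks2[i - 1], (x_i, self.r2)))

    def verify(self, proof):
        """Accept 1 on r_1, accept 0 on r_2, reject anything else."""
        if proof == self.r1:
            return 1
        if proof == self.r2:
            return 0
        return None


def worker(fe1, fe2, sk_g, sk_g2, messages):
    """The untrusted server can only produce whichever token its keys release."""
    proof = fe1.dec(sk_g, [m[0] for m in messages])
    return proof if proof is not None else fe2.dec(sk_g2, [m[1] for m in messages])


def run_delegation(f: Callable, xs):
    """Returns (verified output bit, whether a random forged proof is rejected)."""
    c = Clients(len(xs), f)
    sk_g, sk_g2 = c.preprocess()
    msgs = [c.online(i + 1, x) for i, x in enumerate(xs)]
    proof = worker(c.fe1, c.fe2, sk_g, sk_g2, msgs)
    return c.verify(proof), c.verify(secrets.token_hex(16)) is None


if __name__ == "__main__":
    AND = lambda *bits: int(all(bits))
    print(run_delegation(AND, (1, 1, 1)))  # (1, True)
    print(run_delegation(AND, (1, 0, 1)))  # (0, True)
```

The check in `verify` is the whole of the clients' online work: it is a comparison against two tokens fixed in pre-processing, independent of the size of f, which is the efficiency requirement stated for Example 4.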

1.1.4 Our Techniques

We have several results in this work, but to provide a flavor of the kind of difficulties that arise in the MI-FE setting, we now discuss some of the issues that we deal with in the context of our positive result for IND-secure MI-FE. (We note that similar issues arise in our positive results for SIM-secure MI-FE.)

The starting point for our construction and analysis is the recent single-input functional encryption scheme for general circuits based on indistinguishability obfuscation due to [GGH+13a]. However, the central issue that we must deal with is one that does not arise in their context. Recall that in the indistinguishability security game, the adversary is allowed to get secret keys for any function f, as long as this function does not "split" the challenge vectors X^0 and X^1. That is, as long as it is not the case that there exist vectors of plaintexts x^0 and x^1, where for every i ∈ [n] either there exists j such that x^b_i = x^b_{j,i} (the i-th entry of some challenge set X^b_j) or the adversary has EK_i, such that f(x^0) ≠ f(x^1). A crucial point here is what happens for an index i where the adversary does not have EK_i. Let us consider an example with a 3-ary function, where the adversary has EK_1, but neither EK_2 nor EK_3.

Suppose the challenge ciphertexts (CT_1, CT_2, CT_3) are encryptions of either (y^0_1, y^0_2, y^0_3) or (y^1_1, y^1_2, y^1_3). Now, any function f that the adversary queries is required to be such that f(·, y^0_2, y^0_3) = f(·, y^1_2, y^1_3) and f(y^0_1, y^0_2, y^0_3) = f(y^1_1, y^1_2, y^1_3). However, there may exist an input plaintext (say) z such that f(y^0_1, y^0_2, z) ≠ f(y^1_1, y^1_2, z). This is not "supposed" to be a problem, because the adversary does not have EK_3, and therefore it cannot actually query f with z as its third argument.

¹ We note that this solution easily extends to functions with multi-bit outputs. See [PRV12] for details.
However, in the obfuscation-based approach to functional encryption of [GGH+13a] that we build on, the secret key for f is essentially built on top of an obfuscation of f. Let CT* denote an encryption of z w.r.t. EK_3. Then, informally speaking, in one of our hybrid experiments, we will need to move from an obfuscation that on input (CT_1, CT_2, CT*) would yield the output f(y^0_1, y^0_2, z) to another obfuscation that on the same input would yield the output f(y^1_1, y^1_2, z). Again, while an adversary may not be able to explicitly perform such a decryption query, since we are building upon indistinguishability obfuscation, which only guarantees that obfuscations of circuits that implement identical functions are indistinguishable, such a hybrid change would not be indistinguishable: we know that f(y^0_1, y^0_2, z) ≠ f(y^1_1, y^1_2, z), so the two circuits are not identical. (We remark that we must address this issue even when using differing-inputs obfuscation in order to obtain a formal contradiction.)
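To make the "splitting" condition of Section 1.1.1 and the 3-ary obstacle above concrete, here is an added Python checker (my own code, not from the paper) that, for a small finite plaintext domain, enumerates the input pairs (y^0_j, y^1_j) an adversary can realise in each slot and decides whether a key query for f is admissible. It follows my reading of condition 1: in a slot whose encryption key the adversary holds, it can also encrypt any z itself, and that z is then the same in both worlds. The second routine finds exactly the situation the paragraph describes: a slot whose key the adversary lacks and a z for which the two hybrid circuits differ even though the query is admissible. All names and the toy instance are constructed.

```python
from itertools import product


def slot_pairs(j, X0, X1, adv_eks, domain):
    """Pairs (y^0_j, y^1_j) realisable in slot j: the j-th entry of some
    challenge row, plus, if the adversary holds EK_j, any z it encrypts itself."""
    pairs = [(x0[j], x1[j]) for x0, x1 in zip(X0, X1)]
    if j in adv_eks:
        pairs += [(z, z) for z in domain]
    return pairs


def find_splitting_vectors(f, n, X0, X1, adv_eks, domain):
    """Return (y^0, y^1) with f(y^0) != f(y^1) built from realisable pairs,
    or None when the key query for f is admissible (does not split X^0, X^1)."""
    per_slot = [slot_pairs(j, X0, X1, adv_eks, domain) for j in range(n)]
    for choice in product(*per_slot):
        y0 = tuple(p[0] for p in choice)
        y1 = tuple(p[1] for p in choice)
        if f(*y0) != f(*y1):
            return y0, y1
    return None


def key_query_allowed(f, n, X0, X1, adv_eks, domain):
    return find_splitting_vectors(f, n, X0, X1, adv_eks, domain) is None


def hidden_slot_disagreement(f, n, X0, X1, adv_eks, domain):
    """The hybrid obstacle: a slot j whose key the adversary lacks and a z such
    that replacing the j-th challenge plaintext by z in both worlds changes f.
    Returns (j, z, y^0, y^1) or None. Slots are 0-based here."""
    for j in range(n):
        if j in adv_eks:
            continue
        for x0, x1 in zip(X0, X1):
            for z in domain:
                y0 = x0[:j] + (z,) + x0[j + 1:]
                y1 = x1[:j] + (z,) + x1[j + 1:]
                if f(*y0) != f(*y1):
                    return j, z, y0, y1
    return None


# Constructed toy instance of the 3-ary example: one challenge row per world,
# a one-bit domain, and an adversary holding EK_1 only (slot index 0).
DOMAIN = (0, 1)
X0 = [(0, 0, 0)]   # (y^0_1, y^0_2, y^0_3)
X1 = [(1, 1, 1)]   # (y^1_1, y^1_2, y^1_3)
ADV_EKS = {0}


def f_xor23(a, b, c):
    """Admissible: ignores the slot the adversary controls, and y_2 ^ y_3 is 0 in
    both worlds. Still, f(y^0_1, y^0_2, z) != f(y^1_1, y^1_2, z) for z = 0."""
    return b ^ c


def f_first(a, b, c):
    """Not admissible: the challenge ciphertext CT_1 alone already separates
    the two worlds through f."""
    return a


if __name__ == "__main__":
    print(key_query_allowed(f_xor23, 3, X0, X1, ADV_EKS, DOMAIN))        # True
    print(find_splitting_vectors(f_first, 3, X0, X1, ADV_EKS, DOMAIN))   # ((0,0,0),(1,1,1))
    print(hidden_slot_disagreement(f_xor23, 3, X0, X1, ADV_EKS, DOMAIN))  # (1, 0, ...)
```

Giving the adversary EK_2 as well turns the same f_xor23 query into a splitting one, since it can then realise (0, 0) or (1, 1) in slot 2 against (0, 1) in slot 3; the checker reports this, which is the sense in which the set of keys the adversary holds decides which functions the definition lets it query.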

Solving this problem is the core technical aspect of our constructions and their analysis. At a very high level, we address this problem by introducing a new "flag" value that can change the nature of the function f that we are obfuscating to "disable" all plaintexts except for the ones that are in the challenge vectors. We describe the details and our analysis in Section 4.


1.2 Related Works

Single-input Functional Encryption. The notion of (single-input) functional encryption was developed in a sequence of works [SW05, GPSW06, BW07, KSW08, LOS+10, BSW11, O'N10]. For general functions, [SS10] first showed how to obtain single-key SIM-secure FE based on standard public-key encryption. Gorbunov et al. [GVW12] showed how to obtain SIM-secure FE for general circuits for a polynomially bounded number of (non-adaptive) key queries, based on public-key encryption and pseudorandom generators in NC1. Goldwasser et al. [GKP+13b] improved this result to obtain constructions with "compact" ciphertexts based on the sub-exponential learning with errors assumption. Garg et al. [GGH+13a] construct an IND-secure FE scheme based on indistinguishability obfuscation and one-way functions that supports an unbounded polynomial number of ciphertexts and key queries. Combining their result with [CIJ+13], one can obtain SIM-secure FE for general circuits supporting an unbounded number of (adaptive) key queries.

Goldwasser et al. [GKP+13a] give a construction of an FE scheme for Turing machines based on extractable witness encryption [GGSW13] and SNARKs [BCCT12]. Recently, the works of Boyle et al. [BCP13] and Ananth et al. [ABG+13] provide constructions of functional encryption for Turing machines, supporting an unbounded number of key queries. Both of these results rely on the notion of differing-inputs obfuscation, introduced by Barak et al. [BGI+01] (and some other assumptions; see Section 1.1.3). We note that our usage of differing-inputs obfuscation is very similar to [BCP13, ABG+13].

Order-Preserving Encryption. The notion of order-preserving encryption was introduced by Boldyreva et al. [BCLO09]. Very roughly, in an order-preserving encryption scheme, for any two plaintexts x_1 and x_2 such that x_1 > x_2, the encryptions of x_1 and x_2 must also satisfy the same order relationship. Thus, given two ciphertexts CT_1 and CT_2, one can simply compare them to (publicly) determine the order relationship between their underlying plaintexts.

Positive results for order-preserving encryption were given by [BCLO09, BCO11]. These results, however, achieve very weak security guarantees (in particular, they show that an order-preserving encryption scheme cannot achieve IND security). We note that one can cast the problem of computing order relationships between (encrypted) plaintexts as multi-input functional encryption for the comparison functionality. Specifically, instead of requiring that ciphertexts obey the same order relationship as their underlying plaintexts, we can now release secret keys to enable the computation of the order relationship between encrypted plaintexts. This allows us to achieve IND security as well as SIM security, both of which provide much stronger guarantees than [BCLO09, BCO11]. Indeed, achieving stronger security guarantees in this context was left as an open problem by [BCLO09, BCO11].

Property-Preserving Encryption. Recently, Pandey and Rouselakis [PR12] studied the problem of property-preserving encryption as a generalization of order-preserving encryption. As above, we note that this problem can be viewed as multi-input functional encryption, where the function family is determined by the class of properties that one wishes to support. Again, we note that the security definitions considered in [PR12] are weaker than what we consider in this work. In particular, this is because we do not require the ciphertexts to satisfy the same property as their underlying plaintexts; instead, in our setting, given a secret key SK_f for a property f, one can test f on the plaintexts via a joint decryption of the corresponding ciphertexts.

1.3 Organization

The rest of this paper is organized as follows. We start by presenting our definitions for multi-input functional encryption in Section 2. Next, in Section 3, we recall the definitions for various cryptographic primitives used in our constructions. We then present our constructions for multi-input functional encryption in Section 4 and Section 5. In Section 6, we show how to construct general obfuscation from multi-input functional encryption and also provide impossibility results for SIM-secure MI-FE. Finally, we discuss how to extend our positive results to handle randomized functionalities in Section 7.

2 Multi-Input Functional Encryption

In this work, we study functional encryption for n-ary functions, where n > 1 (and in general, a polynomial in the security parameter). In other words, we are interested in encryption schemes where the owner of a "master" secret key can generate special keys SK_f that allow the computation of f(x_1, ..., x_n) from n ciphertexts CT_1, ..., CT_n corresponding to messages x_1, ..., x_n, respectively. We refer to such an encryption scheme as multi-input functional encryption. Analogously, we will refer to the existing notion of functional encryption (that only considers single-ary functions) as single-input functional encryption.

Intuitively, while single-input functional encryption can be viewed as a specific (non-interactive) way of performing two-party computation, our setting of multi-input functional encryption captures multiparty computation. Going forward with this analogy, we are interested in modeling the general scenario where the n input ciphertexts are computed by n different parties. This raises the following two important questions:

1. Do the parties (i.e., the encryptors) share the same encryption key, or do they use different encryption keys EK_i to compute the input ciphertexts CT_i?

2. Are the encryption keys secret or public?

As we shall see, these questions have an important bearing on the security guarantees that can be achieved for multi-input functional encryption.

Towards that end, we present a general, unified syntax and security definitions for multi-input functional encryption. We consider encryption systems with n encryption keys, some of which may be public, while the rest are secret. When all of the encryption keys are public, this represents the "public-key" setting, while when all the encryption keys are secret, this represents the "secret-key" setting. Looking ahead, we remark that our modeling allows us to capture the intermediary cases between these two extremes, which are interesting from the viewpoint of the security guarantees possible.

The rest of this section is organized as follows. We first present the syntax and correctness requirements for multi-input FE in Section 2.1. Then, in Section 2.2, we present our security definitions for multi-input FE.


2.1 Syntax

Throughout the paper, we denote the security parameter by k. Let 𝒳 = {X_k}_{k∈ℕ} and 𝒴 = {Y_k}_{k∈ℕ} be ensembles where each X_k and Y_k is a finite set. Let ℱ = {F_k}_{k∈ℕ} be an ensemble where each F_k is a finite collection of n-ary functions. Each function f ∈ F_k takes as input n strings x_1, ..., x_n, where each x_i ∈ X_k, and outputs f(x_1, ..., x_n) ∈ Y_k.

A multi-input functional encryption scheme ℱℰ for ℱ consists of four algorithms (FE.Setup, FE.Enc, FE.Keygen, FE.Dec) described below.

• Setup FE.Setup(1^k, n) is a PPT algorithm that takes as input the security parameter k and the function arity n. It outputs n encryption keys EK_1, ..., EK_n and a master secret key MSK.

• Encryption FE.Enc(EK, x) is a PPT algorithm that takes as input an encryption key EK_i ∈ {EK_1, ..., EK_n} and an input message x ∈ X_k and outputs a ciphertext CT.

In the case where all of the encryption keys EK_i are the same, we assume that each ciphertext CT has an associated label i to denote that the encrypted plaintext constitutes an i-th input to a function f ∈ F_k. For convenience of notation, we omit the labels from the explicit description of the ciphertexts. In particular, note that when the EK_i's are distinct, the index i of the encryption key EK_i used to compute CT implicitly denotes that the plaintext encrypted in CT constitutes an i-th input to f, and thus no explicit label is necessary.

• Key Generation FE.Keygen(MSK, f) is a PPT algorithm that takes as input the master secret key MSK and an n-ary function f ∈ F_k and outputs a corresponding secret key SK_f.

• Decryption FE.Dec(SK_f, CT_1, ..., CT_n) is a deterministic algorithm that takes as input a secret key SK_f and n ciphertexts CT_1, ..., CT_n and outputs a string y ∈ Y_k.

Definition 1 (Correctness). A multi-input functional encryption scheme $\mathcal{FE}$ for $\mathcal{F}$ is correct if for all $f \in \mathcal{F}_k$ and all $(x_1, \ldots, x_n) \in \mathcal{X}_k$:

$$\Pr\left[\begin{array}{l} (\mathsf{EK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^k);\ \mathsf{SK}_f \leftarrow \mathsf{FE.Keygen}(\mathsf{MSK}, f); \\ \mathsf{FE.Dec}\big(\mathsf{SK}_f, \mathsf{FE.Enc}(\mathsf{EK}_1, x_1), \ldots, \mathsf{FE.Enc}(\mathsf{EK}_n, x_n)\big) \neq f(x_1, \ldots, x_n) \end{array}\right] = \mathrm{negl}(k)$$

where the probability is taken over the coins of $\mathsf{FE.Setup}$, $\mathsf{FE.Keygen}$ and $\mathsf{FE.Enc}$.


2.2  Security  for  Multi-Input  Functional  Encryption 

We now present our security definitions for multi-input functional encryption. Following the literature on single-input FE, we consider two notions of security, namely, indistinguishability-based security (or IND-security, in short) and simulation-based security (or SIM-security, in short).

Notation. We start by introducing some notation that is used in our security definitions. Let $N$ denote the set of positive integers $\{1, \ldots, n\}$ where $n$ denotes the arity of functions. For any two sets $S = \{s_1, \ldots, s_{|S|}\}$ and $I = \{i_1, \ldots, i_{|I|}\}$ such that $|I| \le |S|$, we let $S_I$ denote the subset $\{s_i\}_{i \in I}$ of the set $S$. Throughout the text, we use the vector and set notation interchangeably, as per convenience. For simplicity of notation, we omit explicit reference to auxiliary input to the adversary from our definitions.
2.2.1  Indistinguishability-based  Security 

Here  we  present  an  indistinguishability-based  security  definition  for  multi-input  FE. 

Intuition.  We  start  by  giving  an  overview  of  the  main  ideas  behind  our  indistinguishability- 
based  security  definition.  To  convey  the  core  ideas,  it  suffices  to  consider  the  case  of  2-ary 
functions.  We  will  assume  familiarity  with  the  security  definitions  for  single-input  FE. 

Let us start by considering the natural extension of public-key single-input FE to the two-input setting. That is, suppose there are two public encryption keys $\mathsf{EK}_1, \mathsf{EK}_2$ that are used to create ciphertexts of first inputs and second inputs, respectively, for 2-ary functions. Let us investigate what security can be achieved for one pair of challenge message tuples $(x^0_1, x^0_2)$, $(x^1_1, x^1_2)$ for the simplified case where the adversary makes secret key queries after receiving the challenge ciphertexts.

Suppose that the adversary queries secret keys for functions $\{f\}$. Now, recall that the IND-security definition in the single-input case guarantees that an adversary cannot differentiate between encryptions of $x^0$ and $x^1$ as long as $f(x^0) = f(x^1)$ for every $f \in \{f\}$. We note, however, that an analogous security guarantee cannot be achieved in the multi-input setting. That is, restricting the functions $\{f\}$ to be such that $f(x^0_1, x^0_2) = f(x^1_1, x^1_2)$ is not enough since an adversary who knows both the encryption keys can create its own ciphertexts w.r.t. each encryption key. Then, by using the secret key corresponding to function $f$, it can learn additional values $\{f(x^b_1, \cdot)\}$ and $\{f(\cdot, x^b_2)\}$, where $b$ is the challenge bit. In particular, if, for example, there exists an input $x^*$ such that $f(x^0_1, x^*) \neq f(x^1_1, x^*)$, then the adversary can learn the challenge bit $b$! Therefore, we must enforce additional restrictions on the query functions $f$. Specifically, we must require that $f(x^0_1, x') = f(x^1_1, x')$ for every input $x'$ in the domain (and similarly $f(x', x^0_2) = f(x', x^1_2)$). Note that this restriction “grows” with the arity $n$ of the functions.

Let us now consider the secret-key case, where all the encryption keys are secret. In this case, for the above example, it suffices to require that $f(x^0_1, x^0_2) = f(x^1_1, x^1_2)$ since the adversary cannot create its own ciphertexts. Observe, however, that when there are multiple challenge messages, then an adversary can learn function evaluations over different “combinations” of challenge messages. In particular, if there are $q$ challenge messages per encryption key, then the adversary can learn $q^2$ output values for every $f$. Then, we must enforce that for every $i \in [q^2]$, the $i$'th output value $y^0_i$ when challenge bit $b = 0$ is equal to the output value $y^1_i$ when the challenge bit $b = 1$.

The  security  guarantees  in  the  public-key  and  the  secret-key  settings  as  discussed  above  are 
vastly  different.  In  general,  we  observe  that  the  more  the  number  of  encryption  keys  that  are 
public,  the  smaller  the  class  of  functions  that  can  be  supported  by  the  definition.  Below,  we 
present  a  unified  definition  that  simultaneously  captures  the  extreme  cases  of  public-key  and 
secret-key  settings  as  well  as  all  the  “in  between”  cases. 


Compatible Functions and Input Plaintexts. To facilitate the presentation of our IND security definition, we first introduce the following notion:

Definition 2 ($I$-Compatibility). Let $\{f\}$ be any set of functions $f \in \mathcal{F}_k$. Let $N = \{1, \ldots, n\}$ and $I \subseteq N$. Let $X^0$ and $X^1$ be a pair of input vectors, where $X^b = \{x^b_{1,j}, \ldots, x^b_{n,j}\}_{j=1}^{q}$. We say that $\{f\}$ and $(X^0, X^1)$ are $I$-compatible if they satisfy the following property:

• For every $f \in \{f\}$, every $I' = \{i'_1, \ldots, i'_t\} \subseteq I \cup \emptyset$, every $j_1, \ldots, j_{n-t} \in [q]$, and every $x'_{i'_1}, \ldots, x'_{i'_t} \in \mathcal{X}_k$,

$$f\big(\langle x^0_{i_1, j_1}, \ldots, x^0_{i_{n-t}, j_{n-t}}, x'_{i'_1}, \ldots, x'_{i'_t} \rangle\big) = f\big(\langle x^1_{i_1, j_1}, \ldots, x^1_{i_{n-t}, j_{n-t}}, x'_{i'_1}, \ldots, x'_{i'_t} \rangle\big)$$

where $\langle y_{i_1}, \ldots, y_{i_n} \rangle$ denotes a permutation of the values $y_{i_1}, \ldots, y_{i_n}$ such that the value $y_{i_j}$ is mapped to the $t$'th location if $y_{i_j}$ is the $t$'th input (out of $n$ inputs) to $f$.
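The condition in Definition 2 is easiest to see by enumerating it. The following Python is an added illustration, not code from the paper: it brute-forces $I$-compatibility over a small finite domain, with function slots numbered from 0 rather than 1 and $I$ given as the set of slots whose encryption keys the adversary knows. The sample functions `f_sum`, `f_thresh` and the challenge vectors in `demo` are constructed for the example; they reproduce the two observations above, that a function can be admissible in the secret-key setting yet inadmissible once one encryption key is public, and that with $q$ challenge messages per key every one of the $q^n$ cross-combinations is checked.

```python
from itertools import combinations, product


def i_compatible(funcs, X0, X1, I, domain):
    """Brute-force check of I-compatibility (Definition 2) over a finite plaintext domain.

    funcs  : list of n-ary Python callables (the key-query set {f})
    X0, X1 : challenge vectors, X[i][j] = x^b_{i,j}  (slot i in 0..n-1, query j in 0..q-1)
    I      : set of slots (0-based) whose encryption keys the adversary knows, so t = |I|
    domain : every plaintext in X_k (must be small enough to enumerate)

    Returns (True, None) if compatible, else (False, counterexample) where the
    counterexample is (function name, b=0 input vector, b=1 input vector).
    """
    n = len(X0)
    q = len(X0[0])
    known = sorted(I)
    for f in funcs:
        # I' ranges over every subset of the known-key slots, including the empty set:
        # those slots are filled with adversary-chosen plaintexts x'; all other slots
        # (even ones whose key is known) take a challenge plaintext picked by an index j.
        for p in range(len(known) + 1):
            for i_prime in combinations(known, p):
                free = [i for i in range(n) if i not in i_prime]
                for js in product(range(q), repeat=len(free)):
                    for xs in product(domain, repeat=p):
                        v0, v1 = [None] * n, [None] * n
                        for slot, j in zip(free, js):
                            v0[slot], v1[slot] = X0[slot][j], X1[slot][j]
                        for slot, x in zip(i_prime, xs):
                            v0[slot] = v1[slot] = x   # the same x' on both sides
                        if f(*v0) != f(*v1):
                            return False, (f.__name__, tuple(v0), tuple(v1))
    return True, None


# Constructed sample functions over the domain {0, ..., 4}.
def f_sum(a, b):
    return a + b


def f_thresh(a, b):
    # Insensitive to whether its first input is 1 or 2, so swapping those is invisible.
    return int(a >= 3) + b


DOMAIN = range(5)


def demo():
    """Runs the cases discussed in the text; returns the list of verdicts."""
    results = []
    # 2-ary, q = 1: the two challenge inputs are swapped.  Secret-key setting (I empty):
    # fine, since f_sum(1, 2) = f_sum(2, 1).  Second key public (I = {1}): the adversary
    # pairs the first challenge ciphertext with its own x', and f_sum(1, x') != f_sum(2, x').
    results.append(i_compatible([f_sum], [[1], [2]], [[2], [1]], set(), DOMAIN))
    results.append(i_compatible([f_sum], [[1], [2]], [[2], [1]], {1}, DOMAIN))
    # A function that hides the difference even when both keys are public.
    results.append(i_compatible([f_thresh], [[1], [2]], [[2], [2]], {0, 1}, DOMAIN))
    # q = 2, secret-key setting: all q^n = 4 cross-combinations must agree.
    results.append(i_compatible([f_sum], [[1, 3], [2, 1]], [[2, 4], [1, 0]], set(), DOMAIN))
    results.append(i_compatible([f_sum], [[1, 3], [2, 1]], [[2, 4], [1, 1]], set(), DOMAIN))
    return results


if __name__ == "__main__":
    for ok, witness in demo():
        print("compatible" if ok else f"NOT compatible: {witness}")
```

The enumeration is exponential in $|I|$ and $q$, so it is only a way to check small instances of the definition by hand, not something to run on a real plaintext space.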
IND-secure MI-FE. Our security definition is parameterized by two variables $t$ and $q$, where $t$ denotes the number of encryption keys known to the adversary, and $q$ denotes the number of challenge messages per encryption key. Thus, in total, the adversary is allowed to make $Q = q \cdot n$ challenge message queries. We are now ready to present our formal definition for $(t, q)$-IND-secure multi-input functional encryption.

Definition 3 (Indistinguishability-based security). We say that a multi-input functional encryption scheme $\mathcal{FE}$ for $n$-ary functions $\mathcal{F}$ is $(t, q)$-IND-secure if for every PPT adversary $A = (A_0, A_1, A_2)$, the advantage of $A$ defined as

$$\mathsf{Adv}^{\mathcal{FE}, \mathrm{IND}}_{A}(1^k) = \left| \Pr\big[\mathsf{IND}^{\mathcal{FE}}_{A}(1^k) = 1\big] - \tfrac{1}{2} \right|$$

is $\mathrm{negl}(k)$, where:

Experiment $\mathsf{IND}^{\mathcal{FE}}_{A}(1^k)$:

  $(I, \mathsf{st}_0) \leftarrow A_0(1^k)$ where $|I| = t$
  $(\mathsf{EK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^k)$
  $(X^0, X^1, \mathsf{st}_1) \leftarrow A_1^{\mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)}(\mathsf{st}_0, \mathsf{EK}_I)$ where $X^{\ell} = \{x^{\ell}_{1,j}, \ldots, x^{\ell}_{n,j}\}_{j=1}^{q}$
  $b \leftarrow \{0, 1\}$; $\mathsf{CT}_{i,j} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, x^{b}_{i,j})$ $\forall i \in [n], j \in [q]$
  $b' \leftarrow A_2^{\mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)}(\mathsf{st}_1, \mathsf{CT})$
  Output: $(b = b')$

In the above experiment, we require:

• Let $\{f\}$ denote the entire set of key queries made by $A_1$. Then, the challenge message vectors $X^0$ and $X^1$ chosen by $A_1$ must be $I$-compatible with $\{f\}$.

• The key queries $\{g\}$ made by $A_2$ must be $I$-compatible with $X^0$ and $X^1$.

Selective Security. We also consider selective indistinguishability-based security for multi-input functional encryption. Formally, $(t, q)$-sel-IND-security is defined in the same manner as Definition 3 except that the adversary $A_1$ is required to choose the challenge message vectors $X^0, X^1$ before the evaluation keys $\mathsf{EK}$ and the master secret key $\mathsf{MSK}$ are chosen by the challenger. We omit the formal definition to avoid repetition.

2.2.2  Simulation-based  Security 

Here we present a simulation-based security definition for multi-input FE. We consider the case where the adversary makes key queries after choosing the challenge messages. That is, we only consider adaptive key queries. The “opposite” case where the adversary makes key queries before choosing the challenge messages (i.e., non-adaptive key queries) is discussed in Section |P|.

Our definition extends the simulation-based security definition for single-input FE that supports adaptive key queries [BSW11, O'N10, BO13, CIJ+13]. In particular, we present a general definition that models both black-box and non-black-box simulation.

Intuition. We start by giving an overview of the main ideas behind our simulation-based security definition. To convey the core ideas, it suffices to consider the case of 2-ary functions. Let us start by considering the natural extension of public-key single-input FE to the two-input setting. That is, suppose there are two public encryption keys $\mathsf{EK}_1, \mathsf{EK}_2$ that are used to create ciphertexts of first inputs and second inputs, respectively, for 2-ary functions. Let us investigate what security can be achieved for one challenge message tuple $(x_1, x_2)$.
Suppose that the adversary queries secret keys for functions $\{f\}$. Now, recall that the SIM-security definition in the single-input case guarantees that for every $f \in \{f\}$, an adversary cannot learn more than $f(x)$ when $x$ is the challenge message. We note, however, that an analogous security guarantee cannot be achieved in the multi-input setting. Indeed, an adversary who knows both the encryption keys can create its own ciphertexts w.r.t. each encryption key. Then, by using the secret key corresponding to function $f$, it can learn additional values $\{f(x_1, \cdot)\}$ and $\{f(\cdot, x_2)\}$. Thus, we must allow for the ideal world adversary, aka simulator, to learn the same information.

In  the  secret-key  case,  however,  since  all  of  the  encryption  keys  are  secret,  the  SIM-security 
definition  for  single-input  FE  indeed  extends  in  a  natural  manner  to  the  multi-input  setting.  We 
stress,  however,  that  when  there  are  multiple  challenge  messages,  we  must  take  into  account  the 
fact  that  adversary  can  learn  function  evaluations  over  all  possible  “combinations”  of  challenge 
messages.  Our  definition  presented  below  formalizes  this  intuition. 

SIM-secure MI-FE. Similar to the IND-security case, our definition is parameterized by variables $t$ and $q$ as defined earlier. We now formally define $(t, q)$-SIM-secure multi-input functional encryption.

Definition 4 (Simulation-based Security). We say that a functional encryption scheme $\mathcal{FE}$ for $n$-ary functions $\mathcal{F}$ is $(t, q)$-SIM-secure if for every PPT adversary $A = (A_0, A_1, A_2)$, there exists a PPT simulator $S = (S_0, S_1, S_2)$ such that the outputs of the following two experiments are computationally indistinguishable:

Experiment $\mathsf{REAL}^{\mathcal{FE}}_{A}(1^k)$:

  $(I, \mathsf{st}_0) \leftarrow A_0(1^k)$ where $|I| = t$
  $(\mathsf{EK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^k)$
  $(\mathcal{M}, \mathsf{st}_1) \leftarrow A_1(\mathsf{st}_0, \mathsf{EK}_I)$
  $X \leftarrow \mathcal{M}$ where $X = \{x_{1,j}, \ldots, x_{n,j}\}_{j=1}^{q}$
  $\mathsf{CT}_{i,j} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, x_{i,j})$ $\forall i \in [n], j \in [q]$
  $\alpha \leftarrow A_2^{\mathsf{FE.Keygen}(\mathsf{MSK}, \cdot)}(\mathsf{CT}, \mathsf{st}_1)$
  Output: $(I, \mathcal{M}, X, \{f\}, \alpha)$

Experiment $\mathsf{IDEAL}^{\mathcal{FE}}_{S}(1^k)$:

  $(I, \mathsf{st}_0) \leftarrow S_0(1^k)$
  $(\mathcal{M}, \mathsf{st}_1) \leftarrow S_1(\mathsf{st}_0)$
  $\alpha \leftarrow S_2^{\mathsf{TP}(\mathcal{M}, \cdot, \cdot)}(\mathsf{st}_1)$
  Output: $(I, \mathcal{M}, X, \{g\}, \alpha)$

where the oracle $\mathsf{TP}(\mathcal{M}, \cdot, \cdot)$ denotes the ideal world trusted party, $\{f\}$ denotes the set of queries of $A_2$ to $\mathsf{FE.Keygen}$ and $\{g\}$ denotes the set of functions appearing in the queries of $S_2$ to $\mathsf{TP}$. Given the message distribution $\mathcal{M}$, $\mathsf{TP}$ first samples a message vector $X \leftarrow \mathcal{M}$, where $X = \{x_{1,j}, \ldots, x_{n,j}\}_{j=1}^{q}$. It then accepts queries of the form $\big[g, (j_1, \ldots, j_{n-p}), (x'_{i'_1}, \ldots, x'_{i'_p})\big]$ where $p \le t$, $\{i'_1, \ldots, i'_p\} \subseteq I \cup \emptyset$ and $x'_{i'_1}, \ldots, x'_{i'_p} \in \mathcal{X}_k$. On receiving such a query, $\mathsf{TP}$ outputs:

where $\langle y_{i_1}, \ldots, y_{i_n} \rangle$ denotes a permutation of the values $y_{i_1}, \ldots, y_{i_n}$ such that the value $y_{i_j}$ is mapped to the $t$'th location if $y_{i_j}$ is the $t$'th input (out of $n$ inputs) to $g$.

Remark 5 (On Queries to the Trusted Party). Note that when $t = 0$, then given the challenge ciphertexts $\mathsf{CT}$, intuitively, the real adversary can only compute values $\mathsf{FE.Dec}(\mathsf{SK}_f, \mathsf{CT}_{1,j_1}, \ldots, \mathsf{CT}_{n,j_n})$ for every $j_i \in [q]$, $i \in [n]$. To formalize the intuition that this adversary does not learn anything more than function values $\{f(x_{1,j_1}, \ldots, x_{n,j_n})\}$, we restrict the ideal adversary aka simulator to learn exactly this information.

However, when $t > 0$, then the real adversary can compute values:

$$\mathsf{FE.Dec}\big(\mathsf{SK}_f, \langle \mathsf{CT}_{i_1,j_1}, \ldots, \mathsf{CT}_{i_{n-t},j_{n-t}}, \mathsf{CT}'_{i'_1}, \ldots, \mathsf{CT}'_{i'_t} \rangle\big)$$

for ciphertexts $\mathsf{CT}'_{i'}$ of its choice since it knows the encryption keys $\mathsf{EK}_I$. In other words, such an adversary can learn function values of the form $f\big(\langle x_{i_1,j_1}, \ldots, x_{i_{n-t},j_{n-t}}, x'_{i'_1}, \ldots, x'_{i'_t} \rangle\big)$. Thus, we must provide the same ability to the simulator as well. Our definition presented above precisely captures this.
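Definition 4 is stated through the trusted party $\mathsf{TP}$, and Remark 5 explains which values it may hand out. The following Python is an added illustration, not the paper's code, of that oracle. Slots are numbered from 0, $\mathcal{M}$ is modelled as a function returning the sampled vector $X$ (a point distribution in the constructed sample `fixed_M`), and `learnable_values` goes slightly beyond the text by brute-forcing every value the ideal adversary can obtain over a finite domain, so that the difference between $t = 0$ (exactly the $q^n$ combinations of challenge plaintexts) and $t > 0$ (adversary-chosen inputs in the known-key positions) is visible directly.

```python
import random
from itertools import combinations, product


class TrustedParty:
    """The ideal-world oracle TP(M, ., .) of Definition 4 (added illustration, not the paper's code).

    Slots are numbered 0..n-1 here; I is the set of slots whose encryption keys the
    adversary knows, and t = |I| bounds how many adversary-chosen inputs a query may carry.
    """

    def __init__(self, message_distribution, I, seed=0):
        # message_distribution(rng) plays the role of M: it returns the sampled vector X
        # as n lists of length q, X[i][j] = x_{i,j}.  The seed makes the sample reproducible.
        self.X = message_distribution(random.Random(seed))
        self.n = len(self.X)
        self.q = len(self.X[0])
        self.I = frozenset(I)
        self.t = len(self.I)
        self.queried = []   # the set {g} that appears in the IDEAL output

    def query(self, g, js, known_slots, xprimes):
        """Answer a query [g, (j_1..j_{n-p}), (x'_{i'_1}..x'_{i'_p})].

        known_slots is I' = {i'_1..i'_p}; each x' goes to its own slot, and the remaining
        n-p slots, in increasing order, take the challenge plaintexts x_{i,j} selected by
        js.  Placing every value at the slot it is an input for is the permutation
        <y_{i_1}, ..., y_{i_n}> of the definition.
        """
        p = len(known_slots)
        if p > self.t or not set(known_slots) <= self.I:
            raise ValueError("x' may only be supplied for slots whose encryption key is known")
        if len(js) != self.n - p or len(xprimes) != p:
            raise ValueError("malformed query")
        vec = [None] * self.n
        for slot, x in zip(known_slots, xprimes):
            vec[slot] = x
        free = [i for i in range(self.n) if i not in known_slots]
        for slot, j in zip(free, js):
            if not 0 <= j < self.q:
                raise ValueError("challenge index out of range")
            vec[slot] = self.X[slot][j]
        self.queried.append(g)
        return g(*vec)


def learnable_values(tp, g, domain):
    """Every output of g the ideal adversary can extract from TP, by brute force over a
    finite domain.  With t = 0 this is exactly the q^n values of Remark 5; each known key
    adds the adversary-chosen positions discussed there."""
    out = set()
    known = sorted(tp.I)
    for p in range(tp.t + 1):
        for i_prime in combinations(known, p):
            for js in product(range(tp.q), repeat=tp.n - p):
                for xs in product(domain, repeat=p):
                    out.add(tp.query(g, js, i_prime, xs))
    return out


# Constructed sample: a fixed 2-input, q = 2 message vector (M is a point distribution here).
def fixed_M(rng):
    return [[1, 3], [2, 1]]


def g_sum(a, b):
    return a + b


def demo():
    secret_key = TrustedParty(fixed_M, I=set())   # t = 0: no encryption key known
    one_public = TrustedParty(fixed_M, I={1})     # t = 1: second encryption key known
    return (learnable_values(secret_key, g_sum, range(4)),
            learnable_values(one_public, g_sum, range(4)))


if __name__ == "__main__":
    print(demo())
```

With the constructed vector the secret-key oracle can only return the four sums of one first-slot and one second-slot challenge plaintext, whereas with the second key known the adversary additionally obtains $g(x_{1,j}, x')$ for every $x'$ of its choosing.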

Selective Security. We also consider selective simulation-based security for multi-input functional encryption. Formally, $(t, q)$-sel-SIM-security is defined in the same manner as Definition 4 except that in the real world experiment, adversary $A_1$ chooses the message distribution $\mathcal{M}$ before the evaluation keys $\mathsf{EK}$ and the master secret key $\mathsf{MSK}$ are chosen by the challenger. We omit the formal definition to avoid repetition.

Remark 6 (SIM-security: Secret-key setting). When $t = 0$, none of the encryption keys are known to the adversary. In this “secret-key” setting, there is no difference between $(0, q)$-sel-SIM-security and $(0, q)$-SIM-security.

3  Preliminaries 

Here  we  present  definitions  of  various  cryptographic  primitives  that  are  used  in  our  construction 
of  multi-input  functional  encryption.  We  assume  familiarity  with  standard  semantically-secure 
public-key  encryption  and  omit  its  formal  definition  from  this  text.  Below,  we  recall  the  notions 
of  indistinguishability  obfuscation,  non-interactive  witness  indistinguishable  proof  systems  and 
perfectly  binding  commitment  schemes. 

3.1  Indistinguishability  Obfuscation 

Here we recall the notion of indistinguishability obfuscation that was defined by Barak et al. [BGI+01]. Intuitively speaking, we require that for any two circuits $C_1$ and $C_2$ that are “functionally equivalent” (i.e., for all inputs $x$ in the domain, $C_1(x) = C_2(x)$), the obfuscation of $C_1$ must be computationally indistinguishable from the obfuscation of $C_2$. Below we present the formal definition following the syntax of [GGH+13a].

Definition 7 (Indistinguishability Obfuscation). A uniform PPT machine $\mathsf{iO}$ is called an indistinguishability obfuscator for a circuit class $\{\mathcal{C}_k\}$ if the following holds:

• Correctness: For every $k \in \mathbb{N}$, for every $C \in \mathcal{C}_k$, for every input $x$ in the domain of $C$, we have that

$$\Pr\big[C'(x) = C(x) : C' \leftarrow \mathsf{iO}(C)\big] = 1.$$

• Indistinguishability: For every $k \in \mathbb{N}$, for all pairs of circuits $C_0, C_1 \in \mathcal{C}_k$, if $C_0(x) = C_1(x)$ for all inputs $x$, then for all PPT adversaries $A$, we have:

$$\left| \Pr[A(\mathsf{iO}(C_0)) = 1] - \Pr[A(\mathsf{iO}(C_1)) = 1] \right| \le \mathrm{negl}(k).$$

Very recently, Garg et al. [GGH+13a] gave the first candidate construction for an indistinguishability obfuscator $\mathsf{iO}$ for the circuit class $\mathrm{P}/\mathrm{poly}$.
Differing-Inputs Obfuscation. We also consider a stronger notion of indistinguishability obfuscation, namely, differing-inputs obfuscation that was proposed by Barak et al. [BGI+01]. Intuitively speaking, we require that for any two circuits $C_1$ and $C_2$ that “appear” to be functionally equivalent to every PPT algorithm (i.e., no PPT algorithm can find an input $x$ s.t. $C_1(x) \neq C_2(x)$), the obfuscation of $C_1$ must be computationally indistinguishable from the obfuscation of $C_2$. Alternatively, if a PPT algorithm can distinguish obfuscation of $C_1$ from obfuscation of $C_2$, then we can efficiently find an input $x$ s.t. $C_1(x) \neq C_2(x)$.

Below, we present the formal definition. We follow the formalism of [ABG+13].

We start by defining the notion of differing-inputs circuit family. Intuitively, a circuit family is said to be a differing-inputs circuit family if there does not exist any PPT adversary that, given two circuits that are sampled from a distribution defined on this circuit family, can find an input $x$ such that both the circuits yield different outputs on $x$.

Definition 8 (Differing-inputs Circuit Family). A circuit family $\mathcal{C}$ associated with a sampler $\mathsf{Sampler}$ is said to be a differing-inputs circuit family if for every PPT adversary $A$, there exists a negligible function $\mathrm{negl}(\cdot)$ such that:

$$\Pr\big[C_0(x) \neq C_1(x) \mid (C_0, C_1, z) \leftarrow \mathsf{Sampler}(1^k);\ x \leftarrow A(1^k, C_0, C_1, z)\big] \le \mathrm{negl}(k)$$

Definition 9 (Differing-inputs Obfuscator). A PPT machine $\mathsf{diO}$ is called a differing-inputs obfuscator for a differing-inputs circuit family $\mathcal{C} = \{\mathcal{C}_k\}$ if the following conditions are satisfied:

• Correctness: For all security parameters $k \in \mathbb{N}$, for all $C \in \mathcal{C}$, for all inputs $x$, we have that:

$$\Pr\big[C'(x) = C(x) \mid C' \leftarrow \mathsf{diO}(1^k, C)\big] = 1$$

• Differing-inputs: For any PPT adversary $A$, there exists a negligible function $\mathrm{negl}(\cdot)$ such that the following holds: For all security parameters $k \in \mathbb{N}$, for $(C_0, C_1, z) \leftarrow \mathsf{Sampler}(1^k)$, we have that:

$$\left| \Pr[A(\mathsf{diO}(C_0)) = 1] - \Pr[A(\mathsf{diO}(C_1)) = 1] \right| \le \mathrm{negl}(k).$$

3.2  Non-Interactive  Proof  Systems 

In  this  section,  we  recall  various  security  notions  for  non-interactive  proof  systems.  We  start 
by  giving  the  syntax  and  formal  definition  of  a  non-interactive  proof  system.  Next,  we  give 
the  definition  of  non-interactive  witness-indistinguishable  proofs  (NIWI).  Finally,  we  give  the 
definition  of  non-interactive  zero-knowledge  (NIZK),  with  simulation-soundness  property. 

Syntax. Let $R$ be an efficiently computable relation that consists of pairs $(x, w)$, where $x$ is called the statement and $w$ is the witness. Let $L$ denote the language consisting of statements in $R$. A non-interactive proof system for a language $L$ consists of a setup algorithm $\mathsf{CRSGen}$, a prover algorithm $\mathsf{Prove}$ and a verifier algorithm $\mathsf{Verify}$, defined as follows:

• Setup $\mathsf{CRSGen}(1^k)$ is a PPT algorithm that takes as input the security parameter $k$ and outputs a common reference string $\mathsf{crs}$.

• Prover $\mathsf{Prove}(\mathsf{crs}, x, w)$ is a PPT algorithm that takes as input the common reference string $\mathsf{crs}$, a statement $x$ along with a witness $w$. If $(x, w) \in R$, it produces a proof string $\pi$, else it outputs fail.

• Verifier $\mathsf{Verify}(\mathsf{crs}, x, \pi)$ is a PPT algorithm that takes as input the common reference string $\mathsf{crs}$ and a statement $x$ with a corresponding proof $\pi$. It outputs 1 if the proof is valid, and 0 otherwise.
Definition 10 (Non-interactive Proof System). A non-interactive proof system for a language $L$ with a PPT relation $R$ is a tuple of algorithms $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ such that the following properties hold:

• Perfect Completeness: For every $(x, w) \in R$, it holds that

$$\Pr\big[\mathsf{Verify}(\mathsf{crs}, x, \mathsf{Prove}(\mathsf{crs}, x, w)) = 1\big] = 1$$

where $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$, and the probability is taken over the coins of $\mathsf{CRSGen}$, $\mathsf{Prove}$ and $\mathsf{Verify}$.

• Statistical Soundness: For every adversary $A$, it holds that

$$\Pr\big[\mathsf{Verify}(\mathsf{crs}, x, \pi) = 1 \wedge x \notin L \mid \mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k);\ (x, \pi) \leftarrow A(\mathsf{crs})\big] = \mathrm{negl}(k)$$

If the soundness property only holds against PPT adversaries, then we call it an argument system.

Definition 11 (NIWI). We say that a non-interactive proof system $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ for a language $L$ with a PPT relation $R$ is witness-indistinguishable if for any triplet $(x, w_0, w_1)$ such that $(x, w_0) \in R$ and $(x, w_1) \in R$, the distributions $\{\mathsf{crs}, \mathsf{Prove}(\mathsf{crs}, x, w_0)\}$ and $\{\mathsf{crs}, \mathsf{Prove}(\mathsf{crs}, x, w_1)\}$ are computationally indistinguishable, where $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$.

Definition 12 (NIZK). A non-interactive proof system $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ for a language $L$ with a PPT relation $R$ is said to be zero knowledge if there exists a simulator $\mathsf{Sim} = (\mathsf{Sim.CRSGen}, \mathsf{Sim.Prove})$ such that for all PPT adversaries $A$,

$$\left| \Pr\big[A^{\mathsf{Prove}(\mathsf{crs}, \cdot, \cdot)}(\mathsf{crs}) = 1 \mid \mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)\big] - \Pr\big[A^{\mathcal{S}(\mathsf{crs}, \tau, \cdot, \cdot)}(\mathsf{crs}) = 1 \mid (\mathsf{crs}, \tau) \leftarrow \mathsf{Sim.CRSGen}(1^k)\big] \right| \le \mathrm{negl}(k)$$

where $\mathcal{S}(\mathsf{crs}, \tau, x, w) = \mathsf{Sim.Prove}(\mathsf{crs}, \tau, x)$ if $(x, w) \in R$ and outputs fail otherwise.

Definition 13 (Simulation soundness). A NIZK proof system $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ for a language $L$ with a PPT relation $R$ is said to be simulation sound if for all PPT adversaries $A$,

$$\Pr\left[\begin{array}{l} (x^*, \pi^*) \leftarrow A^{\mathsf{Sim.Prove}(\mathsf{crs}, \tau, \cdot)}(\mathsf{crs}) \ \wedge\ x^* \notin L \\ \wedge\ 1 \leftarrow \mathsf{Verify}(\mathsf{crs}, x^*, \pi^*) \end{array} \,\middle|\, (\mathsf{crs}, \tau) \leftarrow \mathsf{Sim.CRSGen}(1^k)\right] \le \mathrm{negl}(k)$$

where $x^*$ is not in the list of queries made by $A$ to $\mathsf{Sim.Prove}$.


3.3  Commitment  Schemes 

A commitment scheme $\mathsf{Com}$ is a PPT algorithm that takes as input a string $x$ and randomness $r$ and outputs $c \leftarrow \mathsf{Com}(x; r)$. A perfectly binding commitment scheme must satisfy the following properties:

• Perfectly Binding: This property states that two different strings cannot have the same commitment. More formally, $\forall x_1 \neq x_2$ and $r_1, r_2$, $\mathsf{Com}(x_1; r_1) \neq \mathsf{Com}(x_2; r_2)$.

• Computational Hiding: For all strings $x_0$ and $x_1$ (of the same length), for all PPT adversaries $A$, we have that:

$$\left| \Pr[A(\mathsf{Com}(x_0)) = 1] - \Pr[A(\mathsf{Com}(x_1)) = 1] \right| \le \mathrm{negl}(k).$$

We note that it is in fact sufficient to use a standard 2-round statistically binding scheme in our construction in Section 4. Note that such a commitment scheme can be based on one-way functions. For simplicity of exposition, however, we will present our construction using a non-interactive perfectly binding scheme.
4  A  Construction  from  Indistinguishability  Obfuscation 

Let $\mathcal{F}$ denote the family of all efficiently computable (deterministic) $n$-ary functions. We now present a functional encryption scheme $\mathcal{FE}_1$ for $\mathcal{F}$. Assuming the existence of one-way functions and indistinguishability obfuscation for all efficiently computable circuits, we prove the following security guarantees for $\mathcal{FE}_1$:

1. For $t = 0$, and any $q = q(k)$ such that $q^n = \mathrm{poly}(k)$, $\mathcal{FE}_1$ is $(0, q)$-SIM-secure.² In this case, the size of the secret keys in $\mathcal{FE}_1$ grows linearly with $q^n$.

2. For any $t < n$ and $q = \mathrm{poly}(k)$, $\mathcal{FE}_1$ is $(t, q)$-sel-IND-secure. In this case, the size of the secret keys is independent of $q$.

Further, the size of each encryption key and ciphertext in $\mathcal{FE}_1$ grows linearly with $q$. In Section 5, we give an efficient construction with “compact” encryption keys and ciphertexts, whose security is proven in the standard model.


Notation. Let $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ be a NIWI proof system. Let $\mathsf{Com}$ denote a perfectly binding commitment scheme. Let $\mathsf{iO}$ denote an indistinguishability obfuscator. Finally, let $\mathsf{PKE} = (\mathsf{PKE.Setup}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ be a semantically secure public-key encryption scheme. (See Section 3 for definitions of these notions.) We denote the length of ciphertexts in $\mathsf{PKE}$ by $\mathsf{c\text{-}len} = \mathsf{c\text{-}len}(k)$. Let $\mathsf{len} = 2 \cdot \mathsf{c\text{-}len}$.

We now proceed to describe our scheme $\mathcal{FE}_1 = (\mathsf{FE.Setup}, \mathsf{FE.Enc}, \mathsf{FE.Keygen}, \mathsf{FE.Dec})$.

Setup $\mathsf{FE.Setup}(1^k)$: The setup algorithm first computes a CRS $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$ for the NIWI proof system. Next, it computes two key pairs, $(\mathsf{pk}_1, \mathsf{sk}_1) \leftarrow \mathsf{PKE.Setup}(1^k)$ and $(\mathsf{pk}_2, \mathsf{sk}_2) \leftarrow \mathsf{PKE.Setup}(1^k)$, of the public-key encryption scheme $\mathsf{PKE}$. Finally, it computes the following commitments: (a) $Z_1^{i,j} \leftarrow \mathsf{Com}(0^{\mathsf{len}})$ for every $i \in [n]$, $j \in [q]$. (b) $Z_2^{i} \leftarrow \mathsf{Com}(0)$ for every $i \in [n]$.

For every $i \in [n]$, the $i$'th encryption key $\mathsf{EK}_i = \big(\mathsf{crs}, \mathsf{pk}_1, \mathsf{pk}_2, \{Z_1^{i,j}\}_{j=1}^{q}, Z_2^{i}, r_2^{i}\big)$ where $r_2^{i}$ is the randomness used to compute the commitment $Z_2^{i}$. The master secret key is set to be $\mathsf{MSK} = \big(\mathsf{crs}, \mathsf{pk}_1, \mathsf{pk}_2, \mathsf{sk}_1, \{Z_1^{i,j}\}_{i \in [n], j \in [q]}, \{Z_2^{i}\}_{i \in [n]}\big)$. The setup algorithm outputs $(\mathsf{EK}_1, \ldots, \mathsf{EK}_n, \mathsf{MSK})$.

Encryption $\mathsf{FE.Enc}(\mathsf{EK}_i, x)$: To encrypt a message $x$ with the $i$'th encryption key $\mathsf{EK}_i$, the encryption algorithm first computes $c_1 \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_1, x)$ and $c_2 \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_2, x)$. Next, it computes a NIWI proof $\pi \leftarrow \mathsf{Prove}(\mathsf{crs}, y, w)$ for the statement $y = \big(c_1, c_2, \mathsf{pk}_1, \mathsf{pk}_2, \{Z_1^{i,j}\}_{j=1}^{q}, Z_2^{i}\big)$:

• Either $c_1$ and $c_2$ are encryptions of the same message and $Z_2^{i}$ is a commitment to 0, or

• $\exists\, j \in [q]$ s.t. $Z_1^{i,j}$ is a commitment to $c_1 \| c_2$.

A witness $w_{\mathrm{real}} = (x, s_1, s_2, r_2^{i})$ for the first part of the statement, referred to as the real witness, includes the message $x$ and the randomness $s_1$ and $s_2$ used to compute the ciphertexts $c_1$ and $c_2$, respectively, and the randomness $r_2^{i}$ used to compute $Z_2^{i}$. A witness $w_{\mathrm{trap}} = (j, r_1^{i,j})$ for the second part of the statement, referred to as the trapdoor witness, includes an index $j$ and the randomness $r_1^{i,j}$ used to compute $Z_1^{i,j}$.

The honest encryption algorithm uses the real witness $w_{\mathrm{real}}$ to compute $\pi$. The output of the algorithm is the ciphertext $\mathsf{CT} = (c_1, c_2, \pi)$.

² Recall that when $t = 0$, there is no difference between selective security and standard security as defined in Section 2.2.2. See Remark 6.
Key Generation $\mathsf{FE.Keygen}(\mathsf{MSK}, f)$: The key generation algorithm on input $f$ computes $\mathsf{SK}_f \leftarrow \mathsf{iO}(G_f)$ where the function $G_f$ is defined in Figure 1. Note that $G_f$ has the master secret key $\mathsf{MSK}$ hardwired in its description.

$G_f(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$

1. For every $i \in [n]$:

(a) Parse $\mathsf{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$.

(b) Let $y_i = \big(c_{i,1}, c_{i,2}, \mathsf{pk}_1, \mathsf{pk}_2, \{Z_1^{i,j}\}_{j=1}^{q}, Z_2^{i}\big)$ be the statement corresponding to the proof string $\pi_i$. If $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 0$, then stop and output $\bot$. Otherwise, continue to the next step.

(c) Compute $x_i \leftarrow \mathsf{PKE.Dec}(\mathsf{sk}_1, c_{i,1})$.

2. Output $f(x_1, \ldots, x_n)$.

Figure 1: Functionality $G_f$

The algorithm outputs $\mathsf{SK}_f$ as the secret key for $f$.

Size of Function $G_f$. In order to prove that $\mathcal{FE}_1$ is $(0, q)$-SIM-secure (see Section 4.2), we require the function $G_f$ to be padded with zeros such that $|G_f| = |\mathsf{Sim}.G_f|$, where the “simulated” functionality $\mathsf{Sim}.G_f$ is described later in Figure 2. In this case, the size of $\mathsf{SK}_f$ grows linearly with $q^n$.

Note, however, that such a padding is not necessary to prove $(t, q)$-sel-IND-security for $\mathcal{FE}_1$ (see Section 4.1). Indeed, in this case, the secret keys $\mathsf{SK}_f$ are independent of the number of message queries $q$ made by the adversary.

Decryption $\mathsf{FE.Dec}(\mathsf{SK}_f, \mathsf{CT}_1, \ldots, \mathsf{CT}_n)$: The decryption algorithm on input $(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$ computes and outputs $\mathsf{SK}_f(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$.

This completes the description of the proposed functional encryption scheme $\mathcal{FE}_1$. The correctness property of the scheme follows from inspection. We prove sel-IND security for $\mathcal{FE}_1$ in Section 4.1 and then prove SIM security in Section 4.2.


4.1  Proving  sel-IND  Security 

We now prove that the proposed scheme $\mathcal{FE}_1$ is $(t, q)$-sel-IND-secure for any $t < n$.

Theorem 14. Let $q = q(k)$ be a fixed $\mathrm{poly}(k)$. Then, assuming indistinguishability obfuscation for all polynomial-time computable circuits and one-way functions, the proposed scheme $\mathcal{FE}_1$ is $(t, q)$-sel-IND-secure for any $t < n$.

We prove the above theorem via a hybrid argument. We start by describing a sequence of hybrid experiments $H_0, \ldots, H_{10}$, where experiment $H_0$ (resp., $H_{10}$) corresponds to the real world experiment with challenge bit $b = 0$ (resp., $b = 1$). We will prove that for every $i$, the outputs of experiments $H_i$ and $H_{i+1}$ are computationally indistinguishable.

Hybrid $H_0$: This is the real experiment with challenge bit $b = 0$.

Hybrid $H_1$: This experiment is the same as $H_0$ except that the setup algorithm computes the commitments $\{Z_1^{i,j}\}$ in the following manner: let the challenge ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$. Then, $Z_1^{i,j} \leftarrow \mathsf{Com}(c_1^{i,j} \| c_2^{i,j})$.

Hybrid $H_2$: This experiment is the same as $H_1$ except that in every challenge ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the proof string $\pi^{i,j}$ is computed using the trapdoor witness.

Hybrid $H_3$: This experiment is the same as $H_2$ except that for every $i \in N \setminus I$ (where $I$ denotes the set of indices $i$ s.t. $\mathsf{EK}_i$ is known to the adversary) the setup algorithm computes $Z_2^{i}$ as a commitment to 1 (instead of 0). That is, for every $i \in N \setminus I$, $Z_2^{i} \leftarrow \mathsf{Com}(1)$.

Hybrid $H_4$: This experiment is the same as $H_3$ except that in every challenge ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the second ciphertext $c_2^{i,j}$ is computed as an encryption of the challenge message $x^1_{i,j}$ (as opposed to $x^0_{i,j}$), i.e., $c_2^{i,j} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, x^1_{i,j})$.

Hybrid $H_5$: This experiment is the same as $H_4$ except that for every key query $f$, the corresponding secret key $\mathsf{SK}_f$ is computed as $\mathsf{SK}_f \leftarrow \mathsf{iO}(G'_f)$ where $G'_f$ is the same as the function $G_f$ except that:

1. It has secret key $\mathsf{sk}_2$ hardwired instead of $\mathsf{sk}_1$.

2. It decrypts the second component of each input ciphertext using $\mathsf{sk}_2$. More concretely, in step 1(c), plaintext $x_i$ is computed as $x_i \leftarrow \mathsf{PKE.Dec}(\mathsf{sk}_2, c_{i,2})$.

Hybrid $H_6$: This experiment is the same as $H_5$ except that in every challenge ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the first ciphertext $c_1^{i,j}$ is an encryption of challenge message $x^1_{i,j}$ (as opposed to $x^0_{i,j}$), i.e., $c_1^{i,j} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, x^1_{i,j})$.

Hybrid $H_7$: This experiment is the same as $H_6$ except that for every key query $f$, the corresponding secret key $\mathsf{SK}_f$ is computed as $\mathsf{SK}_f$

Hybrid $H_8$: This experiment is the same as $H_7$ except that the setup algorithm computes every $Z_2^{i}$ as a commitment to 0, i.e., $Z_2^{i} \leftarrow \mathsf{Com}(0)$.

Hybrid $H_9$: This experiment is the same as $H_8$ except that in every challenge ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the proof string $\pi^{i,j}$ is computed using the real witness.

Hybrid $H_{10}$: This experiment is the same as $H_9$ except that the setup algorithm computes every $Z_1^{i,j}$ as a commitment to the all zeros string, i.e., $Z_1^{i,j} \leftarrow \mathsf{Com}(0^{\mathsf{len}})$. Note that this is the real experiment with challenge bit $b = 1$.

This completes the description of the hybrids. We argue their indistinguishability in Appendix A.

4.2 Proving SIM Security

Here we prove that the proposed scheme $\mathcal{FE}_I$ is $(0, q)$-SIM-secure.

Theorem 15. Let $q = q(k)$ be such that $q^n = \mathrm{poly}(k)$. Then, assuming indistinguishability obfuscation for all polynomial-time computable circuits and one-way functions, the proposed scheme $\mathcal{FE}_I$ is $(0, q)$-SIM-secure.

In order to prove the above theorem, we first construct an ideal world adversary, a.k.a. simulator, $S$. Then, in Appendix B, we prove indistinguishability of the outputs of the real and ideal world experiments via a hybrid argument.
Simulator $S$. We describe a simulator $S = (S_0, S_1, S_2)$ that only makes black-box use of a real-world adversary $A = (A_0, A_1, A_2)$.

Algorithm $S_0$. Let $z$ be the auxiliary input given to $S$. Algorithm $S_0$ simply runs $A_0$ with auxiliary input $z$ and outputs $(I, \mathsf{st}_0) \leftarrow A_0(1^k, z)$. Since we are only considering the case where $t = 0$, we have that $I = \emptyset$.

Algorithm $S_1$. Algorithm $S_1$ simply runs $A_1$ on input $\mathsf{st}_0$ and outputs $(\mathcal{M}, \mathsf{st}_1) \leftarrow A_1(\mathsf{st}_0)$.

Algorithm $S_2$. This algorithm runs the adversary algorithm $A_2$ on simulated ciphertexts and provides simulated answers to the key queries made by $A_2$. More concretely, $S_2$ runs in the following sequence of steps:

1. Simulate Setup. $S_2$ first performs a simulated setup procedure. Namely, it first computes a CRS $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$ for the NIWI proof system. Next, it computes two key pairs, $(\mathsf{pk}_1, \mathsf{sk}_1) \leftarrow \mathsf{PKE.Setup}(1^k)$ and $(\mathsf{pk}_2, \mathsf{sk}_2) \leftarrow \mathsf{PKE.Setup}(1^k)$, of the public-key encryption scheme $\mathsf{PKE}$. Finally, it computes the commitments $\{Z_1^{i,j}\}$ and $\{Z_2^i\}$ in the following manner:

• For every $i \in [n]$, $j \in [q]$: (a) Compute $c_1^{i,j}$ and $c_2^{i,j}$ as encryptions of zeros, i.e., $c_1^{i,j} \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_1, 0)$ and $c_2^{i,j} \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_2, 0)$. (b) Compute $Z_1^{i,j} \leftarrow \mathsf{Com}(c_1^{i,j} \| c_2^{i,j})$. Let $r_1^{i,j}$ be the randomness used to compute $Z_1^{i,j}$.

• For every $i \in [n]$, compute $Z_2^i$ as a commitment to 1, i.e., $Z_2^i \leftarrow \mathsf{Com}(1)$.

Let $\mathsf{MSK} = (\mathsf{crs}, \mathsf{pk}_1, \mathsf{pk}_2, \mathsf{sk}_1, \{Z_1^{i,j}\}, \{Z_2^i\})$.

2. Simulate Challenge Ciphertexts. $S_2$ now computes simulated challenge ciphertexts $\mathsf{CT} = \{\mathsf{CT}_{1,j}, \ldots, \mathsf{CT}_{n,j}\}_{j=1}^{q}$ in the following manner. For every $i \in [n]$, $j \in [q]$:

• Let $y_{i,j} = (c_1^{i,j}, c_2^{i,j}, \mathsf{pk}_1, \mathsf{pk}_2, \{Z_1^{i,j}\}, Z_2^i)$. Compute the proof $\pi^{i,j} \leftarrow \mathsf{Prove}(\mathsf{crs}, y_{i,j}, w_{i,j})$, where the witness $w_{i,j}$ corresponds to the trapdoor witness $(j, r_1^{i,j})$. That is, $w_{i,j}$ establishes that $Z_1^{i,j}$ is a commitment to $c_1^{i,j} \| c_2^{i,j}$.

• The simulated ciphertext $\mathsf{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$.

3. Simulate Key Queries. Finally, $S_2$ runs the adversary algorithm $A_2$ on input $(\mathsf{CT}, \mathsf{st}_1)$. Recall from Definition 4 that $A_2$ also makes queries to the key generation oracle. $S_2$ simulates responses to $A_2$'s key queries in the following manner. Let $\mathsf{TP}$ denote the ideal world trusted party that, given the message distribution $\mathcal{M}$ (output by $S_1$), first samples $X \leftarrow \mathcal{M}$, where $X = \{x_{1,j}, \ldots, x_{n,j}\}_{j=1}^{q}$. When $A_2$ makes a key query $f$, $S_2$ performs the following sequence of steps:

• Query the trusted party $\mathsf{TP}$ on function $(f, j_1, \ldots, j_n)$ for every choice of $j_1, \ldots, j_n \in [q]$. The trusted party computes and returns the function outputs $\mathsf{out}[j_1, \ldots, j_n] = f(x_{1,j_1}, \ldots, x_{n,j_n})$ to $S_2$. Let $\mathsf{out}$ denote the vector of all the $q^n$ outputs.

• Compute the secret key $\mathsf{SK}_f$ for function $f$ as $\mathsf{SK}_f \leftarrow \mathsf{iO}(\mathsf{Sim.G}_f)$. The functionality $\mathsf{Sim.G}_f$ has the master secret key $\mathsf{MSK}$, the challenge ciphertext pairs $\{c_1^{i,j}, c_2^{i,j}\}$ and the outputs $\mathsf{out}$ hardwired in it. It is described in Figure 2.

• Return $\mathsf{SK}_f$ to $A_2$.

Finally, at some point $A_2$ outputs its view $\alpha$. $S_2$ outputs $\alpha$ and stops.

In Appendix B we prove indistinguishability of the outputs of the real and ideal experiments.

5 A Construction from Differing-Inputs Obfuscation

Let $\mathcal{F}$ denote the family of all efficiently computable (deterministic) $n$-ary functions. We now present a new functional encryption scheme $\mathcal{FE}_{II}$ for $\mathcal{F}$ based on differing-inputs obfuscation.
$\mathsf{Sim.G}_f(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$

1. For every $i \in [n]$:

• Parse $\mathsf{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$.

• Let $y_i = (c_{i,1}, c_{i,2}, \mathsf{pk}_1, \mathsf{pk}_2, \{Z_1^{i,j}\}, Z_2^i)$ be the statement corresponding to the proof string $\pi_i$. If $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 0$, then stop and output $\bot$. Otherwise, continue to the next step.

2. If $\exists\, (j_1, \ldots, j_n)$ s.t. for every $i \in [n]$,

• $c_1^{i,j_i} = c_{i,1}$, and

• $c_2^{i,j_i} = c_{i,2}$,

then stop and output $\mathsf{out}[j_1, \ldots, j_n]$.

3. Otherwise, for every $i \in [n]$,

• Compute $x_i \leftarrow \mathsf{PKE.Dec}(\mathsf{sk}_1, c_{i,1})$.

4. Output $f(x_1, \ldots, x_n)$.

Figure 2: Functionality $\mathsf{Sim.G}_f$


The main advantage of this scheme over the one presented in Section 4 is that the encryption keys and the ciphertexts are "compact", i.e., independent of the number of message queries $q$ made by the adversary.

The proposed scheme provides the following security guarantees:

• For any choice of $t < n$, $\mathcal{FE}_{II}$ is $(t, \mathrm{poly}(k))$-IND-secure. In this case, the number of message queries $q$ can be an arbitrary unbounded polynomial $q = \mathrm{poly}(k)$.

• For $t = 0$ and $q = q(k)$ such that $q^n = \mathrm{poly}(k)$, our construction naturally extends to $(0, q)$-SIM-security. In this case, the size of the secret keys grows linearly with $q^n$.

Notation. Let $(\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Verify})$ be a simulation-sound NIZK argument system. Let $\mathsf{Com}$ denote a perfectly binding commitment scheme. Let $\mathsf{diO}$ denote a differing-inputs obfuscator. Finally, let $\mathsf{PKE} = (\mathsf{PKE.Setup}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ be a semantically secure public-key encryption scheme.

We now proceed to describe the scheme $\mathcal{FE}_{II} = (\mathsf{FE.Setup}, \mathsf{FE.Enc}, \mathsf{FE.Keygen}, \mathsf{FE.Dec})$.

Setup $\mathsf{FE.Setup}(1^k)$: The setup algorithm first computes a CRS $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$ for the simulation-sound NIZK proof system. Next, it computes two key pairs, $(\mathsf{pk}_1, \mathsf{sk}_1) \leftarrow \mathsf{PKE.Setup}(1^k)$ and $(\mathsf{pk}_2, \mathsf{sk}_2) \leftarrow \mathsf{PKE.Setup}(1^k)$, of the public-key encryption scheme $\mathsf{PKE}$. Finally, for every $i \in [n]$, it computes a commitment $Z_i \leftarrow \mathsf{Com}(0)$.

For every $i \in [n]$, the $i$'th encryption key $\mathsf{EK}_i = (\mathsf{crs}, \mathsf{pk}_1, \mathsf{pk}_2, Z_i, r_i)$ where $r_i$ is the randomness used to compute $Z_i$. The master secret key $\mathsf{MSK} = (\mathsf{crs}, \mathsf{pk}_1, \mathsf{pk}_2, \mathsf{sk}_1, \{Z_i\})$. The setup algorithm outputs $(\mathsf{EK}_1, \ldots, \mathsf{EK}_n, \mathsf{MSK})$.

Encryption $\mathsf{FE.Enc}(\mathsf{EK}_i, x)$: To encrypt a message $x$ with the $i$'th encryption key $\mathsf{EK}_i$, the encryption algorithm first computes $c_1 \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_1, x)$ and $c_2 \leftarrow \mathsf{PKE.Enc}(\mathsf{pk}_2, x)$. Next, it computes a simulation-sound NIZK proof $\pi \leftarrow \mathsf{Prove}(\mathsf{crs}, y, w)$ for the statement $y = (c_1, c_2, \mathsf{pk}_1, \mathsf{pk}_2, Z_i)$:

• $c_1$ and $c_2$ are encryptions of the same message and $Z_i$ is a commitment to 0.

Here, a witness $w = (s_1, s_2, r_i)$ for $y$ consists of the randomness $s_1$ and $s_2$ used to compute $c_1$ and $c_2$, respectively, and the randomness $r_i$ used to compute $Z_i$.

The output of the algorithm is the ciphertext $\mathsf{CT} = (c_1, c_2, \pi)$.

Key Generation $\mathsf{FE.Keygen}(\mathsf{MSK}, f)$: The key generation algorithm on input $f$ computes $\mathsf{SK}_f \leftarrow \mathsf{diO}(\mathcal{H}_f)$ where the function $\mathcal{H}_f$ is defined in Figure 3. Note that $\mathcal{H}_f$ has the master secret key $\mathsf{MSK}$ hardwired in its description.


$\mathcal{H}_f(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$

1. For every $i \in [n]$:

(a) Parse $\mathsf{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$.

(b) Let $y_i = (c_{i,1}, c_{i,2}, \mathsf{pk}_1, \mathsf{pk}_2, Z_i)$ be the statement corresponding to the proof string $\pi_i$. If $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 0$, then stop and output $\bot$. Otherwise, continue to the next step.

(c) Compute $x_i \leftarrow \mathsf{PKE.Dec}(\mathsf{sk}_1, c_{i,1})$.

2. Output $f(x_1, \ldots, x_n)$.

Figure 3: Functionality $\mathcal{H}_f$

The algorithm outputs $\mathsf{SK}_f$ as the secret key for $f$.

Size of Function $\mathcal{H}_f$. Similar to the construction in Section 4, in order to prove that $\mathcal{FE}_{II}$ is $(0, q)$-SIM-secure, we require the function $\mathcal{H}_f$ to be padded with zeros such that the size of $\mathcal{H}_f$ is equal to the size of its "simulated version" which has (among other things) $q^n$ output values hardwired in it. Thus, in this case, the size of $\mathsf{SK}_f$ grows linearly with $q^n$.

Note, however, that such a padding is not necessary to prove $(t, q)$-sel-IND-security for $\mathcal{FE}_{II}$. Indeed, in this case, the secret keys $\mathsf{SK}_f$ are independent of the number of message queries $q$ made by the adversary.

Decryption $\mathsf{FE.Dec}(\mathsf{SK}_f, \mathsf{CT}_1, \ldots, \mathsf{CT}_n)$: The decryption algorithm on input $(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$ computes and outputs $\mathsf{SK}_f(\mathsf{CT}_1, \ldots, \mathsf{CT}_n)$.

This completes the description of $\mathcal{FE}_{II}$. The correctness property of the scheme follows from inspection.

Theorem 16. Assuming differing-inputs obfuscation for all polynomial-time computable circuits and one-way functions, the proposed scheme $\mathcal{FE}_{II}$ is $(t, \mathrm{poly}(k))$-IND-secure for any $t < n$.

We prove the above theorem in Appendix C. Further, we note that for $t = 0$ and $q = q(k)$ such that $q^n = \mathrm{poly}(k)$, our IND-security proof can be naturally extended to argue $(0, q)$-SIM-security for $\mathcal{FE}_{II}$ by using a similar simulation strategy as for our first construction (see Section 4). We formally state the claim below, but omit the proof details from this manuscript.

Theorem 17. Let $q = q(k)$ be such that $q^n = \mathrm{poly}(k)$. Then, assuming differing-inputs obfuscation for all polynomial-time computable circuits and one-way functions, the proposed scheme $\mathcal{FE}_{II}$ is $(0, q)$-SIM-secure.
6 Multi-Input Functional Encryption Implies Obfuscation

In this section, we prove that various flavors of multi-input FE imply well established notions of program obfuscation.

Indistinguishability Obfuscation from MI-FE. Our first result shows that the indistinguishability notion of multi-input FE unconditionally implies indistinguishability obfuscation (note that such an implication is not known to hold for single-input FE). This, in particular, means that the use of indistinguishability obfuscation is unavoidable for multi-input FE, and any future improvement in the complexity assumptions on which multi-input FE is based will only come with a corresponding improvement in the indistinguishability obfuscation constructions. We state the theorem below for the "weakest" case of secret-key multi-input functional encryption (this only strengthens our result).

Theorem 18. $(0, 2)$-IND-secure MI-FE for general $(k+1)$-ary functions unconditionally implies indistinguishability obfuscation for all circuits with $k$-bit inputs.

Proof. We describe how to construct indistinguishability obfuscation for a circuit class $\mathcal{C}$ where for every $C \in \mathcal{C}$, $C : \{0,1\}^k \to \{0,1\}^k$ and $|C| = \ell$. Let $\mathsf{FE}$ be a $(0, 2)$-IND-secure MI-FE scheme for general $(k+1)$-ary functions. The PPT obfuscator $\mathsf{iO}$ works as follows.

• Consider a function $g$ s.t. $g(x_1, \ldots, x_k, C) = C(x_1 \| \ldots \| x_k)$ where for all $i$, $x_i \in \{0, 1\}$, and $C \in \{0,1\}^\ell$. Observe that the function $g$ acts as a universal circuit and treats its $(k+1)$-th input as a circuit.

• The obfuscator $\mathsf{iO}$ first runs the setup algorithm for $\mathsf{FE}$ to compute a master secret key $\mathsf{MSK}$ and encryption keys $\mathsf{EK}_1, \ldots, \mathsf{EK}_{k+1}$. It then runs the key generation algorithm of $\mathsf{FE}$ to generate a secret key for the function $g$ using $\mathsf{MSK}$. Denote the resulting decryption key as $\mathsf{SK}_g$.

• For all $i \in [k]$, $b \in \{0, 1\}$, let $\mathsf{CT}_i^b \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, b)$. All the encryptions are performed using independent random coins. Furthermore, let $\mathsf{CT}_{k+1} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_{k+1}, C)$.

• The obfuscated circuit $\mathsf{iO}(C) = (\{\mathsf{CT}_i^b\}_{i,b}, \mathsf{CT}_{k+1}, \mathsf{SK}_g)$.

To evaluate the obfuscated circuit on an input $x = (x_1, \ldots, x_k)$, simply evaluate the decryption algorithm $\mathsf{FE.Dec}(\mathsf{SK}_g, \{\mathsf{CT}_i^{x_i}\}_i, \mathsf{CT}_{k+1})$. This results in $g(x_1, \ldots, x_k, C) = C(x)$. This completes the description of the obfuscation scheme.

We now show that the above construction is indeed a secure indistinguishability obfuscation. This follows from the $(0, 2)$-IND-security of the underlying multi-input FE scheme. Consider any two functionally equivalent circuits $C_0$ and $C_1$ from $\mathcal{C}$. That is, for all $x \in \{0,1\}^k$, $C_0(x) = C_1(x)$. Now, suppose for contradiction that there exists a PPT adversary $A$ that distinguishes between $\mathsf{iO}(C_0)$ and $\mathsf{iO}(C_1)$ with non-negligible advantage. We will construct an adversary $B$ that breaks $(0, 2)$-IND-security of $\mathsf{FE}$. The adversary $B$ runs $A$ and receives circuits $C_0$ and $C_1$. It works as follows:

1. It defines challenge message vectors $X^0$ and $X^1$, where $X^b = \{x^b_{1,j}, \ldots, x^b_{k+1,j}\}_{j \in [2]}$. For every $i \in [k]$, set $x^b_{i,1} = 0$ and $x^b_{i,2} = 1$. (Note here that $x^0_{i,j} = x^1_{i,j}$.) Further, set $x^b_{k+1,1} = x^b_{k+1,2} = C_b$. $B$ sends over $X^0, X^1$ to the challenger in the IND security game. Let $\{\mathsf{CT}_{1,j}, \ldots, \mathsf{CT}_{k+1,j}\}_{j \in [2]}$ denote the challenge ciphertexts received by $B$.

2. Next, $B$ requests a secret key for the function $g$. Let $\mathsf{SK}_g$ be the secret key received by $B$.

3. Now, $B$ sends over $(\{\mathsf{CT}_{1,j}, \ldots, \mathsf{CT}_{k,j}\}_{j \in [2]}, \mathsf{CT}_{k+1,1}, \mathsf{SK}_g)$ as the challenge obfuscation to $A$. $B$ simply outputs the guess $b'$ returned by $A$.
This completes the description of $B$. We first argue that the challenge message vectors and the secret key query $g$ are $I$-compatible as per the IND security definition (Definition 3). (Here $I = \emptyset$.) To see this, note that for any $x = (x_1, \ldots, x_k)$, we have that:

$g(x_1, \ldots, x_k, C_0) = g(x_1, \ldots, x_k, C_1),$

since $C_0$ and $C_1$ are functionally equivalent. Now, note that if the challenge bit $b$ chosen by the IND-security game challenger is equal to 0, then the resulting obfuscation sent by $B$ to $A$ is of circuit $C_0$; otherwise it is an obfuscation of $C_1$. Thus, if $A$ can distinguish between these two cases with non-negligible advantage, then $B$ also wins the IND game with the same advantage. This completes the proof. □

Remark 19. We remark that in the above proof, the "order" of the key query $g$ is irrelevant. That is, $g$ could be queried before or after the ciphertext queries.
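The reduction in the proof of Theorem 18 is valid only if the challenge vectors $X^0$, $X^1$ are $I$-compatible with the single key query $g$ (here $I = \emptyset$). As an added example, not from the paper, the following Python represents a circuit $C$ as a straight-line gate list so that functionally equivalent circuits can have different descriptions, builds $X^0$ and $X^1$ exactly as $B$ does, and checks compatibility by enumerating every choice of one challenge message per slot; it handles general $n$ and $q$, not only $n = k+1$, $q = 2$. The gate encoding and the names `universal_g`, `build_challenge_vectors`, `is_compatible` and `demo` are this example's own choices.

```python
from itertools import product
from typing import Callable, List, Tuple

# A k-bit-input, k-bit-output circuit C is given by its *description*: a straight-line
# program over wires. Wires 0..k-1 are the inputs; each gate (op, a, b) appends one wire
# computed from wires a and b; the last k wires are the outputs. Two different
# descriptions may compute the same function, which is exactly what iO must hide.
# (The paper fixes |C| = ell for the whole class; the sample circuits below all have k gates.)
Gate = Tuple[str, int, int]
Circuit = Tuple[Gate, ...]
Bits = Tuple[int, ...]

_OPS = {
    "and": lambda u, v: u & v,
    "or": lambda u, v: u | v,
    "xor": lambda u, v: u ^ v,
    "nand": lambda u, v: 1 - (u & v),
    "nor": lambda u, v: 1 - (u | v),
}


def universal_g(*args) -> Bits:
    """The paper's universal function g(x_1, ..., x_k, C) = C(x_1 || ... || x_k):
    the (k+1)-th argument is a circuit description, evaluated on the first k bits."""
    *x, circuit = args
    k = len(x)
    wires: List[int] = list(x)
    for op, a, b in circuit:
        wires.append(_OPS[op](wires[a], wires[b]))
    return tuple(wires[-k:])


def build_challenge_vectors(k: int, c0: Circuit, c1: Circuit):
    """Challenge vectors X^0, X^1 as the reduction B defines them for q = 2:
    for i in [k], x^b_{i,1} = 0 and x^b_{i,2} = 1 (identical in both vectors), and
    slot k+1 holds C_b in both of its positions. X^b[i] lists slot i+1's messages."""
    x0 = [[0, 1] for _ in range(k)] + [[c0, c0]]
    x1 = [[0, 1] for _ in range(k)] + [[c1, c1]]
    return x0, x1


def is_compatible(f: Callable[..., object], x0, x1) -> bool:
    """I-compatibility of a key query f with challenge vectors X^0, X^1 in the
    secret-key case I = {} (the only case this example models): for every selection
    (j_1, ..., j_n) of one challenge message per slot, f must agree on the X^0 and
    X^1 selections. The loop runs over the same q^n selections that the paper's
    out vector enumerates, so it is exponential in n by design."""
    n = len(x0)
    if n == 0 or n != len(x1):
        raise ValueError("X^0 and X^1 must have the same number of slots")
    q = len(x0[0])
    if any(len(s) != q for s in x0) or any(len(s) != q for s in x1):
        raise ValueError("every slot must hold exactly q challenge messages")
    for js in product(range(q), repeat=n):
        sel0 = [x0[i][js[i]] for i in range(n)]
        sel1 = [x1[i][js[i]] for i in range(n)]
        if f(*sel0) != f(*sel1):
            return False  # a distinguishing selection exists; the query is not allowed
    return True


def demo(k: int = 3) -> Tuple[bool, bool]:
    """Constructed sample circuits (not from the paper): bitwise NOT written as
    NAND(x_i, x_i) versus as NOR(x_i, x_i) are different descriptions of the same
    function, so B's challenge vectors are compatible with g. Against a different
    function (identity, written as AND(x_i, x_i)) they are not, and B's query
    would be rejected by the IND game."""
    not_via_nand: Circuit = tuple(("nand", i, i) for i in range(k))
    not_via_nor: Circuit = tuple(("nor", i, i) for i in range(k))
    identity: Circuit = tuple(("and", i, i) for i in range(k))
    x0, x1 = build_challenge_vectors(k, not_via_nand, not_via_nor)
    y0, y1 = build_challenge_vectors(k, not_via_nand, identity)
    return is_compatible(universal_g, x0, x1), is_compatible(universal_g, y0, y1)
```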

Virtual Black-Box Obfuscation from MI-FE. We now give two results for constructing virtual black-box obfuscation from various flavors of MI-FE. We first note that the same construction as above (Theorem 18), in fact, implies virtual black-box obfuscation when $\mathsf{FE}$ is $(0, 2)$-SIM-secure.

Theorem 20. $(0, 2)$-SIM-secure FE for general $(k+1)$-ary functions unconditionally implies virtual black-box obfuscation for all circuits with $k$-bit inputs.

Next, we show that SIM-secure multi-input FE, where at least one of the encryption keys may be made public, implies virtual black-box obfuscation.

Theorem 21. $(1, 1)$-SIM-secure MI-FE for general 2-ary functions unconditionally implies virtual black-box obfuscation for all circuits.

Sketch. The proof of this theorem is quite similar to that of the previous one and we only provide a sketch here. The basic idea, as before, is to give out keys for a universal circuit $g$. The first input to $g$ will be the function $f$ which we wish to obfuscate. The encryption key $\mathsf{EK}_1$ will be kept secret, and the ciphertext $\mathsf{FE.Enc}(\mathsf{EK}_1, f)$ will be included as part of the obfuscated circuit. The second input $x$ will be the input on which the user wishes to evaluate $f$. Hence, the user is given access to the second encryption key $\mathsf{EK}_2$ (as part of the obfuscated circuit) to enable it to encrypt any $x$. More details follow:

• Consider a function $g$ s.t. $g(C, x) = C(x)$. Let $\mathsf{FE}$ be a $(1, 1)$-SIM-secure MI-FE for general 2-ary functions. The obfuscator $\mathsf{VBB}$ runs the setup algorithm for $\mathsf{FE}$ to compute $\mathsf{MSK}$ and encryption keys $(\mathsf{EK}_1, \mathsf{EK}_2)$. It then runs the key generation algorithm of $\mathsf{FE}$ to generate a secret key $\mathsf{SK}_g$ for the above function $g$ using $\mathsf{MSK}$.

• Let $\mathsf{CT} \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_1, C)$. The obfuscated circuit $\mathsf{VBB}(C) = (\mathsf{CT}, \mathsf{EK}_2, \mathsf{SK}_g)$.

To evaluate the obfuscated circuit on an input $x$, compute $\mathsf{CT}' \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_2, x)$, and run $\mathsf{FE.Dec}(\mathsf{SK}_g, \mathsf{CT}, \mathsf{CT}')$. This results in $g(C, x) = C(x)$.

The virtual black-box obfuscation property follows from the fact that the view of the user can be simulated given access to a trusted party holding the first input $f$, and evaluating $g(f, \cdot)$ on any second input $x$ of the user's choice. □

6.1 Impossibility Results for SIM-secure MI-FE

Here, we discuss some impossibility results for simulation-secure MI-FE that complement our positive results given in Sections 4 and 5.

Recall that [BSW11, BO13] already establish the impossibility of $(0, \mathrm{poly}(k))$-SIM-secure functional encryption for 1-ary functions. We show that for $n$-ary functions, where $n \geq 2$, the situation is much worse. In particular, recall that Barak et al. [BGI+01] proved an (unconditional) impossibility result for VBB obfuscation for general circuits. Then, combining their result with Theorem 21, we get the following result:

Theorem 22. $(1, 1)$-SIM-secure multi-input functional encryption for general 2-ary functions is impossible.

We remark that our positive results for SIM-secure MI-FE in Sections 4 and 5 are consistent with the above negative result and that of [BSW11, BO13].


Simulation-secure MI-FE against Non-Adaptive Key Queries. So far in this paper, we have only considered simulation security for MI-FE in the setting where an adversary makes key queries after choosing the challenge messages. Following the terminology from the literature on single-input functional encryption, such queries are referred to as adaptive key queries. One can consider the "opposite" scenario, where the adversary is allowed to make key queries before choosing the challenge messages. This setting has been well studied in the case of single-input functional encryption, where such queries are referred to as non-adaptive key queries.

We now discuss the feasibility of simulation-based security for non-adaptive key queries (referred to as NA-SIM security) in our setting of multi-input FE. NA-SIM security for multi-input FE is defined similarly to Definition 4 except that now the adversary is required to make key queries before (as opposed to after) choosing the challenge messages. More concretely, we can define $(t, p, q)$-NA-SIM-secure functional encryption where (as earlier) $t$ denotes the number of encryption keys known to the adversary and $q$ denotes the number of challenge messages per encryption key. The new parameter $p$ denotes the total number of non-adaptive key queries by the adversary. For completeness, we provide a formal definition in Appendix D.

Now, observe that the proofs of Theorem 21 and Theorem 20 are insensitive to the "order" of the key query; i.e., they go through even if the key query is non-adaptive. Then, combining these results with the impossibility result of Barak et al. [BGI+01], we obtain the following two (incomparable) results:

Theorem 23. $(1, 1, 1)$-NA-SIM-secure multi-input functional encryption for general 2-ary functions is impossible.

Theorem 24. $(0, 1, 2)$-NA-SIM-secure multi-input functional encryption for general $(k+1)$-ary functions is impossible.

We remark that we have stated Theorem 24 for the secret-key setting (as opposed to for general $t$) since it is the "weakest" case, and therefore only strengthens our result.

While the above impossibility results rule out achieving NA-SIM-security for general functions (in particular, they rule out NA-SIM-security for the arguably unnatural function that cannot be VBB obfuscated [BGI+01]), we also provide another impossibility result for the weak pseudo-random function.

Let $\{F_K\}$ be a weak pseudo-random function family with key space $\mathcal{K}$ and message space $\mathcal{X}$. The 2-ary $\mathsf{wPRF}(\cdot, \cdot)$ functionality on input key $K \in \mathcal{K}$ and message $x \in \mathcal{X}$ outputs $F_K(x)$. We shall call $K$ the first input and $x$ the second input to $\mathsf{wPRF}$. We claim the following:

Theorem 25. $(0, 1, \mathrm{poly}(k))$-NA-SIM-secure functional encryption for the weak PRF functionality $\mathsf{wPRF}(\cdot, \cdot)$ is impossible.


Proof (Sketch). Here, we sketch a proof for black-box simulation. The proof follows along the same lines as in [AGVW13]. Suppose for contradiction that there exists a $(0, 1, \mathrm{poly}(k))$-NA-SIM-secure functional encryption $\mathsf{FE}$ for the weak PRF functionality. Let $\ell - 1$ denote an upper bound on the ciphertext size in $\mathsf{FE}$. We construct an adversary $A$ that makes a single key query and $\ell^2$ message queries (per encryption key) such that every (black-box) simulator "fails" to simulate the view of $A$.

The adversary $A$ first makes a single (non-adaptive) key query for the 2-ary function $\mathsf{wPRF}$. Let $L = \ell^2$. Then, $A$ asks for ciphertexts for $L$ first inputs $k_1, \ldots, k_L$ and $L$ second inputs $x_1, \ldots, x_L$, where each $k_i$ is chosen uniformly at random from the key space $\mathcal{K}$ and each $x_i$ is chosen uniformly at random from the message space $\mathcal{X}$. Now the simulator first needs to produce a key $\mathsf{SK}_{\mathsf{wPRF}}$ and then it is given the functionality's outputs $\{\mathsf{wPRF}(k_i, x_j)\}_{i=1, j=1}^{L, L}$. Now, the simulator has to produce $2L$ ciphertexts $\{\mathsf{CT}_i^1\}_{i=1}^{L}, \{\mathsf{CT}_j^2\}_{j=1}^{L}$ such that for every $i \in [L]$, $j \in [L]$, $\mathsf{wPRF}(k_i, x_j) = \mathsf{FE.Dec}(\mathsf{SK}_f, \mathsf{CT}_i^1, \mathsf{CT}_j^2)$.

Thus, on the one hand, the simulator needs to "encode" all of the functionality's outputs into $2L$ ciphertexts. On the other hand, the functionality's outputs are $L^2 = \ell^4$ pseudo-random bits, while the total length of the $2L$ ciphertexts is $2L(\ell - 1) < 2\ell^3$ bits. Since a pseudo-random string cannot be efficiently compressed, we get a contradiction. □


Discussion. Recall that the lower bounds of [AGVW13, GI.T+13] already establish that it is impossible to achieve $(0, \mathrm{poly}(k), 1)$-NA-SIM-secure functional encryption for 1-ary functions (specifically, the weak PRF functionality). That is, it is impossible to achieve NA-SIM security against an unbounded number of non-adaptive key queries even in the secret-key setting. Our impossibility results in Theorem 24 and Theorem 25 establish that it is also impossible to achieve NA-SIM security against an unbounded number of ciphertext queries. Thus, NA-SIM-secure MI-FE is only possible for a bounded number of key queries and a bounded number of ciphertext queries. This is strictly worse than what can be achieved in the case of SIM security (where an unbounded number of key queries can be achieved, in the secret-key setting, as exemplified by our positive results).


7 Extension to Randomized Functionalities

Our positive results for multi-input functional encryption presented in Sections 4 and 5 only concern deterministic $n$-ary functions. Here, we discuss how to extend our results to handle randomized functionalities.

Modeling Security. In the single-input setting, the case of randomized functionalities was recently considered by Goyal et al. [GJKS13]. Very briefly, Goyal et al. observed that in the setting of randomized functionalities, the central challenge is to ensure that the random coins used for computing a function output are unbiased and remain hidden from the participants (i.e., the encryptor/sender and the decryptor/receiver). As such, in addition to requiring security against dishonest receivers, one must explicitly require security against dishonest senders to ensure that it is not possible to force "bad" outputs on an honest receiver.

We follow the same approach in our multi-input setting. Specifically, following [GJKS13], below we formalize a definition for security against dishonest senders. Overall, we will say that a multi-input functional encryption scheme for a randomized function family is secure if it achieves security against both dishonest senders and dishonest receivers.

Definition 26 (Security against Dishonest Senders). We say that a functional encryption scheme $\mathsf{FE}$ for $n$-ary (randomized) functions $\mathcal{F}$ is $t$-secure against dishonest senders if for every PPT adversary $A = (A_0, A_1, A_2)$, there exists a PPT simulator $S = (S_0, S_1, S_2)$ such that the outputs of the following two experiments are computationally indistinguishable:
Experiment $\mathsf{REAL}_{\mathsf{FE}}(1^k)$:

$(I, \mathsf{st}_0) \leftarrow A_0(1^k)$ where $|I| = t$

$(\mathsf{EK}, \mathsf{MSK}) \leftarrow \mathsf{FE.Setup}(1^k)$

$(\{f\}, \mathcal{M}, \mathsf{st}_1) \leftarrow A_1(\mathsf{st}_0, \mathsf{EK}_I)$

$\mathsf{SK}_f \leftarrow \mathsf{FE.Keygen}(\mathsf{MSK}, f)$ $\forall\, f \in \{f\}$

$\mathsf{CT}_i \leftarrow \mathsf{FE.Enc}(\mathsf{EK}_i, x_i)$ where $x_i \leftarrow \mathcal{M}$ $\forall\, i \in [n] \setminus I$

$\alpha \leftarrow A_2^{\mathcal{O}(\{\mathsf{SK}_f\}, \mathsf{CT}_i)}(\mathsf{CT}, \mathsf{st}_1)$

Output: $(I, \{f\}, \mathcal{M}, x, \{\mathsf{out}\}, \alpha)$

Experiment $\mathsf{IDEAL}_{\mathsf{FE}}(1^k)$:

$(I, \mathsf{st}_0) \leftarrow S_0(1^k)$

$(\{f\}, \mathcal{M}, \mathsf{st}_1) \leftarrow S_1(\mathsf{st}_0)$

$x_i \leftarrow \mathcal{M}$ $\forall\, i \in [n] \setminus I$

$\alpha \leftarrow S_2^{\mathsf{TP}(\{f\}, x, \cdot)}(\mathsf{st}_1)$

Output: $(I, \{f\}, \mathcal{M}, x, \{\mathsf{out}'\}, \alpha)$

where,

• In the real world, oracle $\mathcal{O}(\{\mathsf{SK}_f\}, \mathsf{CT}_i)$ accepts queries of the form $(\mathsf{CT}^*_1, \ldots, \mathsf{CT}^*_t)$ such that for every $i \in [t]$, $j \in [n] \setminus I$, $\mathsf{CT}^*_i \neq \mathsf{CT}_j$. It outputs $\mathsf{FE.Dec}(\mathsf{SK}_f, (\mathsf{CT}_1, \ldots, \mathsf{CT}_{n-t}, \mathsf{CT}^*_1, \ldots, \mathsf{CT}^*_t)_\pi)$ for every $\mathsf{SK}_f \in \{\mathsf{SK}_f\}$. Here, $(z_{i_1}, \ldots, z_{i_n})_\pi$ denotes a permutation of the ciphertexts $z_{i_1}, \ldots, z_{i_n}$ such that $z_{i_j}$ is mapped to the $\ell$'th location if $z_{i_j}$ is encrypted via the encryption key $\mathsf{EK}_\ell$. Further, $\{\mathsf{out}\}$ denotes the set of outputs of $\mathcal{O}$ to $A_2$'s decryption queries.

• In the ideal world, the trusted party $\mathsf{TP}(\{f\}, x, \cdot)$ accepts queries of the form $(x^*_1, \ldots, x^*_t)$ and outputs $f_j((x_{i_1}, \ldots, x_{i_{n-t}}, x^*_1, \ldots, x^*_t)_\pi; r_j)$ for every $f_j \in \{f\}$. Here $r_j$ is chosen uniformly at random and $(z_{i_1}, \ldots, z_{i_n})_\pi$ denotes a permutation of the values $z_{i_1}, \ldots, z_{i_n}$ such that the value $z_{i_j}$ is mapped to the $\ell$'th location if $z_{i_j}$ is the $\ell$'th input (out of $n$ inputs) to $f$. Further, $\{\mathsf{out}'\}$ denotes the set of outputs of $\mathsf{TP}$ to the queries of $S_2$.

We now define SIM security for multi-input functional encryption for randomized functions. We note that IND security can be defined analogously; we skip the details.

Definition 27. We say that a functional encryption scheme $\mathsf{FE}$ for $n$-ary (randomized) functions $\mathcal{F}$ is $(t_1, t_2, q)$-SIM-secure if:

1. $\mathsf{FE}$ is $t_1$-secure against dishonest senders.

2. $\mathsf{FE}$ is $(t_2, q)$-SIM-secure against dishonest receivers.

Positive Results for Randomized Functionalities. Building on the techniques of [GJKS13], both of our constructions for multi-input functional encryption presented in Sections 4 and 5 can be extended to handle randomized functionalities. Below, we outline the necessary modifications to our second scheme $\mathcal{FE}_{II}$ to define a new scheme $\mathsf{FE}$. (We note that $\mathcal{FE}_I$ can be modified in a similar manner to handle randomized functionalities.)

$\mathsf{FE}$ is defined similarly to $\mathcal{FE}_{II}$, with the following necessary changes:

1. To encrypt a message $x$, we follow the same steps as in $\mathcal{FE}_{II}$ to compute $(c_1, c_2, \pi)$. Next, we sample a key pair $(\mathsf{sk}, \mathsf{vk})$ for a strongly unforgeable one-time signature scheme. The final ciphertext $\mathsf{CT}$ consists of $(c_1, c_2, \pi, \mathsf{vk}, \sigma)$, where $\sigma$ is a signature over $c_1 \| c_2 \| \pi$ using $\mathsf{sk}$.

2. To compute a secret key $\mathsf{SK}_f$ for a (randomized) function $f$, we first sample a key $K$ for a puncturable pseudo-random function (PRF) [SW13, BW13, BGI13, KPTZ13]. Then, key $\mathsf{SK}_f$ is computed as $\mathsf{diO}(\mathcal{H}'_f)$ where $\mathcal{H}'_f$ is defined similarly to the functionality $\mathcal{H}_f$ except that:

• We additionally check whether the signature $\sigma_i$ in each input ciphertext $\mathsf{CT}_i$ is valid.

• Further, after decrypting each input ciphertext $\mathsf{CT}_i$ to compute $x_i$, we first compute randomness $r$ as the output of the PRF on input $\mathsf{CT}_1 \| \ldots \| \mathsf{CT}_n$ using key $K$. The final output is then computed as $f(x_1, \ldots, x_n; r)$.
Very briefly, security against dishonest senders follows from the same ideas as in [NY90, DDN91, Sah99]. Specifically, incorporating the one-time signatures in the ciphertexts ensures that each ciphertext is unique (and therefore, an adversary cannot modify an honest sender's ciphertext to create a decryption query). Further, it is possible to extract the input from an adversarially created ciphertext using one of the secret keys (while using the semantic security for the other key). Security against dishonest receivers follows largely in the same manner as for $\mathsf{FE}_2$. The main difference now is that (as in [GJKS13]) we use the punctured PRF to remove all the secret information in the PRF key for the point $\mathrm{CT}_1 \| \ldots \| \mathrm{CT}_n$, where $\mathrm{CT}_1, \ldots, \mathrm{CT}_n$ denotes a challenge ciphertext tuple. From the security of the obfuscation, it follows that this randomness remains hidden from an honest receiver. We refer the reader to [GJKS13] for more details on the proof.
A Completing sel-IND Security Proof for $\mathsf{FE}_1$

Lemma 28 ($H_0 \approx H_1$). Assuming that Com is a (computationally) hiding commitment scheme, the outputs of experiments $H_0$ and $H_1$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_0$ and $H_1$ is the manner in which the commitments $\{Z_1^{i,j}\}$ are computed: in $H_0$, every $Z_1^{i,j}$ is a commitment to the all-zeros string $0^{\mathsf{len}}$, while in $H_1$, $Z_1^{i,j}$ is a commitment to $c_1^{i,j} \| c_2^{i,j}$. Further, note that the randomness used to compute $Z_1^{i,j}$ is not used elsewhere in the experiment. Then, by a standard hybrid argument, the indistinguishability of $H_0$ and $H_1$ follows from the computational hiding property of Com. We omit the details. □

Lemma 29 ($H_1 \approx H_2$). Assuming that (CRSGen, Prove, Verify) is witness indistinguishable, the outputs of experiments $H_1$ and $H_2$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_1$ and $H_2$ is the manner in which the proof strings $\pi^{i,j}$ in the challenge ciphertexts $\mathrm{CT}_{i,j}$ are computed: in $H_1$, every $\pi^{i,j}$ is computed using the real witness, while in $H_2$, $\pi^{i,j}$ is computed using the trapdoor witness. Then, by a standard hybrid argument, the indistinguishability of $H_1$ and $H_2$ follows from the witness indistinguishability property of the NIWI proof system. □

Lemma 30 ($H_2 \approx H_3$). Assuming that Com is a (computationally) hiding commitment scheme, the outputs of experiments $H_2$ and $H_3$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_2$ and $H_3$ is the manner in which the commitments $\{Z_2^i\}$ are computed: in $H_2$, every $Z_2^i$, where $i \in I$, is a commitment to 0, while in $H_3$, $Z_2^i$ is a commitment to 1. Further, note that the randomness used to compute $Z_2^i$ is not used anywhere else in the experiment. Then, by a standard hybrid argument, the indistinguishability of $H_2$ and $H_3$ follows from the computational hiding property of Com. □
Lemma 31 ($H_3 \approx H_4$). Assuming that PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is a semantically secure public-key encryption scheme, the outputs of experiments $H_3$ and $H_4$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_3$ and $H_4$ is the manner in which the second ciphertexts $c_2^{i,j}$ in the challenge ciphertexts $\mathrm{CT}_{i,j}$ are computed: in $H_3$, $c_2^{i,j}$ is an encryption of the challenge message $x_{i,j}$, while in $H_4$, $c_2^{i,j}$ is an encryption of 0. Further, note that neither the randomness $s_2^{i,j}$ used to compute $c_2^{i,j}$ nor the secret key $sk_2$ is used anywhere else in the experiment. Then, by a standard hybrid argument, the indistinguishability of $H_3$ and $H_4$ follows from the semantic security of PKE. □

Lemma 32 ($H_4 \approx H_5$). Assuming that $i\mathcal{O}$ is an indistinguishability obfuscator, Com is perfectly binding and (CRSGen, Prove, Verify) is a proof system, the outputs of the experiments $H_4$ and $H_5$ are computationally indistinguishable.

Proof. We prove the lemma for the simplified case where the adversary makes a single key query $f$. We remark that by a standard hybrid argument, the proof can be easily extended to the more general case where the adversary makes $\mathrm{poly}(k)$ key queries.

Now, note that the only difference between $H_4$ and $H_5$ is the manner in which the secret key $\mathrm{SK}_f$ for the key query $f$ is computed: in experiment $H_4$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $G_f$, while in $H_5$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $G'_f$. Now, if $G_f$ and $G'_f$ have the same output behavior on all input points, then the computational indistinguishability of $H_4$ and $H_5$ follows immediately from the indistinguishability of $i\mathcal{O}(G_f)$ and $i\mathcal{O}(G'_f)$. Thus, all that remains to prove is that for all inputs $z$, $G_f(z) = G'_f(z)$.

Towards that end, we first assume without loss of generality that the encryption scheme PKE = (PKE.Setup, PKE.Enc, PKE.Dec) does not have any decryption error. We make the following claim:

Claim 33. For any input $z$, $G_f(z) = \bot$ iff $G'_f(z) = \bot$.

Proof. Let $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ be any input to $G_f$ and $G'_f$. For every $i \in [n]$, let $\mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$. Note that both $G_f$ and $G'_f$ output $\bot$ on input $z$ iff there exists $i \in [n]$ such that $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 0$, where $y_i = (c_{i,1}, c_{i,2}, pk_1, pk_2, \{Z_1^{i,j}\}, Z_2^i)$ is the statement corresponding to the NIWI proof $\pi_i$. The claim follows. □

Following the above claim, we shall call an input $z$ to $G_f$ and $G'_f$ a valid input if $G_f(z) \neq \bot$ (and $G'_f(z) \neq \bot$). We now demonstrate that the outputs of $G_f$ and $G'_f$ differ on a valid input $z$ only if $z$ satisfies some specific properties. Later, we will rely on the binding property of Com and the statistical soundness of the NIWI proof system to show that such an input $z$ does not exist, thus completing the proof.

Claim 34. Let $\{\mathrm{CT}_{1,j}, \ldots, \mathrm{CT}_{n,j}\}_{j=1}^{q}$ denote the challenge ciphertexts given to the adversary, where every $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$. Then, for every valid input $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ to $G_f$ and $G'_f$ such that $G_f(z) \neq G'_f(z)$, there exists $i \in [n]$, $\mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$ in $z$ such that one of the following two cases holds:

Case 1: If $i \in I$, then $c_{i,1}$ and $c_{i,2}$ are encryptions of different messages, and for every $j \in [q]$, either $c_{i,1} \neq c_1^{i,j}$ or $c_{i,2} \neq c_2^{i,j}$.

Case 2: If $i \in N \setminus I$, then for every $j \in [q]$, either $c_{i,1} \neq c_1^{i,j}$ or $c_{i,2} \neq c_2^{i,j}$.

Proof. Suppose that the claim is false. That is, there exists a valid input $z^* = (\mathrm{CT}^*_1, \ldots, \mathrm{CT}^*_n)$ such that $G_f(z^*) \neq G'_f(z^*)$, yet $z^*$ satisfies the following conditions:

Condition A: For every $i \in I$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$ is such that:

1. Either there exists $j_i \in [q]$ such that $c^*_{i,1} = c_1^{i,j_i}$ and $c^*_{i,2} = c_2^{i,j_i}$, or

2. $c^*_{i,1}$ and $c^*_{i,2}$ are encryptions of the same message. Let $x'_i$ denote this message.

Condition B: For every $i \in N \setminus I$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$ is such that there exists $j_i \in [q]$ with $c^*_{i,1} = c_1^{i,j_i}$ and $c^*_{i,2} = c_2^{i,j_i}$.

Let us inspect the outputs of $G_f$ and $G'_f$ on the input $z^*$. We have that:

$$G_f(z^*) = f\Big(\big(\{\mathsf{PKE.Dec}(sk_1, c_1^{i,j_i})\}_{i \in N \setminus I},\ \{\mathsf{PKE.Dec}(sk_1, c^*_{i,1})\}_{i \in I}\big)\Big),$$

$$G'_f(z^*) = f\Big(\big(\{\mathsf{PKE.Dec}(sk_2, c_2^{i,j_i})\}_{i \in N \setminus I},\ \{\mathsf{PKE.Dec}(sk_2, c^*_{i,2})\}_{i \in I}\big)\Big),$$

where for $\ell \in [2]$, $\big(\{\mathsf{PKE.Dec}(sk_\ell, c_\ell^{i,j_i})\}_{i \in N \setminus I}, \{\mathsf{PKE.Dec}(sk_\ell, c^*_{i,\ell})\}_{i \in I}\big)$ denotes the "arrangement" of the values $\{\mathsf{PKE.Dec}(sk_\ell, c_\ell^{i,j_i})\}_{i \in N \setminus I}$, $\{\mathsf{PKE.Dec}(sk_\ell, c^*_{i,\ell})\}_{i \in I}$ according to their input positions in $f$. Now, let $I' \subseteq I$ be such that for every $i \in I'$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$ satisfies the condition A(2). Thus, for every $i \in I \setminus I'$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$ satisfies the condition A(1). Then, we have:

$$G_f(z^*) = f\Big(\big(\{x^0_{i,j_i}\}_{i \in N \setminus I'},\ \{x'_i\}_{i \in I'}\big)\Big), \qquad G'_f(z^*) = f\Big(\big(\{x^1_{i,j_i}\}_{i \in N \setminus I'},\ \{x'_i\}_{i \in I'}\big)\Big),$$

where $X^0 = \{x^0_{1,j}, \ldots, x^0_{n,j}\}_{j=1}^{q}$ and $X^1 = \{x^1_{1,j}, \ldots, x^1_{n,j}\}_{j=1}^{q}$ are the challenge messages.

Now, it follows from the I-Compatibility property in the IND-security definition (see Definition 3) that $G_f(z^*) = G'_f(z^*)$, which is a contradiction. □


Completing the proof of Lemma 32. We now prove that for every valid input $z$, $G_f(z) = G'_f(z)$. For the sake of contradiction, suppose not. That is, let $z^*$ be a valid input such that $G_f(z^*) \neq G'_f(z^*)$. Following Claim 34, fix $i \in [n]$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$ in $z^*$ to be such that either Case 1 or Case 2 holds.

First observe that since $z^*$ is a valid input, we have that $\mathsf{Verify}(\mathsf{crs}, y^*_i, \pi^*_i) = 1$, where $y^*_i = (c^*_{i,1}, c^*_{i,2}, pk_1, pk_2, \{Z_1^{i,j}\}, Z_2^i)$ is the statement corresponding to the proof string $\pi^*_i$. Then, since (CRSGen, Prove, Verify) is a statistically sound proof system, it follows that the statement $y^*_i$ must be true, i.e., there exists either a real witness or a trapdoor witness for $y^*_i$ (see Section 4 for the definitions of real and trapdoor witnesses). We now consider the two cases:

Case 1. $i \in I$: Since $c^*_{i,1}$ and $c^*_{i,2}$ are encryptions of different messages, there does not exist a real witness for $y^*_i$. Then, suppose that there exists a trapdoor witness $w_{\mathsf{trap}} = (j, r_1^{i,j})$ for $y^*_i$. That is, suppose that $\exists j \in [q]$ and randomness $r_1^{i,j}$ such that $Z_1^{i,j} = \mathsf{Com}(c^*_{i,1} \| c^*_{i,2}; r_1^{i,j})$. However, note that in experiments $H_4$ and $H_5$, $Z_1^{i,j}$ is computed as a commitment to $c_1^{i,j} \| c_2^{i,j}$. Since Com is perfectly binding and either $c^*_{i,1} \neq c_1^{i,j}$ or $c^*_{i,2} \neq c_2^{i,j}$, we obtain a contradiction.

Case 2. $i \in N \setminus I$: First observe that since $Z_2^i$ is computed as a commitment to 1 in experiments $H_4$ and $H_5$, it follows from the perfect binding property of Com that there does not exist a real witness for $y^*_i$. Then, suppose that there exists a trapdoor witness $w_{\mathsf{trap}} = (j, r_1^{i,j})$ for $y^*_i$. That is, suppose that $\exists j \in [q]$ and randomness $r_1^{i,j}$ such that $Z_1^{i,j} = \mathsf{Com}(c^*_{i,1} \| c^*_{i,2}; r_1^{i,j})$. However, note that in experiments $H_4$ and $H_5$, $Z_1^{i,j}$ is computed as a commitment to $c_1^{i,j} \| c_2^{i,j}$. Since Com is perfectly binding and either $c^*_{i,1} \neq c_1^{i,j}$ or $c^*_{i,2} \neq c_2^{i,j}$, we obtain a contradiction. □


Lemma 35 ($H_5 \approx H_6$). Assuming that PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is a semantically secure public-key encryption scheme, the outputs of experiments $H_5$ and $H_6$ are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 31. □

Lemma 36 ($H_6 \approx H_7$). Assuming that $i\mathcal{O}$ is an indistinguishability obfuscator, (CRSGen, Prove, Verify) is a proof system, and Com is perfectly binding, the outputs of experiments $H_6$ and $H_7$ are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 32. □

Lemma 37 ($H_7 \approx H_8$). Assuming that Com is a (computationally) hiding commitment scheme, the outputs of experiments $H_7$ and $H_8$ are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 30. □

Lemma 38 ($H_8 \approx H_9$). Assuming that (CRSGen, Prove, Verify) is witness indistinguishable, the outputs of experiments $H_8$ and $H_9$ are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 29. □

Lemma 39 ($H_9 \approx H_{10}$). Assuming that Com is a (computationally) hiding commitment scheme, the outputs of experiments $H_9$ and $H_{10}$ are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 28. □

B Completing SIM Security Proof for $\mathsf{FE}_1$

We now describe a series of hybrid experiments $H_0, \ldots, H_8$, where $H_0$ corresponds to the real world and $H_8$ corresponds to the ideal world experiment. For every $i$, we will prove that the output of $H_i$ is computationally indistinguishable from the output of $H_{i+1}$.

Hybrid $H_0$: This is the real experiment.

Hybrid $H_1$: This experiment is the same as $H_0$ except in the manner in which the key queries of the adversary are answered. Let $\{x_{1,j}, \ldots, x_{n,j}\}_{j=1}^{q} \leftarrow \mathcal{M}$ be the challenge messages. Then, whenever the adversary makes a key query $f$, we perform the following steps:

• Query the trusted party TP on function $f$. For every $(j_1, \ldots, j_n) \in [q]^n$, the trusted party computes and returns the function output $\mathsf{out}[j_1, \ldots, j_n] = f(x_{1,j_1}, \ldots, x_{n,j_n})$.

• Compute the secret key $\mathrm{SK}_f$ for function $f$ as $\mathrm{SK}_f \leftarrow i\mathcal{O}(\mathsf{Sim}.G_f)$, where $\mathsf{Sim}.G_f$ is as described in Figure 2.

For every $i \in [n]$, $j \in [q]$, let $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$ denote the challenge ciphertext computed by the experiment. Then, note that $\mathsf{Sim}.G_f$ has the master secret key MSK, the ciphertext pairs $\{(c_1^{i,j}, c_2^{i,j})\}$ and the outputs $\{\mathsf{out}[j_1, \ldots, j_n]\}$ hardwired in it.

Hybrid $H_2$: This experiment is the same as $H_1$ except that the setup algorithm computes the commitments $\{Z_1^{i,j}\}$ in the following manner: let the challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$. Then, $Z_1^{i,j} \leftarrow \mathsf{Com}(c_1^{i,j} \| c_2^{i,j})$.

Hybrid $H_3$: This experiment is the same as $H_2$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the proof string $\pi^{i,j}$ is computed using the trapdoor witness.

Hybrid $H_4$: This experiment is the same as $H_3$ except that the setup algorithm computes every $Z_2^i$ as a commitment to 1 (instead of 0). That is, for every $i \in [n]$, $Z_2^i \leftarrow \mathsf{Com}(1)$.

Hybrid $H_5$: This experiment is the same as $H_4$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the second ciphertext $c_2^{i,j}$ is an encryption of zeros, i.e., $c_2^{i,j} \leftarrow \mathsf{FE.Enc}(\mathrm{EK}_i, 0^k)$.

Hybrid $H_6$: This experiment is the same as $H_5$ except that for every key query $f$, the corresponding secret key $\mathrm{SK}_f$ is computed as $\mathrm{SK}_f \leftarrow i\mathcal{O}(\mathsf{Sim}.G'_f)$, where $\mathsf{Sim}.G'_f$ is the same as the function $\mathsf{Sim}.G_f$ except that:

1. It has secret key $sk_2$ hardwired instead of $sk_1$.

2. It decrypts the second component of each input ciphertext using $sk_2$. More concretely, in step 1(c), plaintext $x_i$ is computed as $x_i \leftarrow \mathsf{PKE.Dec}(sk_2, c_{i,2})$.

Hybrid $H_7$: This experiment is the same as $H_6$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the first ciphertext $c_1^{i,j}$ is an encryption of zeros, i.e., $c_1^{i,j} \leftarrow \mathsf{FE.Enc}(\mathrm{EK}_i, 0^k)$.

Hybrid $H_8$: This experiment is the same as $H_7$ except that for every key query $f$, the corresponding secret key $\mathrm{SK}_f$ is computed as $\mathrm{SK}_f \leftarrow i\mathcal{O}(\mathsf{Sim}.G_f)$. Note that this is the ideal world experiment.

This completes the description of the hybrid experiments. We note that the proofs of indistinguishability of the hybrid experiments described above bear much similarity to the proof of IND security (Section 4.1). Therefore, to avoid repetition, below we only focus on the key hybrids that differ from the IND security case. Specifically, below, we prove indistinguishability of hybrid experiments $H_0$ and $H_1$, and then $H_5$ and $H_6$. For details on the rest of the proof, see Appendix A.


Lemma 40 ($H_0 \approx H_1$). Assuming that $i\mathcal{O}$ is an indistinguishability obfuscator, the outputs of experiments $H_0$ and $H_1$ are computationally indistinguishable.

Proof. We prove the lemma for the simplified case where the adversary makes a single key query $f$. By a standard hybrid argument, the proof can be easily extended to the more general case where the adversary makes $\mathrm{poly}(k)$ key queries.

Now, note that the only difference between $H_0$ and $H_1$ is the manner in which the secret key $\mathrm{SK}_f$ for the key query $f$ is computed: in experiment $H_0$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $G_f$, while in $H_1$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $\mathsf{Sim}.G_f$. Now, if $G_f$ and $\mathsf{Sim}.G_f$ have the same output behavior on all input points, then the computational indistinguishability of $H_0$ and $H_1$ follows immediately from the indistinguishability of $i\mathcal{O}(G_f)$ and $i\mathcal{O}(\mathsf{Sim}.G_f)$. Thus, all that remains to prove is that for all inputs $z$, $G_f(z) = \mathsf{Sim}.G_f(z)$.

Towards that end, let $\{\mathrm{CT}_{1,j}, \ldots, \mathrm{CT}_{n,j}\}_{j=1}^{q}$ denote the challenge ciphertexts computed in experiments $H_1$ and $H_2$, where every $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$. We say that an input $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ to $G_f$ and $\mathsf{Sim}.G_f$ is special if for every $\mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$:

• The proof $\pi_i$ is accepting, and

• There exists $j_i \in [q]$ s.t. $c_{i,1} = c_1^{i,j_i}$ and $c_{i,2} = c_2^{i,j_i}$.

Further, we call $(j_1, \ldots, j_n)$ the "index set" of $z$.

Now note that the only difference between the functions $G_f$ and $\mathsf{Sim}.G_f$ is that on a special input $z$ with index set $(j_1, \ldots, j_n)$, $\mathsf{Sim}.G_f$ skips the usual decryption step and directly outputs the value $\mathsf{out}[j_1, \ldots, j_n]$ hardwired in its description. Recall that (by definition) $\mathsf{out}[j_1, \ldots, j_n] = f(x_{1,j_1}, \ldots, x_{n,j_n})$, where $\{x_{1,j}, \ldots, x_{n,j}\}_{j=1}^{q}$ denote the challenge messages. However, on such an input $z$, by performing the decryption step, $G_f$ obtains the messages $(x_{1,j_1}, \ldots, x_{n,j_n})$ and therefore its output is $f(x_{1,j_1}, \ldots, x_{n,j_n})$ as well. □
Lemma 41 ($H_5 \approx H_6$). Assuming that $i\mathcal{O}$ is an indistinguishability obfuscator, Com is perfectly binding, and (CRSGen, Prove, Verify) is a proof system, the outputs of experiments $H_5$ and $H_6$ are computationally indistinguishable.

Proof. We prove the lemma for the simplified case where the adversary makes a single key query $f$. By a standard hybrid argument, our proof can be easily extended to the more general case where the adversary makes $\mathrm{poly}(k)$ key queries.

Now, note that the only difference between $H_5$ and $H_6$ is the manner in which the secret key $\mathrm{SK}_f$ for the key query $f$ is computed: in experiment $H_5$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $\mathsf{Sim}.G_f$, while in $H_6$, $\mathrm{SK}_f$ is an indistinguishability obfuscation of $\mathsf{Sim}.G'_f$. Now, if $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$ have the same output behavior on all input points, then the computational indistinguishability of $H_5$ and $H_6$ follows immediately from the indistinguishability of $i\mathcal{O}(\mathsf{Sim}.G_f)$ and $i\mathcal{O}(\mathsf{Sim}.G'_f)$. Thus, all that remains to prove is that for all inputs $z$, $\mathsf{Sim}.G_f(z) = \mathsf{Sim}.G'_f(z)$.

Towards that end, we first assume without loss of generality that the encryption scheme PKE = (PKE.Setup, PKE.Enc, PKE.Dec) does not have any decryption error. We make the following claim:

Claim 42. For any input $z$, $\mathsf{Sim}.G_f(z) = \bot$ iff $\mathsf{Sim}.G'_f(z) = \bot$.

Proof. Let $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ be any input to $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$. For every $i \in [n]$, let $\mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$. Note that both $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$ output $\bot$ on input $z$ iff there exists $i \in [n]$ such that $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 0$, where $y_i = (c_{i,1}, c_{i,2}, pk_1, pk_2, \{Z_1^{i,j}\}, Z_2^i)$ is the statement corresponding to the NIWI proof $\pi_i$. The claim immediately follows. □

Following the above claim, we shall call an input $z$ to $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$ a valid input if $\mathsf{Sim}.G_f(z) \neq \bot$ (and $\mathsf{Sim}.G'_f(z) \neq \bot$). We make the following claim regarding valid inputs:

Claim 43. Let $\{\mathrm{CT}_{1,j}, \ldots, \mathrm{CT}_{n,j}\}_{j=1}^{q}$ denote the challenge ciphertexts given to the adversary, where every $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$. Let $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ denote a valid input to $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$. Then, for every $\mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$, there exists $j_i \in [q]$ s.t. $c_{i,1} = c_1^{i,j_i}$ and $c_{i,2} = c_2^{i,j_i}$.

Proof. Suppose that the claim is false. That is, for a valid input $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$, $\exists\, \mathrm{CT}_i = (c_{i,1}, c_{i,2}, \pi_i)$ s.t. $\forall j \in [q]$, either $c_{i,1} \neq c_1^{i,j}$ or $c_{i,2} \neq c_2^{i,j}$. Now, since $z$ is a valid input, we have that $\mathsf{Verify}(\mathsf{crs}, y_i, \pi_i) = 1$, where $y_i = (c_{i,1}, c_{i,2}, pk_1, pk_2, \{Z_1^{i,j}\}, Z_2^i)$ is the statement corresponding to the NIWI proof $\pi_i$. Then, since (CRSGen, Prove, Verify) is a statistically sound proof system, it follows that the statement $y_i$ must be true. We consider the following two cases:

Case 1: The ciphertexts $c_{i,1}$ and $c_{i,2}$ are encryptions of the same message and there exists randomness $r_2^i$ s.t. $Z_2^i = \mathsf{Com}(0; r_2^i)$. However, note that in experiments $H_5$ and $H_6$, $Z_2^i$ is computed as a commitment to 1. Since Com is a perfectly binding commitment scheme, we obtain a contradiction.

Case 2: $\exists j \in [q]$ and randomness $r_1^{i,j}$ such that $Z_1^{i,j} = \mathsf{Com}(c_{i,1} \| c_{i,2}; r_1^{i,j})$. However, note that in experiments $H_5$ and $H_6$, $Z_1^{i,j}$ is computed as a commitment to $c_1^{i,j} \| c_2^{i,j}$. Since Com is a perfectly binding commitment scheme and either $c_{i,1} \neq c_1^{i,j}$ or $c_{i,2} \neq c_2^{i,j}$, we obtain a contradiction.

This completes the proof of the above claim. □


Completing the proof of Lemma 41. Following Claim 42, we only need to prove that for every valid input $z$, $\mathsf{Sim}.G_f(z) = \mathsf{Sim}.G'_f(z)$. Now, let $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$ be any valid input to $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$. From Claim 43, we have that for every $i \in [n]$, there exists $j_i \in [q]$ such that $\mathrm{CT}_i = (c_1^{i,j_i}, c_2^{i,j_i}, \pi_i)$. Then, note that on such an input $z = (\mathrm{CT}_1, \ldots, \mathrm{CT}_n)$, both $\mathsf{Sim}.G_f$ and $\mathsf{Sim}.G'_f$ output the same (programmed) value, i.e., $\mathsf{out}[j_1, \ldots, j_n]$.

This completes the proof of Lemma 41. □


C Proving IND Security for $\mathsf{FE}_2$

We now prove that the proposed scheme $\mathsf{FE}_2$ is $(t, \mathrm{poly}(k))$-IND-secure for any $t < n$ and an arbitrary $\mathrm{poly}(k)$ number of message queries. We will prove security via a series of hybrid experiments $H_0, \ldots, H_{10}$, where $H_0$ (resp., $H_{10}$) corresponds to the real world experiment with challenge bit $b = 0$ (resp., $b = 1$).

Hybrid $H_0$: This is the real experiment with challenge bit $b = 0$.

Hybrid $H_1$: This experiment is the same as $H_0$ except that the setup algorithm computes a "simulated" CRS for the simulation-sound NIZK proof system, i.e., the CRS is computed as $(\mathsf{crs}, \tau) \leftarrow \mathsf{Sim.CRSGen}(1^k)$.

Hybrid $H_2$: This experiment is the same as $H_1$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, $\pi^{i,j}$ is computed as a simulated proof, i.e., $\pi^{i,j} \leftarrow \mathsf{Sim.Prove}(\mathsf{crs}, \tau, y_{i,j})$, where the statement $y_{i,j} = (c_1^{i,j}, c_2^{i,j}, pk_1, pk_2, Z_i)$.

Hybrid $H_3$: This experiment is the same as $H_2$ except that for every $i \in N \setminus I$, the setup algorithm computes every $Z_i$ as a commitment to 1 (instead of 0), i.e., $Z_i \leftarrow \mathsf{Com}(1)$.

Hybrid $H_4$: This experiment is the same as $H_3$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the second ciphertext is an encryption of the challenge message $x^1_{i,j}$ (as opposed to $x^0_{i,j}$), i.e., $c_2^{i,j} \leftarrow \mathsf{FE.Enc}(\mathrm{EK}_i, x^1_{i,j})$.

Hybrid $H_5$: This experiment is the same as $H_4$ except that for every key query $f$, the corresponding secret key $\mathrm{SK}_f$ is computed as $\mathrm{SK}_f \leftarrow \mathrm{di}\mathcal{O}(H'_f)$, where $H'_f$ is the same as the function $H_f$ except that:

1. It has secret key $sk_2$ hardwired instead of $sk_1$.

2. It decrypts the second component of each input ciphertext using $sk_2$. More concretely, in step 1(c), plaintext $x_i$ is computed as $x_i \leftarrow \mathsf{PKE.Dec}(sk_2, c_{i,2})$.

Hybrid $H_6$: This experiment is the same as $H_5$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the first ciphertext $c_1^{i,j}$ is an encryption of the challenge message $x^1_{i,j}$ (as opposed to $x^0_{i,j}$), i.e., $c_1^{i,j} \leftarrow \mathsf{FE.Enc}(\mathrm{EK}_i, x^1_{i,j})$.

Hybrid $H_7$: This experiment is the same as $H_6$ except that for every key query $f$, the corresponding secret key $\mathrm{SK}_f$ is computed as $\mathrm{SK}_f \leftarrow \mathrm{di}\mathcal{O}(H_f)$.

Hybrid $H_8$: This experiment is the same as $H_7$ except that the setup algorithm computes every $Z_i$ as a commitment to 0.

Hybrid $H_9$: This experiment is the same as $H_8$ except that in every challenge ciphertext $\mathrm{CT}_{i,j} = (c_1^{i,j}, c_2^{i,j}, \pi^{i,j})$, the proof string $\pi^{i,j}$ is computed using the honest prover algorithm.

Hybrid $H_{10}$: This experiment is the same as $H_9$ except that the setup algorithm computes an "honest" CRS for the NIZK proof system, i.e., the CRS is computed as $\mathsf{crs} \leftarrow \mathsf{CRSGen}(1^k)$.

Note that this is the real experiment with challenge bit $b = 1$.

This completes the description of the hybrids. We now prove their computational indistinguishability via a series of lemmas.

Lemma 44 ($H_0 \approx H_1$). Assuming that (CRSGen, Prove, Verify) is a zero-knowledge argument system, the outputs of experiments $H_0$ and $H_1$ are computationally indistinguishable.

Proof. This follows immediately from the fact that the distributions $\{\mathsf{CRSGen}(1^k)\}$ and $\{\mathsf{Sim.CRSGen}(1^k)\}$ are computationally indistinguishable. □

Lemma 45 ($H_1 \approx H_2$). Assuming that (CRSGen, Prove, Verify) is a zero-knowledge argument system, the outputs of experiments $H_1$ and $H_2$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_1$ and $H_2$ is the manner in which the proof strings $\pi^{i,j}$ in the challenge ciphertexts $\mathrm{CT}_{i,j}$ are computed: in $H_1$, every $\pi^{i,j}$ is computed honestly using the witness, while in $H_2$, $\pi^{i,j}$ is a simulated proof computed using the simulator for the NIZK argument system. Then, by a standard hybrid argument, the indistinguishability of $H_1$ and $H_2$ follows from the zero-knowledge property of the NIZK argument system. □

Lemma 46 ($H_2 \approx H_3$). Assuming that Com is a computationally hiding commitment scheme, the outputs of experiments $H_2$ and $H_3$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_2$ and $H_3$ is the manner in which the commitments $\{Z_i\}_{i \in N \setminus I}$ are computed: in $H_2$, every $Z_i$ is a commitment to 0, while in $H_3$, $Z_i$ is a commitment to 1. Further, note that the randomness used to compute $Z_i$ is not used anywhere else in the experiment. Then, the indistinguishability of $H_2$ and $H_3$ follows immediately from the computational hiding property of Com. □

Lemma 47 ($H_3 \approx H_4$). Assuming that PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is a semantically secure public-key encryption scheme, the outputs of experiments $H_3$ and $H_4$ are computationally indistinguishable.

Proof. Recall that the only difference between $H_3$ and $H_4$ is the manner in which the second ciphertexts $c_2^{i,j}$ in the challenge ciphertexts $\mathrm{CT}_{i,j}$ are computed: in $H_3$, $c_2^{i,j}$ is an encryption of the challenge message $x^0_{i,j}$, while in $H_4$, $c_2^{i,j}$ is an encryption of $x^1_{i,j}$. Further, note that neither the randomness $s_2^{i,j}$ used to compute $c_2^{i,j}$ nor the secret key $sk_2$ is used anywhere else in the experiment. Then, by a standard hybrid argument, the indistinguishability of $H_3$ and $H_4$ follows from the semantic security of PKE. □

Lemma 48 ($H_4 \approx H_5$). Assuming that $\mathrm{di}\mathcal{O}$ is a differing-inputs obfuscator, Com is perfectly binding and (CRSGen, Prove, Verify) is simulation-sound, the outputs of experiments $H_4$ and $H_5$ are computationally indistinguishable.

Proof. We prove the lemma for the simplified case where the adversary makes a single key query $f$. This query could be made either by adversary $\mathcal{A}_1$ or by $\mathcal{A}_2$. In the former case, we refer to $f$ as a non-adaptive key query, while in the latter case, we refer to it as an adaptive key query.

We remark that by a standard hybrid argument, the proof can be easily extended to the more general case where the adversary makes $\mathrm{poly}(k)$ (non-adaptive and adaptive) key queries.

Now, note that the only difference between $H_4$ and $H_5$ is the manner in which the secret key $\mathrm{SK}_f$ for the key query $f$ is computed: in experiment $H_4$, $\mathrm{SK}_f$ is a differing-inputs obfuscation of $H_f$, while in $H_5$, $\mathrm{SK}_f$ is a differing-inputs obfuscation of $H'_f$. It follows that if there exists a PPT adversary $\mathcal{A}$ that distinguishes between the outputs of $H_4$ and $H_5$ with non-negligible probability, then we can construct a PPT adversary $\mathcal{A}'$ that distinguishes between $\mathrm{di}\mathcal{O}(H_f)$ and $\mathrm{di}\mathcal{O}(H'_f)$ with non-negligible probability. Then, it follows from Definition 9 that for such an adversary $\mathcal{A}'$, there exists a PPT extractor algorithm $E$ that on input $(H_f, H'_f)$ outputs an input value $z^*$ such that $H_f(z^*) \neq H'_f(z^*)$. We will use $E$ to contradict the simulation-soundness property of the NIZK argument system (CRSGen, Prove, Verify).

Towards that end, let $z^* = (\mathrm{CT}^*_1, \ldots, \mathrm{CT}^*_n)$, where for every $i \in [n]$, $\mathrm{CT}^*_i = (c^*_{i,1}, c^*_{i,2}, \pi^*_i)$. Without loss of generality, we assume that every proof string $\pi^*_i$ is accepting. This is because otherwise, from the definition of $H_f$ and $H'_f$, both functions output $\bot$ and we have $H_f(z^*) = H'_f(z^*)$. We make the following claim about the input $z^*$.

Claim 49. Let {CT_{1,j}, ..., CT_{n,j}}_{j=1}^q denote the challenge ciphertexts in experiments H_3 and H_4, where every CT_{i,j} = (c^j_{i,1}, c^j_{i,2}, π^j_i). Then, there exists i ∈ [n] with CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) in z* such that one of the following two cases holds:

Case 1: If i ∈ I, then c*_{i,1} and c*_{i,2} are encryptions of different messages, and for every j ∈ [q], either c*_{i,1} ≠ c^j_{i,1} or c*_{i,2} ≠ c^j_{i,2}.

Case 2: If i ∈ N \ I, then for every j ∈ [q], either c*_{i,1} ≠ c^j_{i,1} or c*_{i,2} ≠ c^j_{i,2}.

Proof. Suppose that the claim is false. That is, the input z* = (CT*_1, ..., CT*_n) output by E is such that:

Condition A: For every i ∈ I, CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) is such that:

1. Either there exists j_i ∈ [q] such that c*_{i,1} = c^{j_i}_{i,1} and c*_{i,2} = c^{j_i}_{i,2}, or

2. c*_{i,1} and c*_{i,2} are encryptions of the same message. Let x*_i denote this message.

Condition B: For every i ∈ N \ I, CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) is such that there exists j_i ∈ [q] with c*_{i,1} = c^{j_i}_{i,1} and c*_{i,2} = c^{j_i}_{i,2}.

Let us now inspect the outputs of H_f and H'_f on the input z*. We have that:

$$H_f(z^*) = f\Big(\big(\{\mathsf{PKE.Dec}(sk_1, c^{j_i}_{i,1})\}_{i \in N \setminus I},\ \{\mathsf{PKE.Dec}(sk_1, c^*_{i,1})\}_{i \in I}\big)\Big),$$

$$H'_f(z^*) = f\Big(\big(\{\mathsf{PKE.Dec}(sk_2, c^{j_i}_{i,2})\}_{i \in N \setminus I},\ \{\mathsf{PKE.Dec}(sk_2, c^*_{i,2})\}_{i \in I}\big)\Big),$$

where for ℓ ∈ [2], $\big(\{\mathsf{PKE.Dec}(sk_\ell, c^{j_i}_{i,\ell})\}_{i \in N \setminus I}, \{\mathsf{PKE.Dec}(sk_\ell, c^*_{i,\ell})\}_{i \in I}\big)$ denotes the "arrangement" of the values $\mathsf{PKE.Dec}(sk_\ell, c^{j_i}_{i,\ell})$ and $\mathsf{PKE.Dec}(sk_\ell, c^*_{i,\ell})$ according to their input positions in f. Now, let I' ⊆ I be such that for every i ∈ I', CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) satisfies condition A(2). Thus, for every i ∈ I \ I', CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) satisfies condition A(1). Then, we have:

$$H_f(z^*) = f\Big(\big(\{x^0_{i,j_i}\}_{i \in N \setminus I'},\ \{x^*_i\}_{i \in I'}\big)\Big), \qquad H'_f(z^*) = f\Big(\big(\{x^1_{i,j_i}\}_{i \in N \setminus I'},\ \{x^*_i\}_{i \in I'}\big)\Big),$$

where X^0 = {x^0_{1,j}, ..., x^0_{n,j}}_{j=1}^q and X^1 = {x^1_{1,j}, ..., x^1_{n,j}}_{j=1}^q are the challenge messages.

Now, regardless of whether f is a non-adaptive or adaptive key query, it follows from the I-Compatibility property in the IND-security definition (see Definition 3) that H_f(z*) = H'_f(z*), which is a contradiction. □
Completing the proof of Lemma 48. Following the above claim, fix CT*_i = (c*_{i,1}, c*_{i,2}, π*_i) in z* to be such that either Case 1 or Case 2 holds. Let y* = (c*_{i,1}, c*_{i,2}, pk_1, pk_2, Z_i) be the statement corresponding to the proof string π*_i. Further, let y_{i,j} be the statement corresponding to the proof string π^j_i in the challenge ciphertext CT_{i,j} = (c^j_{i,1}, c^j_{i,2}, π^j_i).

We consider Case 1 and Case 2 separately.

Case 1. Since c*_{i,1} and c*_{i,2} are encryptions of different messages, we have that the statement y* is false. Further, since for all j ∈ [q], either c*_{i,1} ≠ c^j_{i,1} or c*_{i,2} ≠ c^j_{i,2}, we have that y* ≠ y_{i,j}. Then, we have that the output z* of the extractor algorithm E includes an accepting proof for a new, false statement y*. This contradicts the simulation-soundness property of the NIZK argument system (CRSGen, Prove, Verify).

Case 2. Since Z_i is computed as a commitment to 1 in experiments H_3 and H_4, it follows from the perfect binding property of Com that the statement y* is false. Further, since for all j ∈ [q], either c*_{i,1} ≠ c^j_{i,1} or c*_{i,2} ≠ c^j_{i,2}, we have that y* ≠ y_{i,j}. Then, we have that the output z* of the extractor algorithm E includes an accepting proof for a new, false statement y*. This contradicts the simulation-soundness property of the NIZK argument system (CRSGen, Prove, Verify). □


Lemma 50 (H_5 ≡ H_6). Assuming that PKE = (PKE.Setup, PKE.Enc, PKE.Dec) is a semantically secure public-key encryption scheme, the outputs of experiments H_5 and H_6 are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 47. □

Lemma 51 (H_6 ≡ H_7). Assuming that diO is a differing-inputs obfuscator, Com is perfectly binding and (CRSGen, Prove, Verify) is simulation-sound, the outputs of experiments H_6 and H_7 are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 48. □

Lemma 52 (H_7 ≡ H_8). Assuming that Com is a computationally hiding commitment scheme, the outputs of experiments H_7 and H_8 are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 46. □

Lemma 53 (H_8 ≡ H_9). Assuming that (CRSGen, Prove, Verify) is a NIZK argument system, the outputs of experiments H_8 and H_9 are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 45. □

Lemma 54 (H_9 ≡ H_10). Assuming that (CRSGen, Prove, Verify) is a NIZK argument system, the outputs of experiments H_9 and H_10 are computationally indistinguishable.

Proof. The proof follows in the same manner as Lemma 44. □


D NA-SIM-secure MI-FE

NA-SIM security for multi-input FE is defined similarly to Definition 4, except that now the adversary is required to make key queries before (as opposed to after) choosing the challenge messages. More concretely, we define (t, p, q)-NA-SIM-secure functional encryption where (as earlier) t denotes the number of encryption keys known to the adversary and q denotes the number of challenge messages per encryption key. The new parameter p denotes the total number of non-adaptive key queries by the adversary. Below, we present the formal definition.

Definition 55 (NA-SIM Security). We say that a functional encryption scheme FE for n-ary functions F is (t, p, q)-NA-SIM-secure if for every PPT adversary A = (A_0, A_1, A_2), there exists a PPT simulator S = (S_0, S_1, S_2) such that the outputs of the following two experiments are computationally indistinguishable:

Experiment REAL^{FE}_A(1^k):
  (I, st_0) ← A_0(1^k) where |I| = t
  (EK, MSK) ← FE.Setup(1^k)
  (M, st_1) ← A_1^{FE.Keygen(MSK, ·)}(st_0, EK_I)
  X ← M where X = {x_{1,j}, ..., x_{n,j}}_{j=1}^q
  CT_{i,j} ← FE.Enc(EK_i, x_{i,j}) ∀ i ∈ [n], j ∈ [q]
  α ← A_2(CT, st_1)
  Output: (I, M, X, {f_ℓ}, α)

Experiment IDEAL^{FE}_S(1^k):
  (I, st_0) ← S_0(1^k)
  (M, st_1) ← S_1(st_0)
  α ← S_2^{TP(M, ·, ·)}(st_1)
  Output: (I, M, X, {g_ℓ}, α)

where {f_ℓ} denote the queries of A_1 to FE.Keygen and {g_ℓ} denote the functions appearing in the queries of S_2 to TP, such that |{f_ℓ}| = |{g_ℓ}| = p. The oracle TP(M, ·, ·) denotes the ideal-world trusted party that, given the message distribution M, first samples a message vector X ← M, where X = {x_{1,j}, ..., x_{n,j}}_{j=1}^q. It accepts input queries of the form (g, (j_1, ..., j_n)) and outputs g(x_{1,j_1}, ..., x_{n,j_n}).
Abstract

Secure multi-party computation (MPC) has been thoroughly studied over the past decades. The vast majority of works assume a full communication pattern: every party exchanges messages with all the network participants over a complete network of point-to-point channels. This can be problematic in modern large-scale networks, where the number of parties can be of the order of millions, as for example when computing on large distributed data.

Motivated by the above observation, Boyle, Goldwasser, and Tessaro [TCC 2013] recently put forward the notion of communication locality, namely, the total number of point-to-point channels that each party uses in the protocol, as a quality metric of MPC protocols. They proved that assuming a public-key infrastructure (PKI) and a common reference string (CRS), an MPC protocol can be constructed for computing any n-party function, with communication locality O(log^c n) and round complexity O(log^{c'} n), for appropriate constants c and c'. Their protocol tolerates a static (i.e., non-adaptive) adversary corrupting up to t < (1/3 - ε)n parties for any given constant 0 < ε < 1/3. These results leave open the following questions:

(1) Can we achieve low communication locality and round complexity while tolerating adaptive adversaries?

(2) Can we achieve low communication locality with optimal resiliency t < n/2?

In this work we answer both questions affirmatively. First, we consider the model from [TCC 2013], where we replace the CRS with a symmetric-key infrastructure (SKI). In this model we give a protocol with communication locality and round complexity polylog(n) (as in the [TCC 2013] work) which tolerates up to t < n/2 adaptive corruptions, under a standard intractability assumption for adaptively secure protocols, namely, the existence of trapdoor permutations whose domain has invertible sampling. This is done by using the SKI to derive a sequence of random hidden communication graphs among players. A central new technique then shows how to use these graphs to emulate a complete network in polylog(n) rounds while preserving the polylog(n) locality. Second, we show how we can even remove the SKI setup assumption at the cost, however, of increasing the communication locality (but not the round complexity) by a factor of √n.
1 Introduction

Secure multi-party computation (MPC for short) allows a set of n parties to securely compute any given function f on their private data. Ensuing the seminal works in the area [...], the systematic study of the problem over the last decades has led to great improvements regarding several efficiency measures, such as communication complexity (number of exchanged messages), round complexity, and computation complexity. Until recently, however, essentially all MPC results required all parties to communicate directly with each other over a complete network of point-to-point channels, or by having access to a broadcast channel. While this requirement may be harmless when the number of participants is small compared to the complexity of the function f, it is highly problematic in settings where the number of parties is a dominant factor.¹

Communication locality in MPC. Recently, Boyle, Goldwasser, and Tessaro [6], building on work by King et al. on Byzantine agreement [32, 33],² introduced a new efficiency metric called communication locality to address such settings. Informally, the communication locality of a protocol is the total number of different point-to-point channels that each party uses in the protocol. The protocols provided in [6] for the computation of any polynomial-time function f achieve a communication locality of polylog(n) assuming a public-key infrastructure (PKI), a common reference string (CRS), and the existence of semantically secure public-key encryption and existentially unforgeable signatures. An example of a scenario where the complexity of the function may be much smaller than the number of parties is when securely computing the output of a sublinear algorithm, which takes inputs from a small subset of q = o(n) of the parties. (Sublinear algorithms are particularly useful for computing statistics on large populations.) By assuming, in addition to the PKI and semantically secure public-key encryption, the existence of a multi-signature scheme [35, ...], a (certifiable) fully homomorphic encryption (FHE) [..., 8], and simulation-sound adaptive non-interactive zero-knowledge (NIZK) [..., 23], the authors also obtain a protocol for computing sublinear functions, which communicates O((n + k) · polylog(n))-bit messages³ and terminates in polylog(n) + O(q) rounds.

The solution of [6], however, has two major limitations:

(1) It cannot tolerate an adaptive adversary who may choose the parties to corrupt on the fly during the protocol execution; it only tolerates a static adversary who decides on the faulty parties prior to the protocol execution.

(2) It achieves a sub-optimal resiliency of t < (1/3 - ε)n corrupted parties, for any given constant 0 < ε < 1/3, whereas traditional MPC protocols in the computational setting (without the low communication locality requirement) can tolerate up to t < n/2 corruptions.

Our results. In this paper, we first show that by replacing the CRS with a slightly different setup assumption, namely, a symmetric-key infrastructure (SKI) [21] where every pair of participants shares a uniformly random key that is unknown to other participants, we can overcome both of the above limitations. Specifically, we construct adaptively secure MPC protocols with communication locality polylog(n) tolerating any t < n/2 corruptions. (As mentioned above, this is the optimal number of corruptions that can be tolerated, even in the complete communication setting without the extra requirement of communication locality [26, 13].) Looking ahead, we will show how the SKI can be interpreted as a special type of random initial communication graph which dictates which pairs of players can send point-to-point messages to each other to start with. The graph is shared but "hidden": each player will only know the restricted subset of polylog(n) players it can send messages to and receive messages from.⁴

¹ Interestingly, recent implementation results report remarkable performance of the state-of-the-art solutions for small instances of the problem such as three-party computation [5] or in a lab environment when broadcast is assumed for free (e.g., [...]).

² [32, 33] in fact achieve "almost-everywhere" Byzantine agreement [22], which does not guarantee that all honest players will receive an output (see "Other related work" below).

³ k is the security parameter.

Next, we show that we can remove the additional SKI assumption at the cost of increasing the communication locality by a factor of √n. Both our constructions assume the existence of a family of trapdoor permutations which has a reversed domain sampler [..., 25]. This is the weakest known general assumption which is sufficient for non-committing encryption [...], and thus for adaptively secure MPC over non-private channels. Such families are known to exist under standard number-theoretic assumptions such as the hardness of the decisional Diffie-Hellman problem (DDH) or the RSA assumption [18].

We remark that in order to circumvent the shortcomings in [6] we need to develop new and quite different techniques, as the limitations to sub-optimal resiliency and non-adaptive adversaries seem to be inherent in their approach. This can be seen as follows. In [6], the parties elect n input committees C_1, ..., C_n, as well as one "supreme" committee C, all of size polylog(n), in a way that ensures that (with high probability) at least a 2/3 fraction of the parties in each committee are honest. Each protocol message of party p_i is then secret-shared to committee C_i, which re-shares it to the parties of the supreme committee C. Subsequently, the members of C compute the output of the given function on the shared inputs and return it to the users (by sharing it to the input committees, which then reconstruct to their associated input parties). All sharings are private and robust so long as the adversary does not corrupt more than 1/3 of a committee's members.

Clearly, the above cannot work if the adversary is allowed to adaptively corrupt parties depending on his view of the election process. Such an adversary might choose to corrupt more than a 1/3 fraction of the parties in some committee and thus violate the privacy of the protocol.⁵ Furthermore, even for a static adversary, the above approach cannot yield an optimally resilient (i.e., t < n/2) protocol, as an adversary who non-adaptively corrupts ⌈n/2⌉ - 1 of the parties has a noticeable probability of corrupting 1/3 (or even 1/2) of the parties in some committee.

Interestingly, we note that under the additional assumptions of FHE and multi-signatures, [6] obtains better communication complexity for computing sublinear algorithms than directly applying our approach. Improving the communication complexity of our protocols is an enthralling direction for future research.

Other related work. Our result should be contrasted with the work of Dani et al. [20], which provides MPC in the information-theoretic setting assuming perfectly private communication channels with communication complexity of O(√n), but only offers security against a static adversary and t < n/3 corruptions. For the problem of Byzantine agreement (BA), King and Saia [31] show how to construct a protocol that is secure against adaptive corruptions, and where the communication complexity of every party is O(n). This leads to a BA protocol with O(n) communication locality; however, their protocol only tolerates t < (1/3 - ε)n corruptions (and is specific to Byzantine agreement).

Another related body of work is on conducting Byzantine agreement and MPC when players are not connected via a point-to-point network but rather via a sparse, public network. This has been studied both in the context of BA [22, ..., 12, 13] and of MPC [..., 33]. These results inevitably only achieve the so-called almost-everywhere versions of the problems, as the protocols "give up" a number x = ω(1) of honest parties (and provide no guarantees for them). The interested reader may refer to Appendix A for a short survey of the corresponding literature.

⁴ In fact, one may alternatively state our setup as having the players share an initial hidden random graph, and our result as a reduction from this setup.

⁵ Recall that the adversary has a linear corruption "budget" t < (1/3 - ε)n and the committees are of size polylog(n).

1.1 Overview of our results and techniques

In this paper we establish the feasibility of secure multiparty computation with low (i.e., polylog(n)) communication locality both for static and for adaptive adversaries corrupting any t < n/2 parties. Our constructions assume a PKI and a symmetric-key infrastructure (SKI; see details below). Furthermore, our protocols have polylog(n) round complexity. In more detail, we show the following:

Theorem 1. Assuming a PKI, an SKI, and trapdoor permutations with a reversed domain sampler, there exists an MPC protocol secure against an adaptive adversary corrupting up to t < n/2 parties and satisfying the following properties with overwhelming probability:

— (Polylogarithmic communication locality) Every party communicates with at most O(log^{1+ε} n) other parties, for some constant ε > 0.

— (Polylogarithmic round complexity) The protocol terminates after O(log^{ε'} n) rounds, for some constant ε' > 0.

Since we wish to obtain MPC with guaranteed output delivery for all honest players, our bound t < n/2 is optimal. Furthermore, if we do not wish to "give up" any party in the protocol, then the best communication locality that one can hope to attain is ω(log n),⁶ and hence our protocols are near optimal in terms of communication locality as well.

Next, we show that we can completely get rid of the SKI setup (while still guaranteeing adaptive security) at the cost of increasing the communication locality (but not the round complexity). That is, we show:

Theorem 2. Assuming a PKI and trapdoor permutations with a reversed domain sampler, there exists an MPC protocol secure against an adaptive adversary corrupting up to t < n/2 parties and satisfying the following conditions with overwhelming probability:

— Every party communicates with at most O(√n log^{1+ε} n) other parties, for some constant ε > 0.

— The protocol terminates after O(log^{ε'} n) rounds for some constant ε' > 0.

In the remainder of this section we summarize our main techniques and provide a high-level overview of our MPC construction. Before we do that, we describe our model in a bit more detail. All parties are connected via a complete network of point-to-point channels. For simplicity, we assume that the channels are secure; however, as we assume a public-key infrastructure (PKI), these channels can be implemented by encryption and authentication [26]. Furthermore, we assume synchronous communication, i.e., our protocols proceed in rounds where messages sent in any round are delivered by the end of the round. An adversary can adaptively corrupt t < n/2 parties and cannot observe whether or not two honest parties communicated. In addition, our construction assumes a symmetric-key infrastructure (denoted SKI), where every pair (i, j) of parties shares a uniformly random key sk_{i,j} ∈ {0,1}^κ for some security parameter κ. Note that there does not seem to be a direct way of getting rid of the SKI assumption without increasing the communication locality, as the direct approach of using the PKI for fair exchange would require (at least) a round where every party communicates with all other parties to exchange the pairwise keys. Removing the SKI assumption without increasing the locality is an intriguing open problem.

SKI as a hidden-graph setup. Central to our results is a novel way of interpreting/transforming a symmetric-key infrastructure into a special type of setup, which we refer to as hidden-graph setup (HG).

⁶ If a party communicates with only O(log n) parties in the protocol, then an adversary can simply guess these O(log n) parties (with non-negligible probability) and corrupt them, thereby isolating this honest party.
Let G = (V, E) be an undirected graph, where V = [n] is the vertex set and E is the set of edges in G. In slight abuse of notation, we also use E to denote the adjacency matrix of G, i.e., E(i, j) = E(j, i) = 1 if there is an edge in G connecting vertices i and j; otherwise E(i, j) = E(j, i) = 0. We let G(n, p) = (V, E) denote the Erdős-Rényi random graph on n vertices where for every i, j ∈ V, Pr[(i, j) ∈ E] = p. We refer to such a graph as a p-random graph.

We say that the parties in [n] hold a hidden p-random graph setup (p-HG)⁷ if, after sampling G = G(n, p), every party i ∈ [n] is given his corresponding row E(i, j) for j ∈ [n] and no other information on E. Note that instead of the naive encoding which would require n bits (i.e., give each party the full vector corresponding to his row in E), we can simply give each party i a vector r(i) which includes the parties i communicates with over the bilateral secure channel. Thus if party i communicates with q parties, his p-HG setup will be of size q log(n).⁸

We now show how such an HG can be efficiently (and locally) computed from an SKI: Recall that in an SKI every pair of parties i and j is given a uniformly random key sk_{i,j}. We use this key as a seed to a pseudo-random function (PRF). Parties i and j will use the PRF (keyed with sk_{i,j}) to (locally) compute the random coins needed to sample (i, j) for the graph G; i.e., i and j will use the output of the PRF as coins in a sampling algorithm which picks a bit b to be 1 with probability p. If b = 1, then i and j will communicate with each other directly in the protocol and (i, j) will be an edge in the communication graph G. The security of the PRF ensures that the bit b computed as above is distributed indistinguishably from the output of the sampling algorithm on uniformly random coins. Without loss of generality, we will henceforth assume that the PRF keys that parties share can be used to sample as many random graphs as needed.

Our adaptively secure construction will make use of several (polylog(n)-many) independent HGs. A sequence of ℓ many HGs that is indistinguishable from a sequence of ℓ independent p-HGs can be generated as above, by querying the PRF on distinct (fixed) inputs.

Overview of our construction. At the heart of our construction lies a protocol for reliable message transmission (RMT) in this communication-constrained setting. Such a protocol allows a sender i to reliably send a message to a receiver j. Note that as we assume a completely connected network, a trivial way of implementing RMT would be for party i to use the point-to-point channel he shares with each j ∈ [n]. However, our goal is to achieve RMT where each party utilizes only a polylogarithmic number of its direct point-to-point channels. Clearly, in such a setting we cannot allow the adversary to know the neighbors of an honest party i ∈ [n], as this would enable the adversary to "cut off" (i.e., isolate) party i from the rest of the parties by corrupting all of its neighbors.

This is where the hidden-graph setup comes in handy: Every party will only exchange messages with its neighbors in this hidden graph and ignore all other interfaces.⁹ As we show, an adversary who corrupts up to any constant fraction q < 1 of parties cannot make the length of the shortest honest path between any two honest parties greater than log^{ε'}(n), for some ε' > 0, except with negligible probability. In particular, we show that if G' denotes the graph that is obtained by deleting from G all parties/nodes that such an adversary corrupts, then with overwhelming probability, every two nodes in G' (i.e., every two honest parties) are connected (in G') by a path of length at most log^{ε'} n. Thus, parties can achieve RMT by simply "flooding" the network; i.e., party i will simply send message m, signed under its signing key, to all its neighbors; then, for log^{ε'}(n) rounds, all parties, in every round, will simply forward (the first validly signed) message that they receive to all their neighbors. Since i and j are connected by a path of length N = log^{ε'} n in G', then after N rounds, j will receive at least one copy of m that is signed under i's signing key and hence will reliably receive the message m. Observe that the above RMT protocol tolerates any constant fraction q < 1 of corruptions (i.e., up to t < qn corrupted parties) and requires a standard PKI for digital signatures (in addition to the HG). We assume standard digital signatures secure against chosen-plaintext attacks. Further, since the message is guaranteed to reach all honest parties within N rounds, the above RMT protocol can be used to have a message sent to all honest parties.¹⁰

⁷ Throughout this paper we only consider p = log^{1+ε}(n)/n for some ε > 0. Whenever ε is clear from the context we might omit p and just refer to the setup as a "(hidden) random graph setup."

⁸ In our setting q = polylog(n) with overwhelming probability, thus, we get that a hidden graph setup is also of size polylog(n).

⁹ Note that the adversary might try to send messages to honest parties using all the corrupted parties. However, the honest parties will ignore messages from all parties that are not their neighbors in their hidden graphs.

Unfortunately, the above approach only works for a static adversary. The reason is that, while corrupting parties (even adaptively) and learning their setup does not reveal anything about the hidden graph (other than the neighbors of the corrupted parties themselves), the protocol itself might reveal whether or not (i, j) ∈ E for honest parties i, j ∈ [n]. For example, if an adversarial party i sends a message to another adversarial party j, and j receives this message in 3 rounds, then it must be the case that there exists a path of length 3 between i and j. One might think that we can get around this problem by simply having i encrypt the message under j's public key; this, however, is completely useless in the case when j is corrupted. Another idea might be to have i delay sending its message; however, this too is useless when i is corrupted. As a result, constructing an RMT protocol for the adaptive-corruption case ends up being much more challenging than in the static case.

The high-level idea behind the protocol for the adaptive case is to sample a new Erdős-Rényi random graph G = G(n, p), with p = log^{1+ε}(n)/n, at every round of the protocol. As long as the total number of rounds of the protocol is polylogarithmic, so will be the total number of point-to-point channels that an honest party uses (since in each round, every honest party might speak to at most polylog(n), potentially new, neighbors). The intuition for choosing a different HG for each round is that any corruptions made by the adversary before round i are independent of the graph selected in round i, and hence this would be equivalent to the static adversary case. However, now proving that honest parties can communicate reliably (and that there exists a path of bounded length between any two honest parties) is delicate, constituting the crux of our technical result.

Having RMT, the next step is to design the MPC protocol. Recall that our goal is a protocol with full security (i.e., including fairness) and optimal resiliency (i.e., tolerating t < n/2 corruptions) [13], [26]. One idea to achieve this is as follows: Since we have already established RMT between any two honest parties, we can invoke any known MPC protocol Π secure for t < n/2 assuming authenticated channels, over the virtual network induced by RMT. Whenever party i is instructed in Π to send a message m to party j, we invoke RMT for this purpose. This approach would give an MPC protocol tolerating up to t < n/2 corruptions, but it does not work generically (for any protocol Π) in combination with our simulated communication channels.

To see why, observe that in our adaptively secure protocol, an increase of the round complexity implies the same (asymptotic) increase of the honest parties' communication locality. Indeed, since using our RMT every party communicates with O(log^c n) (potentially new) parties in every round 1 ≤ ℓ ≤ D, we can only afford to run a protocol that runs in log^d n rounds, for some d > 0. Thus, in order for the above idea to work we need an adaptive MPC protocol over point-to-point authenticated channels which terminates in polylog(n) rounds. Such a protocol can be obtained by taking any constant-round MPC protocol that utilizes a point-to-point network of secure channels and a broadcast channel (e.g., the protocol in [1]), and modifying it as follows: (1) transmissions over the point-to-point secure channels are emulated by calls to our RMT protocol where the message is encrypted using non-committing encryption, and (2) calls to the broadcast channel are emulated by a (randomized, authenticated) broadcast protocol which terminates in polylog(n) rounds (cf. the protocol in [29]).

[Footnote 10] Note, however, that if the sender is corrupted, there is no guarantee that the message is sent consistently.

[Footnote 11] Note that we want to use RMT for every pair of parties; thus, the adversary might use information on the HG learned in an execution of RMT with a corrupted sender and/or receiver to attack another RMT with honest sender and receiver.

Remark 1 (Static security). Our primary goal in this paper is adaptive security. However, in the static security setting our approach yields a protocol with polylog(n) locality which relies only on semantically secure public-key encryption and existentially unforgeable signatures (as in [citation illegible]). The protocol tolerates an optimal number of t < n/2 corruptions and assumes a PKI and a (single) hidden graph setup (see footnote 12) instead of the PKI and CRS assumed in [citation illegible].

Finally, we show (Section 5) how to avoid the SKI assumption, at the expense of an increased communication locality (but not round complexity); cf. Theorem 2. In a nutshell, the parties will compute some kind of alternate random graph setup by having each party locally decide which of his n point-to-point channels he will use; a channel between two (honest) parties i, j ∈ [n] is then used only if both parties choose it. By adequately setting the probability of the honest parties' decisions, the resulting communication graph will include an Erdős–Rényi graph which will allow us to use our ideas from the SKI-based construction, with a guaranteed O(√n · log^δ n) communication locality, for some constant δ > 0.

2 Model, Definitions and Building Blocks

As already mentioned earlier, we assume all parties share a public-key infrastructure (PKI) as well as a symmetric-key infrastructure (SKI). In other words, every party has a public-key/secret-key pair (for a digital signature scheme); every party i ∈ [n] receives party j's public key (for all j ∈ [n]). In addition, every pair of parties i, j ∈ [n] shares a secret key sk_{i,j}. Parties are connected by a fully connected synchronous network; however, in our constructions every party will only communicate with polylog(n) other parties.

We allow up to t < n/2 of the parties to be adaptively corrupted by a rushing adversary (meaning, respectively, that the adversary is allowed to corrupt parties dynamically during the protocol execution and depending on his view, and that the adversary is able to postpone the sending of any given round's messages until after he receives the messages from the honest parties).

We consider the standard simulation-based notion of security for multiparty protocols via the real/ideal world paradigm. In other words (and informally), we require that for every probabilistic polynomial-time (PPT) adversary A (that corrupts t of the parties) in a real-world execution of the protocol, there exists a corresponding PPT adversary S in the ideal world who can simulate the output of A given only access to the ideal world, where S only learns the output of the evaluated function. We prove our results for standalone security. We refer the reader to [13] and [citation illegible] for further details on this notion of security for multiparty computation. Throughout, we assume that n is at least the security parameter.

Our constructions rely on the standard intractability assumption for adaptively secure multiparty protocols, namely, the existence of a family of trapdoor permutations with a reversed domain sampler [citation illegible], [25]. Informally, these are trapdoor permutations with an extra property: there exists an algorithm (the reversed domain sampler) which, given an input and output, can reconstruct (sample) the corresponding random bits used by the permutation function. This assumption is sufficient for all the primitives used in this paper, namely: pseudo-random functions (PRFs) [28], existentially unforgeable signatures (assuming a PKI setup) [25], constant-round non-committing encryption (informally, this is encryption which transforms an authenticated channel into a secure one in the presence of an adaptive adversary [18]), and constant-round adaptively secure MPC over a point-to-point network with (authenticated) broadcast [1] (see below).

[Footnote 12] Note that, instead of an SKI, a single copy of our hidden graph can be represented as polylog(n) bits held by each party corresponding to the vector of the indices of its neighbours.

Definition 3 ([39, 13]). A protocol for parties P = P_1, ..., P_n, where a distinguished player (called the dealer) P* ∈ P holds an initial input m, is a broadcast protocol tolerating t malicious parties if the following conditions hold for any adversary controlling at most t parties:

- Agreement: All honest parties output the same value v.

- Validity: If the dealer is honest, then v = m.

Broadcast protocols that assume a public-key infrastructure are usually termed authenticated.

We also make use of the following fact about expected-constant-round broadcast and Byzantine agreement protocols, implicit in [29].

Theorem 4 ([29]). Assuming a PKI, there exists a protocol Π_BC which achieves broadcast with overwhelming probability against t < n/2 adaptive corruptions, running for log^{1+c}(n) rounds on a complete network, for some constant c > 0.

3 Reliable Communication in the Locality Model

In this section we prove our results for Reliable Message Transmission (RMT) between every pair of honest parties in our communication-constrained setting, assuming a standard PKI (for digital signatures) as well as an SKI, as defined above. The constructions in this section tolerate any constant fraction of corrupted parties, more than what is required for fully secure MPC; that is, we only assume that the number of corrupted parties is t < qn, for a constant q < 1 (arbitrarily close to 1).

3.1 Static security

We first show an RMT protocol that is secure against static corruptions. This will illustrate some of the ideas that are needed for our adaptively secure construction.

Setup phase. Recall that we work in a model in which parties share a public-key as well as a symmetric-key infrastructure. That is, in the setup phase, party i receives a private key sk_i for a signature scheme, and every party j receives the public key vk_i corresponding to sk_i, for all i ∈ [n]. The SKI allows for a hidden p-random graph setup (p-HG), with p = log^{1+ε} n / n (for appropriately chosen ε > 0), as explained above. Note that, because in this section we assume only a single shared hidden graph, it is sufficient (in fact equivalent) that the keys in the SKI are one bit long.

Construction idea. The hidden graph setup ensures that the adversary does not get to know whether party i communicates with party j, unless he corrupts one of them. We show that given such a p-HG, an adversary who (non-adaptively) corrupts any constant fraction q of the parties cannot isolate any of the honest parties. In fact, we show a much stronger property for the graph G' formed by removing (in the hidden graph) the t = qn corrupted nodes; namely, that with overwhelming probability (in n), every pair (i, j) of honest parties is connected by a path of length at most N = log^{ε'}(n), for some ε' > 0 which depends only on ε. Note that since parties start with a PKI, we only require that honest parties i, j ∈ [n] are connected by a path of length N = log^{ε'}(n), for some ε' > 0, in graph G'. Parties can then achieve RMT by simply "flooding" the network; i.e., party i will simply send message m, signed under its signing key, to all its neighbors. Next, each party in every round simply forwards the (first validly signed) message that it receives to all of its neighbors. A formal description of the non-adaptively secure protocol for a sender i to reliably send a message m to a receiver j, denoted by RMT_{i,j}(m), is as follows. (Let Γ(i) denote party i's neighbors in G.)


Protocol RMT_{i,j}(m)

1. Round 1: Party i sends (m, sig_{sk_i}(m)) to all nodes in Γ(i).

2. For each round ρ = 2, ..., log^{ε'}(n):

- For every party k ∈ [n] \ {i, j}: If a message (m, σ), where σ is party i's valid signature on m, was received for the first time from some of its neighbors, i.e., some node in Γ(k), in the previous round, then party k sends (m, σ) to all its neighbors and halts. (If multiple validly signed pairs were received in that round for the first time, then take the first one in lexicographic order.)

- For receiver j: If a message (m, σ), where σ is party i's valid signature on m, is received for the first time from some node in Γ(j), then output m and halt. (If multiple validly signed pairs are received in that round for the first time, then take the first one in lexicographic order.)

The security of protocol RMT_{i,j}(m) (stated in Theorem 7) can be argued as follows: If i and j are connected by a path of length N in G', then after N rounds j will receive at least one copy of m that is signed under i's signing key, and hence will reliably receive the message m. Thus we simply need to argue that the above holds for some N = polylog(n). To this end, we first prove the following lemma, which implies RMT between i and j for all honest i, j ∈ [n].

Lemma 5. Let G = (V, E) be a hidden p-random graph, and let A be an adversary who non-adaptively chooses a set of parties to corrupt and by doing so learns all their neighbors in G. Denote by U ⊂ V the set of corrupted nodes, and by G' the subgraph on V \ U resulting from erasing all nodes in U. If for some constant q < 1, |U| ≤ qn and p = d/n = log^{1+ε} n / n, then, for any constant 0 < κ < [bound illegible in source], G' is an expander graph with edge expansion κd.

Proof. Since each pair of vertices in G' is still connected with probability p independently of U, G' is a random graph G((1 − q)n, p). Let n' = (1 − q)n and 0 < κ < [bound illegible in source]. Then, for each S ⊂ V' = V \ U, |S| = r ≤ n'/2, we have

$$e_{G'}(S, \bar{S}) = \sum_{v \in S,\, v' \in \bar{S}} X_{v,v'},$$

where X_{v,v'} is the indicator of whether there exists an edge between v and v'. Then

$$\mathbb{E}[e_{G'}(S, \bar{S})] = \sum_{v \in S,\, v' \in \bar{S}} \mathbb{E}[X_{v,v'}] = |S|\,|\bar{S}|\,p = r(n' - r)p.$$

By the Chernoff bound (recall that p = d/n),

$$\Pr[e_{G'}(S, \bar{S}) < \kappa d |S|] \le \exp\!\left(-\left(1 - \frac{\kappa n}{n' - r}\right)^{2} \cdot \frac{n' - r}{n} \cdot \frac{rd}{2}\right).$$

Since 0 < r ≤ n'/2, we have

$$\frac{1 - q}{2} = \frac{n'}{2n} \le \frac{n' - r}{n} \le \frac{n'}{n} = 1 - q < 1.$$

Thus, the exponent above is at least γ·rd for some constant γ > 0 that depends only on κ and q. For d = log^{1+ε} n, we have

$$\Pr[e_{G'}(S, \bar{S}) < \kappa d |S|] \le \left(e^{-\gamma d}\right)^{r} = \left(n^{-\gamma \log^{\varepsilon} n}\right)^{r},$$

and by the union bound, the probability that e_{G'}(S, \bar{S}) < κd|S| for some subset S, |S| ≤ |V'|/2, is bounded by [expression not legible in source], where ν(n) represents a function that is negligible in n. Therefore, G' is an expander with edge expansion κd with overwhelming probability. □

The next corollary follows immediately from Lemma 5 by using the fact that an expander graph as above has polylogarithmic diameter except with negligible probability. We make use of the following intuitive terminology: for a given graph G = ([n], E) we say that two parties i and j in [n] are G-connected by an honest path of length ℓ if there exists a sequence of connected nodes PATH(i, j) from i to j in G such that for every node k ∈ PATH(i, j), node k is honest, and |PATH(i, j)| = ℓ.

Corollary 6. Let ε > 0, p = log^{1+ε} n / n, and G be a hidden p-random graph. For any adversary who (non-adaptively) corrupts at most t = qn parties, the following holds except with negligible (in n) probability: there exists some ε' > 0 which depends only on ε such that any two honest parties are G-connected by an honest path of length at most log^{ε'}(n).

The security of protocol RMT_{i,j}(m) now follows easily from the above corollary, as no matter how the (static) adversary chooses the corrupted parties, he cannot increase the diameter of the graph defined by the honest parties and the hidden graph setup to more than polylog(n).

Theorem 7. Let 0 < q < 1, and T ⊂ [n] be the set of (non-adaptively) corrupted parties, |T| = t < qn. Assuming a PKI and an SKI, RMT_{i,j} is a secure RMT protocol between any two honest nodes i, j ∈ [n] \ T satisfying the following two conditions with overwhelming probability:

1. Every party communicates with at most O(log^{1+ε} n) other parties;

2. the protocol terminates after O(log^{ε'} n) rounds, for some ε' > 0.

Proof. Since Lemma 5 shows that any message sent by an honest i will reach every honest j within O(log^{ε'}(n)) rounds, it follows from the unforgeability property of the signature scheme that j will always accept the message sent by honest i. Hence, the above protocol is a secure RMT protocol. The communication locality of the protocol follows from the degree of G = G(n, p), which is O(log^{1+ε} n) except with negligible probability. □

Parallel composition of RMT. In our MPC construction, we will require all nodes to execute their respective RMT protocols in parallel (simultaneously). That is, let m_{i,j} be the message that node i wishes to send to j via the RMT protocol, denoted RMT_{i,j}(m_{i,j}) as above. Now, let RMT_all(m) denote the protocol executed by all parties when RMT_{i,j}(m_{i,j}) for all i, j ∈ [n] are executed in parallel. (That is, in round k of RMT_all(m), all parties execute the kth round of protocol RMT_{i,j}(m_{i,j}), for all i, j ∈ [n].) RMT_all(·) is composed of n² individual RMT protocols. We have the following corollary.

Corollary 8. For all honest i, j ∈ [n], RMT_all(m) is a reliable message transmission protocol for sending m_{i,j} from i to j, satisfying the following properties:

1. Every party communicates with at most O(log^{1+ε} n) other parties in the protocol.

2. The protocol terminates after O(log^{ε'} n) rounds for some ε' > 0.

Proof. From Lemma 5 we have that any message sent by any honest i will reach every honest j within O(log^{ε'} n) rounds. Hence, from this and the unforgeability of the underlying signature scheme, it follows by a standard hybrid argument that every honest j will always accept the message sent by any honest i at the end of RMT_all(m). Furthermore, note that the protocol's round complexity is equal to the maximum round complexity of its components, which equals O(log^{ε'} n). Further, note that the communication locality of every party in RMT_all(m) is equal to the communication locality of the party in RMT_{i,j}(m_{i,j}), for any i, j ∈ [n]. Hence, the corollary follows. □

3.2 Adaptively secure RMT

As discussed in Section 1.1, the above proof technique fails against adaptive adversaries. Informally, the issue is that an adversary can use the round in which a corrupted party/relayer receives a message to deduce information on the communication graph (see Section 1.1 for more details and a concrete example). In this section we describe an RMT protocol that is secure against such an adaptive adversary. The idea is to have the parties use a different, independent communication graph for each round in the transmission scheme. As long as the transmission scheme does not have more than polylog(n) rounds and in each round every party communicates with at most polylog(n) (additional) parties, the overall locality will be polylog(n).

The main challenge in the above idea is to prove that in this dynamically updated communication graph, the message will reach each recipient through an honest path in at most polylog(n) rounds. Proving this constitutes the main technical contribution of our work. The (adaptively secure) RMT protocol AdRMT is similar to the protocol in the static case, except that in round ρ parties forward messages received in the previous round to their neighbours in the communication graph G_ρ. We first describe the corresponding setup that it requires.

Setup phase. As in the static case, the parties share both a PKI and an SKI. The SKI will be used here in the same spirit, except that instead of generating one Erdős–Rényi graph G = G(n, p) with p = log^{1+ε} n / n, it will be used to generate D such graphs, denoted G = (G_1, ..., G_D). These graphs can be sampled using the same PRF key sk_{i,j} that parties i and j share. As before, every node only knows its own neighbors, and when the adversary corrupts a node j, he only learns j's neighbors in G_1, ..., G_D.

The protocol is described below, followed by the security statement and a high-level description of its proof. (The formal proof can be found in Appendix B.)


Protocol AdRMT_{i,j}(m)

1. Round 1: Party i sends (m, sig_{sk_i}(m)) to all its neighbors in graph G_1.

2. For each round ρ = 2, ..., log^{ε'}(n):

- For every party k ∈ [n] \ {i, j}: If a message (m, σ), where σ is party i's valid signature on m, was received for the first time from some of its neighbours in G_{ρ−1} in the previous round, then party k sends (m, σ) to all its neighbors in graph G_ρ and halts. (If multiple validly signed pairs were received in that round for the first time, then take the first one in lexicographic order.)

- For receiver j: If a message (m, σ), where σ is party i's valid signature on m, is received for the first time from some of party j's neighbours in G_ρ, then output m and halt. (If more than one validly signed pair is received in that round for the first time, then take the first one in lexicographic order.)
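As an added illustration that is not part of the paper, the following Python simulation runs both flooding protocols above (RMT_{i,j} with a single hidden graph and AdRMT_{i,j} with a fresh graph per round) against a constructed static corruption set, reporting the delivery round and each party's communication locality. It assumes HMAC-SHA256 as the PRF that derives each G_ρ from the shared SKI keys sk_{i,j} and as a stand-in for the signature scheme; n = 200, q = 0.3 and ε = 0.5 are constructed parameters.

```python
"""Added simulation (not the paper's code) of the signed-flooding RMT of
Section 3 over hidden p-random graphs derived from a symmetric-key
infrastructure (SKI): the static variant (one graph G for every round) and
the adaptive variant (a fresh graph G_rho per round). Parameters and keys
are constructed; HMAC-SHA256 stands in for both the PRF and the signature."""
import hashlib
import hmac
import math
import random


def prf_edge(shared_key: bytes, rnd: int, p: float) -> bool:
    """Both endpoints of a pair evaluate the same PRF on the round index and
    include the edge iff the output, read as a fraction of 2^64, is below p.
    Without the pair's key nobody can tell whether the edge exists."""
    tag = hmac.new(shared_key, rnd.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") / 2 ** 64 < p


def ski_setup(n: int, rng: random.Random) -> dict:
    """Constructed SKI: one fresh 16-byte secret sk_{i,j} per unordered pair."""
    return {(i, j): rng.getrandbits(128).to_bytes(16, "big")
            for i in range(n) for j in range(i + 1, n)}


def hidden_graph(n: int, keys: dict, rnd: int, p: float) -> list:
    """Neighbour sets Gamma(k) of G_rnd = G(n, p). A real party computes only
    its own row from the keys it holds; the simulator computes every row."""
    nbrs = [set() for _ in range(n)]
    for (i, j), key in keys.items():
        if prf_edge(key, rnd, p):
            nbrs[i].add(j)
            nbrs[j].add(i)
    return nbrs


def sign(sk: bytes, m: bytes) -> bytes:
    """Stand-in for sig_{sk_i}(m); a deployment uses a PKI signature scheme."""
    return hmac.new(sk, m, hashlib.sha256).digest()


def verify(vk: bytes, m: bytes, sig: bytes) -> bool:
    """Stand-in for verification under vk_i (here vk_i equals sk_i)."""
    return hmac.compare_digest(sign(vk, m), sig)


def flood_rmt(n, sender, receiver, corrupted, graph_for_round, sk, max_rounds):
    """Signed flooding. Round 1: the sender sends (m, sig) to its neighbours
    in G_1. Round rho >= 2: each party that first received a validly signed
    copy in round rho-1 forwards it to its neighbours in G_rho and halts.
    Corrupted relays are modelled as dropping the message (they cannot forge
    the signature), so only honest paths count. Returns (delivery round or
    None, contacted), where contacted[k] is the set of parties k exchanged
    messages with, i.e. k's communication locality."""
    m = b"constructed message"
    sig = sign(sk, m)
    frontier, seen = {sender}, {sender}
    contacted = [set() for _ in range(n)]
    delivered = None
    for rnd in range(1, max_rounds + 1):
        g = graph_for_round(rnd)
        new = set()
        for k in frontier:
            if k in corrupted:            # adversarial relay drops the message
                continue
            for nb in g[k]:
                contacted[k].add(nb)
                contacted[nb].add(k)
                # nb accepts only the first copy carrying a valid signature
                if nb not in seen and verify(sk, m, sig):
                    seen.add(nb)
                    new.add(nb)
        if delivered is None and receiver in new:
            delivered = rnd
        frontier = new
        if not frontier:
            break
    return delivered, contacted


def run_demo(n=200, q=0.3, eps=0.5, adaptive=True, seed=7, max_rounds=10):
    """One execution against a static adversary that corrupts q*n parties
    (chosen before the run, never the sender 0 or the receiver n-1).
    Returns (delivery_round, max_locality over all parties)."""
    rng = random.Random(seed)
    keys = ski_setup(n, rng)
    d = math.log2(n) ** (1 + eps)       # expected degree d = log^{1+eps} n
    p = d / n
    corrupted = set(rng.sample(range(1, n - 1), int(q * n)))
    sk = rng.getrandbits(128).to_bytes(16, "big")
    if adaptive:
        def graph_for_round(rnd):       # AdRMT: independent G_rho per round
            return hidden_graph(n, keys, rnd, p)
    else:
        g = hidden_graph(n, keys, 1, p)

        def graph_for_round(rnd):       # RMT: the same hidden graph G
            return g
    delivered, contacted = flood_rmt(n, 0, n - 1, corrupted,
                                     graph_for_round, sk, max_rounds)
    return delivered, max(len(c) for c in contacted)


if __name__ == "__main__":
    for mode in (False, True):
        rnd, loc = run_demo(adaptive=mode)
        print(f"adaptive={mode}: delivered in round {rnd}, max locality {loc}")
```

In the adaptive run a party's locality is the union of its neighbours over the rounds it is active in, which is why the paper bounds the number of rounds by polylog(n).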


Theorem 9. Let T ⊂ [n] be the set of adaptively corrupted parties, |T| = t < qn, for any constant 0 < q < 1. Assuming a PKI and an SKI, protocol AdRMT_{i,j}(m) is a secure RMT protocol between any two honest nodes i, j ∈ [n] \ T, satisfying the following two properties with overwhelming probability:

1. Every party communicates with at most O(log^{1+ε} n) other parties.

2. The protocol terminates after O(log^{ε'} n) rounds, for some ε' > 0.


Proof idea. As in the static case, we show that there exists a path of length at most O(log^{ε'}(n)) between any two honest nodes i, j ∈ [n] when we consider the collection of communication graphs G that selects graph G_i as the communication graph in hop i. We prove this in three steps:

First, we prove that at every step of the protocol, even if an adversary corrupts a constant fraction of the nodes in the random graph, the honest neighbors of any set S of size at most [bound illegible in source] that are not in S will be at least of size κd|S|, for some appropriate constant κ (except with negligible probability). More concretely, in Appendix B we prove the following lemma, where we let ε > 0, 0 < q < 1 be constants, d = log^{1+ε} n, p = d/n = log^{1+ε} n / n, and D = O(log n).

Lemma 10. Let G = G(n, p) be a graph on V = [n], and U ⊂ V, |U| ≤ qn, be chosen adaptively while only learning edges connecting to U. Let G' be the induced subgraph on V' = V \ U. Then, for any constant 0 < κ < [bound illegible in source], there exists a constant c > 0 such that, for sufficiently large n and for any S ⊂ V' with |S| = r ≤ [bound illegible in source], the set of all neighbors of S that are not in S, Γ(S), has size at least κd|S| except with negligible probability [expression illegible in source].


Next, via an application of Hoeffding's inequality (see Lemma 16 in Appendix B) we prove that as long as the adversarial parties are chosen independently of the random neighbors chosen by any party, a constant fraction of the party's neighbors will be honest, except with negligible probability (as long as the adversarial set is of size at most qn for some constant 0 < q < 1). Thus we get the following.

Lemma 11. Let V = [n] and C ⊂ V, |C| = m, be a subset chosen uniformly at random. Let 0 < q < 1 be a constant and U ⊂ V, |U| = qn, be a subset chosen independently of C. Then, for all 0 < δ < 1 − q, |C \ U| ≥ (1 − q − δ)m except with probability e^{−2mδ²}. In particular, for m = log^{1+ε} n, |C \ U| ≥ [constant illegible in source]·m except with negligible probability. Furthermore, for q = 1/2 − ε, |C \ U| ≥ (1/2)m except with negligible probability.


Finally, using Lemmas 10 and 11, we show that even when an adversary adaptively corrupts parties in every round of the protocol, as long as the parties select a random graph at each round of the protocol, there exists a path of length at most D = O(log n) between any two honest nodes in [n]. Formally:

Lemma 12. Let G_1, ..., G_D be graphs on V = [n] constructed independently as G(n, p). Let U_1, U_2, ..., U_D ⊂ V be disjoint subsets with U = ∪_{j=1}^{D} U_j such that |U| = qn, where U_j is chosen independently of G_{j+1}, ..., G_D, but adaptively, after learning the neighbors of U_i in G_i for i ≤ j. Let G'_i be the induced subgraph on V'_i = V \ (∪_{j=1}^{i} U_j). Then, except with negligible probability, any pair of vertices v, v' ∈ V' = V \ U are reachable with respect to G' = (G'_1, ..., G'_D) by a path of length at most D.

Combining these gives us our main theorem (Theorem 9). □

Parallel composition of adaptively secure RMT. Once again, we will require all nodes i, j ∈ [n] to execute their respective RMT protocols in parallel, simultaneously. Let AdRMT_all(m) denote the protocol executed by all parties when AdRMT_{i,j}(m_{i,j}) for all i, j ∈ [n] are executed in parallel. That is, in round k of AdRMT_all(m), all parties execute the kth round of protocol AdRMT_{i,j}(m_{i,j}) (for all i, j ∈ [n]). Note that the graph G_k used in the kth round of the protocol depends only on the round k and not on i and j; hence, we use the same graph G_k to send all the messages of protocol AdRMT_all(m). We have the following corollary:

Corollary 13. For all honest i, j ∈ [n], AdRMT_all(m) is a reliable message transmission protocol for sending m_{i,j} from i to j, satisfying the following properties:

1. Every party communicates with at most O(log^{1+ε} n) other parties in the protocol.

2. The protocol terminates after O(log^{ε'} n) rounds, for some ε' > 0.

The proof of this corollary is similar to Corollary 8's.


4 Secure Multiparty Computation with Low Communication

We are now ready to describe our MPC protocol for securely evaluating any given (even reactive) n-party function in the communication-locality model. Our protocol is secure against t < n/2 adaptive corruptions. The idea behind our MPC protocol is to use a constant-round adaptively secure MPC protocol for t < n/2 working over point-to-point secure channels and broadcast (e.g., [1]), where those resources are emulated via our RMT protocol of Section 3.2.

We let Π_BC denote the authenticated broadcast protocol guaranteed by Theorem 4 (Section 2). The protocol achieves broadcast with overwhelming probability against t < n/2 adaptive corruptions, running for log^{1+c} n rounds on a complete network, for some constant c > 0. As pointed out in [29], assuming unique process and message IDs as in [35], Π_BC remains secure under parallel composition.

Let Π*_BC denote the protocol which results by having the parties execute Π_BC where in each round, instead of using the point-to-point channels for exchanging their messages, the parties invoke AdRMT_all from Section 3.2. Then it follows immediately from the security of AdRMT_all (Corollary 13) and the fact that each message transmission requires polylog(n) rounds that protocol Π*_BC is also a secure broadcast protocol with polylogarithmic round complexity and communication locality.

Lemma 14. Protocol Π*_BC described above achieves broadcast against t < n/2 adaptive corruptions and satisfies the following conditions with overwhelming probability:

1. Every party communicates with at most O(log^{1+ε} n) parties, for any constant ε > 0.

2. The protocol terminates after O(log^{ε'} n) rounds, for some constant ε' > 0.

Proof (sketch). The security of Π*_BC follows directly from the security of protocols Π_BC and AdRMT_all. The (asymptotic) round complexity is computed as follows: for each round ℓ of Π_BC, protocol Π*_BC executes AdRMT_all to have the parties exchange their round-ℓ messages; thus, for each round in Π_BC we need O(log^{ε'} n) rounds in Π*_BC. Because Π_BC runs in O(log^{ε''} n) rounds, the total round complexity of Π*_BC is O(log^{ε'+ε''} n) rounds. We next argue the communication locality: With overwhelming probability, in each round of Π*_BC, every party might communicate with at most O(log^{1+ε} n) (potentially different) parties (for executing AdRMT_all). Thus, since the total number of rounds is O(log^{ε'+ε''} n), with overwhelming probability (by the union bound) the total number of parties that each i ∈ [n] exchanges messages with using the point-to-point channels is O(log^{1+ε+ε'+ε''} n). □

The next step is to construct a secure message transmission protocol (SMT) which will allow a sender i to securely (i.e., authentically and privately) send a message m_{i,j} to a receiver j. Since we have a PKI and an adaptively secure broadcast protocol, we can use the standard reduction of secure channels to broadcast: The sender i encrypts m_{i,j} under the receiver's public key and broadcasts the corresponding ciphertext c_{i,j}. Upon receiving c_{i,j}, party j decrypts it using his secret key and recovers m_{i,j}. However, in order for the above reduction to be secure (in a simulation-based manner) against an adaptive adversary, we need to ensure that a simulator can "open" a ciphertext to any message of its choice. This can be achieved by the use of a non-committing encryption scheme for computing the ciphertext [citation illegible]. As proved in [18], constant-round non-committing encryption can be constructed assuming the existence of families of trapdoor permutations with a reversed domain sampler. Consistently with the notation introduced in the previous section, we use AdSMT_{i,j} to denote the above SMT protocol, and AdSMT_all to denote the protocol composed of n² individual AdSMT_{i,j}(m_{i,j}) protocols (for all i, j ∈ [n]), run in parallel, where m = (m_{1,1}, m_{1,2}, ..., m_{n,n}).

With the above tools, we have:

Theorem 1. Assuming a PKI, an SKI, and trapdoor permutations with a reversed domain sampler, there exists a protocol for securely evaluating any given $n$-party function against an adaptive adversary who corrupts $t < n/2$ parties, satisfying the following two conditions with overwhelming probability:

1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties, for some constant $\epsilon > 0$.

2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some constant $\epsilon' > 0$.

Proof (sketch). Let $\Pi_{MPC}$ denote a constant-round MPC protocol which is secure against adaptive corruptions of up to $t < n/2$ parties, where parties communicate over a complete network of point-to-point channels and broadcast. (Such protocols are known to exist under the assumption in the theorem, e.g., [1].) Furthermore, let $\Pi'_{MPC}$ denote the protocol that results by instantiating in $\Pi_{MPC}$ the calls to the secure channels and broadcast by invocations of protocols $\mathrm{AdSMT}$ and $\Pi_{BC}$, respectively. We argue that $\Pi'_{MPC}$ satisfies all the properties claimed in the theorem. The security of $\Pi'_{MPC}$ follows immediately from the security of the underlying protocol $\Pi_{MPC}$ and the security of protocols $\Pi_{BC}$ and $\mathrm{AdSMT}_{all}$. For the round complexity: For each round in $\Pi_{MPC}$, all message exchanges (i.e., point-to-point transmissions or broadcast calls) are carried out in $\Pi'_{MPC}$ by appropriate (parallel) executions of protocols $\Pi_{BC}$ and $\mathrm{AdSMT}_{all}$, where the executions have unique round, protocol, and message IDs.$^{13}$ Thus, for every round in $\Pi_{MPC}$ we need $O(\log^{\epsilon'} n)$ rounds in $\Pi'_{MPC}$, for some given constant $\epsilon' > 0$. Because $\Pi_{MPC}$ terminates in a constant number of rounds, the round complexity of $\Pi'_{MPC}$ is also $O(\log^{\epsilon'} n)$. In each of these rounds, every party might communicate with at most $O(\log^{1+\epsilon} n)$ (potentially different) parties. (Recall that all parallel executions of $\Pi_{BC}$ and $\mathrm{AdSMT}_{all}$ use the same sequence of graph setups.) Thus, the total number of parties that each $i \in [n]$ talks directly to (i.e., via its point-to-point channels) is $O(\log^{1+\epsilon+\epsilon'} n)$. □


5  Getting  Rid  of  the  SKI 


In this section we show how to get rid of the symmetric-key setup assumption, at the cost, however, of increasing the communication locality (but not the round complexity) by a factor of $\sqrt{n}$.

The idea for getting rid of the SKI is to have the parties compute some kind of an alternative random graph setup. This is done as follows: each party $i \in [n]$ locally decides which of his $n$ point-to-point channels he will use; a channel between two (honest) parties $i, j \in [n]$ is then used only if both parties choose it. (This is similar in spirit to the way the work of Chandran et al. [13] handles "edge corruptions" in sparse networks.) By having each party decide to use each of his channels with probability $p = \frac{\log^{\epsilon} n}{\sqrt{n}}$ for some given constant $\epsilon > 1$ (and ignore all other channels), we ensure that, with overwhelming probability, each (honest) party uses at most $\Theta(\sqrt{n}\log^{\delta} n)$ of its point-to-point channels for some constant $\delta > 0$. Furthermore, each edge between two honest parties $i$ and $j$ is chosen with probability $p' = p^2 = \frac{\log^{2\epsilon} n}{n}$, thus the resulting communication graph will include an Erdős-Rényi graph $G(n,p')$, which will allow us to use our ideas from the previous sections. Note, however, that as the adversarial nodes might choose to communicate with all their neighbors, the communication locality is no longer guaranteed to be $O(\log^{\epsilon} n)$; notwithstanding, it is guaranteed to be $O(\sqrt{n}\log^{\delta} n)$ with overwhelming probability.


RMT  protocol.  We  now  describe  a  reliable  message  transmission  protocol  which  tolerates  up  to 
t  <  qn  adaptive  corruptions,  for  any  given  constant  q  <  1.  Our  protocol  (and  proof)  are  similar  to 
the  corresponding  protocol  from  Section  3.2,  with  the  only  difference  being  that  the  parties  choose 
their  neighbors  in  a  setup  procedure  as  above  instead  of  sampling  them  by  use  of  a  PRF  keyed 
with  their  SKI-keys. 


$^{13}$Recall that the IDs are needed to ensure security of $\Pi_{BC}$ under parallel composition [35].

Protocol $\mathrm{AdRMT}^{no\text{-}SKI}_{ij}(m)$

1. Round 1 (Computing the setup): The parties execute the following code for every $(i,j,\rho) \in [n] \times [n] \times [\log^{\epsilon'} n]$ in parallel (where $\epsilon' > 1$ is a given constant):

 - Party $i$ samples a bit $b^{\rho}_{ij}$, where $b^{\rho}_{ij} = 1$ with probability $p = \frac{\log^{\epsilon} n}{\sqrt{n}}$ for some given constant $\epsilon > 1$; and $b^{\rho}_{ij} = 0$ otherwise.

 - If $b^{\rho}_{ij} = 0$ for all $\rho \in [\log^{\epsilon'} n]$, then party $i$ ignores all messages on the point-to-point channel between $i$ and $j$.

 - If $b^{\rho}_{ij} = 1$ then party $i$ sends $(b^{\rho}_{ij}, \rho)$ to party $j$.

2. Round 2:$^{a}$ For each $(i,j,\rho) \in [n] \times [n] \times [\log^{\epsilon'} n]$: If $b^{\rho}_{ij} = 1$ but party $i$ received no message $(b, \rho)$ from party $j$ in the previous round, then $i$ sets $b^{\rho}_{ij} := 0$. For $\rho = 1, \dots, \log^{\epsilon'} n$: Party $i$ sets $\Gamma(i)_{\rho} := \{ j \mid b^{\rho}_{ij} = 1 \}$ to be the set of parties/neighbors $i$ will communicate with in round $\rho$.

3. Round 3: Party $i$ sends $(m, \mathrm{sig}_{sk_i}(m))$ to the parties in $\Gamma(i)_3$.

4. For each round $\rho = 3, \dots, \log^{\epsilon'} n$:

 - For every party $k \in [n] \setminus \{i, j\}$: If a message $(m, \sigma)$, where $\sigma$ is party $i$'s valid signature on $m$, was received for the first time in the previous round $\rho - 1$ from some party in $\Gamma(k)_{\rho-1}$, then party $k$ sends $(m, \sigma)$ to all parties in $\Gamma(k)_{\rho}$ and halts. (If multiple validly signed pairs were received in that round for the first time, then take the first one in a lexicographic order.)

 - For the receiver $j$: If a message $(m, \sigma)$, where $\sigma$ is party $i$'s valid signature on $m$, is received for the first time from some party in $\Gamma(j)_{\rho}$, then output $m$ and halt. (If more than one validly signed pair is received in that round for the first time, then take the first one in a lexicographic order.)

$^{a}$This round is redundant and could be executed at the beginning of the following round. Nonetheless, we include it here because it simplifies the description and it does not affect the (asymptotic) round complexity argument.
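As an added illustration (not code from the paper), the following Python simulation runs the edge-selection setup and the signed-flooding rounds of $\mathrm{AdRMT}^{no\text{-}SKI}$ against an adversary that adaptively corrupts parties as soon as they receive the message; the HMAC stand-in for $\mathrm{sig}_{sk_i}$, the choice $p = \sqrt{3\log_2 n / n}$ for a small $n$, and the adversary's corruption schedule are my assumptions.

```python
"""Simulation of AdRMT^{no-SKI}: random-graph setup plus signed flooding.
Added example; the MAC stand-in for signatures, the concrete p and the
adversary's corruption schedule are assumptions, not the paper's choices."""
import hashlib
import hmac
import math
import random


def sample_setup(n, rounds, p, rng):
    """Rounds 1-2: party i draws b^rho_ij for every j and rho; channel (i,j) is
    used in round rho only if both endpoints chose it.  Returns (gamma, chosen):
    gamma[rho][i] is Gamma(i)_rho and chosen[i] is every j that i ever selected."""
    bits = [[[rng.random() < p for _ in range(n)] for _ in range(n)]
            for _ in range(rounds)]
    gamma = [[set() for _ in range(n)] for _ in range(rounds)]
    chosen = [set() for _ in range(n)]
    for rho in range(rounds):
        for i in range(n):
            for j in range(n):
                if i == j:
                    continue
                if bits[rho][i][j]:
                    chosen[i].add(j)          # i sends (b, rho) to j in round 1
                if bits[rho][i][j] and bits[rho][j][i]:
                    gamma[rho][i].add(j)      # survives the round-2 confirmation
    return gamma, chosen


def sign(key, msg):
    # HMAC-SHA256 stands in for sig_{sk_i}(m); with a real PKI the verifier
    # would use the sender's public key instead of a shared MAC key.
    return hmac.new(key, msg, hashlib.sha256).digest()


def run_rmt(n, sender, receiver, msg, rounds, p, q, budget, seed):
    """Run one AdRMT^{no-SKI} instance from `sender` to `receiver`.  An adaptive
    adversary corrupts up to `budget` of the parties that just received the
    message each round, keeping the total below q*n; corrupted parties drop it."""
    rng = random.Random(seed)
    gamma, chosen = sample_setup(n, rounds, p, rng)
    keys = [hashlib.sha256(b"constructed key %d" % i).digest() for i in range(n)]
    sigma = sign(keys[sender], msg)
    corrupted = set()
    have = {sender}            # parties holding (m, sigma)
    fresh = {sender}           # got it in the previous round: forward now, then halt
    delivered = None
    for rho in range(2, rounds):                    # rounds 3 .. log^{eps'} n
        victims = [k for k in fresh if k not in (sender, receiver)]
        rng.shuffle(victims)
        for k in victims[:budget]:
            if len(corrupted) + 1 < q * n:
                corrupted.add(k)
        nxt = set()
        for k in fresh - corrupted:
            for j in gamma[rho][k]:
                # j only listens on channels it chose; it accepts the first validly signed copy
                if j not in have and hmac.compare_digest(sign(keys[sender], msg), sigma):
                    nxt.add(j)
        have |= nxt
        fresh = nxt
        if receiver in have:
            delivered = rho + 1                     # 1-based protocol round
            break
    honest = [i for i in range(n) if i not in corrupted]
    locality = max(len(chosen[i]) for i in honest)  # parties an honest node ever talks to
    return {"delivered_round": delivered, "corrupted": len(corrupted),
            "locality": locality, "rounds": rounds}


def demo():
    n = 200
    rounds = int(math.log2(n) ** 1.5)             # log^{eps'} n with eps' = 1.5
    p = math.sqrt(3 * math.log2(n) / n)           # so p^2 ~ 3 log n / n (assumption)
    return run_rmt(n, sender=0, receiver=1, msg=b"constructed payload",
                   rounds=rounds, p=p, q=0.3, budget=5, seed=7)


if __name__ == "__main__":
    print(demo())
```

At $n = 200$ the $\sqrt{n}\,\mathrm{polylog}(n)$ locality bound is not yet below $n$, so the reported `locality` mainly shows that honest parties never talk to channels they did not choose; the delivery round is the quantity worth watching.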


Theorem 15. Let $T \subseteq [n]$ be the set of adaptively corrupted parties, $|T| = t < qn$, for any constant $0 < q < 1$. Assuming a PKI, protocol $\mathrm{AdRMT}^{no\text{-}SKI}_{ij}(m)$ is a secure RMT protocol between any two honest nodes $i,j \in [n] \setminus T$, satisfying the following two properties with overwhelming probability:

1. Every party communicates with at most $O(\sqrt{n}\log^{1+\delta} n)$ other parties, for some constant $\delta > 0$.

2. The protocol terminates after $O(\log^{\epsilon''} n)$ rounds, for some constant $\epsilon'' > 0$.

Proof (sketch). The proof that the round complexity is $O(\log^{\epsilon''} n)$ follows along the lines of Theorem 9, because for each pair of honest $i,j \in [n]$ and each $\rho = 1, \dots, \log^{\epsilon'} n$ the set $\Gamma(i)_{\rho}$ is distributed as in an Erdős-Rényi graph $G = G(n, p')$ with $p' = \frac{\log^{2\epsilon} n}{n}$. The communication locality is argued as follows: It follows from a Chernoff bound that in each round $\rho \in \{1, \dots, \log^{\epsilon'} n\}$ each party talks to at most $L = O(\sqrt{n}\log^{1+c} n)$ neighbors, for some constant $c > 0$, except with negligible probability. Thus with overwhelming probability the total number of neighbors that $i$ chooses in all $\log^{\epsilon'} n + 2$ rounds is $O(\sqrt{n}\log^{1+c+\epsilon'} n)$. Because honest parties ignore all parties that they do not choose as neighbors, the total number of parties that party $i$ communicates with is at most $O(\sqrt{n}\log^{1+c+\epsilon'} n)$. □

Given Theorem 15, an MPC protocol with the desired communication-locality and round complexity can be obtained by replacing in protocol $\Pi'_{MPC}$ all invocations of $\mathrm{AdRMT}_{ij}$ with invocations of $\mathrm{AdRMT}^{no\text{-}SKI}_{ij}$. The proof is similar to the proof of Theorem 1.

Theorem 2. Assuming a PKI and the existence of trapdoor permutations with a reversed domain sampler, there exists a protocol for securely evaluating any given $n$-party function against an adaptive adversary who corrupts $t < n/2$ parties. The protocol satisfies the following properties with overwhelming probability:

1. Every party communicates with at most $O(\sqrt{n}\log^{1+\epsilon} n)$ other parties, for some constant $\epsilon > 0$.

2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some constant $\epsilon' > 0$.
A Almost-Everywhere Protocols

Prior to [6], two lines of work have studied the problem of constructing protocols for BA/MPC in which every party communicates with only a few other parties in the protocol:

Protocols on incomplete networks. The vast majority of results for BA and MPC protocols work in a model in which every party involved in the protocol shares a reliable and secure channel with every other party. In large scale networks, such as the internet, such an assumption is infeasible, and this leads us to the question of whether one can construct BA and MPC protocols in which every party communicates only with a few other parties. For the case of BA, the first work to consider this problem was that of Dwork, Peleg, Pippenger, and Upfal [22], who constructed various graphs of specific degrees on which one could run BA protocols. For example, they construct a graph $G$ of degree $d = O(n^{\epsilon})$, for any constant $0 < \epsilon < 1$, along with a BA protocol in which every party in the protocol communicates only with its neighbors in $G$. Such a protocol could tolerate $t = \alpha n$ corrupt parties (for some constant $\alpha < \frac{1}{3}$). As another example, they also construct a graph of constant degree, along with a BA protocol, that could tolerate $t = O(\frac{n}{\log n})$ corrupt parties.

Now, since in their model the communication graph is fixed and chosen prior to the adversary corrupting parties, one cannot hope to achieve BA among all honest parties (as an adversary could always corrupt just the neighbors of some honest party, thereby isolating it). Hence Dwork et al. introduce and achieve the notion of almost-everywhere (a.e.) BA that unavoidably "gives up" $x$ honest nodes (and provides no guarantees for these honest nodes). In their protocols, $x = O(t)$. Somewhat surprisingly, Upfal [30] constructed graphs of constant degree, along with a BA protocol, that could tolerate $t = \alpha n$ corrupt parties (for some constant $\alpha < \frac{1}{3}$); unfortunately, the running time of Upfal's algorithm is exponential (in $n$). To date, the best bounds known in this model are due to Chandran, Garay, and Ostrovsky [12], who achieve a polynomial time BA protocol with parameters $d = O(\log^c n)$ (for some constant $c > 1$), $t = \alpha n$ and $x = $

For the case of secure computation, Garay and Ostrovsky [23] introduced the notion of almost-everywhere MPC (similar in spirit to a.e. BA) and showed how to take any a.e. BA protocol and convert it into an a.e. MPC with the same (asymptotic) parameters. We remark that all the above protocols provide information-theoretic security against an adaptive, computationally-unbounded adversary that can corrupt parties at any time during (or after) the protocol.

Protocols on complete networks. One could also consider a model in which parties are connected by a complete network, but only talk to a few other parties during the protocol. Once again this gives rise to protocols with low communication locality. Indeed, the works of King, Saia, Sanwalani, and Vee [32, 33] consider this model and construct protocols for the task of leader election as well as a.e. Byzantine agreement in which every party has a communication locality of $O(\log^c n)$ (for some constant $c > 1$). In fact, King et al. show a stronger result and construct protocols in which every party only sends $O(\log^c n)$ bits in the entire protocol. However, unlike the works on incomplete networks, the works of King et al. [32, 33] only consider the case of static adversaries (i.e., they are secure only against an adversary that corrupts $t = \alpha n$ of the parties, for some constant $\alpha < \frac{1}{3}$, before the start of the protocol). These works also provide information-theoretic security.


B Proof of Theorem 9 (Adaptively secure RMT)

Hoeffding's Lemma

Lemma 16 (Hoeffding's Inequality [27]). Let $S = \{x_1, \dots, x_N\}$ be a finite set of real numbers with $a = \min_i x_i$ and $b = \max_i x_i$. Let $X_1, \dots, X_n$ be a random sample drawn from $S$ without replacement. Let $\bar{X} = \frac{\sum_{i=1}^{n} X_i}{n}$ and $\mu = \frac{\sum_{i=1}^{N} x_i}{N} = E[X_i]$. Then for all $\delta > 0$,
$$\Pr[\bar{X} - \mu \ge \delta] \le e^{-\frac{2n\delta^2}{(b-a)^2}}.$$

Theorem 9. Let $T \subseteq [n]$ be the set of adaptively corrupted parties, $|T| = t < qn$, for any constant $0 < q < 1$. Assuming a PKI and an SKI, protocol $\mathrm{AdRMT}_{ij}(m)$ is a secure RMT protocol between any two honest nodes $i,j \in [n] \setminus T$, satisfying the following two properties with overwhelming probability:

1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties.

2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some $\epsilon' > 0$.


Proof. In the following, we provide details on the proof sketched in Section 3.2. In particular, we show that there exists a path of length at most $O(\log n)$ between any two honest nodes $i,j \in [n]$ when we consider the collection of communication graphs $\mathcal{G}$ that selects graph $G_i$ as the communication graph in hop $i$. The proof then follows easily, similarly to the proof of Theorem 1. As sketched in Section 3.2, to prove the above statement we proceed in three steps:

1. First, we shall prove in Lemma 10 that at every step of the protocol, even if an adversary corrupts a constant fraction of the nodes in the random graph, the honest neighbors of any set $S$ of size $\le \frac{n}{d}$ that are not in $S$ will be at least of size $kd|S|$, for some appropriate constant $k$ (except with negligible probability).

2. Next, via an application of Hoeffding's inequality, we will prove in Lemma 11 that as long as the adversarial parties are chosen independently of the random neighbors chosen by any party, a constant fraction of the party's neighbors will be honest, except with negligible probability (as long as the adversarial set is of size at most $qn$ for some constant $0 < q < 1$).

3. Finally, using Lemmas 10 and 11, we will show in Lemma 12 that even when an adversary adaptively corrupts parties in every round of the protocol, as long as the parties select a random graph at each round of the protocol, there exists a path of length at most $D = O(\log n)$ between any two honest nodes in $[n]$.

Combining these will give us our main theorem (Theorem 9).

Step 1. To begin, let $\epsilon > 0$, $0 < q < 1$ be constants. Let $d = \log^{1+\epsilon} n$, $p = \frac{d}{n} = \frac{\log^{1+\epsilon} n}{n}$ and $D = O(\log n)$.


Lemma 10. Let $G = G(n,p)$ be a graph on $V = [n]$, and $U \subseteq V$, $|U| \le qn$, chosen adaptively while only learning edges connecting to $U$. Let $G'$ be the induced subgraph on $V' = V \setminus U$. Then, for any constant $0 < k < \frac{1-q}{2}$ there exists a constant $c > 0$ such that, for sufficiently large $n$ and for any $S \subseteq V'$ with $|S| = r \le \frac{n}{d} = \frac{1}{p}$, the set of all neighbors of $S$ that are not in $S$, $\Gamma(S)$, has size at least $kd|S|$ except with negligible probability $\Pr = \left(\frac{1}{n}\right)^{c\log^{\epsilon} n}$.

Proof. Let $0 < k < \frac{1-q}{2}$ and $S \subseteq V'$ with $|S| = r \le \frac{n}{d} = \frac{1}{p}$. Denote $n' = |V'| \ge (1-q)n$. Since each pair of vertices in $G'$ is connected with probability $p$ independently of $U$ and other edges, $G'$ is a random graph $G(n',p)$.

For each $v \in V' \setminus S$, let $X_v$ be the indicator of whether $v \in \Gamma(S) = \Gamma_{G'}(S)$. Then
$$\Pr[X_v = 0] = \Pr[\text{no edge between } v \text{ and any vertex in } S] = (1-p)^r.$$

Since $rp \le 1$,
$$E[X_v] = \Pr[X_v = 1] = 1 - (1-p)^r = rp - \binom{r}{2}p^2 + \dots \ge \frac{rp}{2}.$$

Then
$$E[|\Gamma(S)|] = \sum_{v \notin S} E[X_v] \ge \frac{(n'-r)\,rp}{2}.$$

Since the $X_v$'s are independent, by the Chernoff Bound,
$$\Pr\left[|\Gamma(S)| \le (1-\delta)\frac{(n'-r)\,rp}{2}\right] \le \Pr\left[|\Gamma(S)| \le (1-\delta)E[|\Gamma(S)|]\right] \le e^{-\frac{\delta^2 E[|\Gamma(S)|]}{2}} \le e^{-\frac{\delta^2 (n'-r)\,rp}{4}}.$$

Now let $\delta = 1 - \frac{2kn}{n'-r}$, so that $(1-\delta)\frac{(n'-r)\,rp}{2} = kdr$ (recall $p = \frac{d}{n}$). Since $r \le \frac{n}{d}$, we have $\frac{n'-r}{n} \ge (1-q) - \frac{1}{d}$. Let $n$ be large enough such that $d = \log^{1+\epsilon} n > \frac{2}{1-q-2k}$, i.e., $\frac{1}{d} < \frac{1-q-2k}{2} < 1$. Then
$$\delta \ge \delta_0 := 1 - \frac{2k}{(1-q) - \frac{1-q-2k}{2}} = \frac{(1-q) - 2k}{(1-q) + 2k} > 0.$$

Thus
$$\Pr[|\Gamma(S)| \le kdr] \le e^{-\frac{\delta_0^2 (n'-r)\,rp}{4}} \le \left(\frac{1}{e^{c_0}}\right)^{dr} \le \frac{1}{e^{c_0 d}} = \frac{1}{e^{c_0 \log^{1+\epsilon} n}} = \frac{1}{n^{c\log^{\epsilon} n}},$$
where $c_0 = \frac{\delta_0^2 (1-q+2k)}{8}$ (using $\frac{n'-r}{n} \ge \frac{1-q+2k}{2}$ and $p = \frac{d}{n}$) and $c = c_0 \log e$. □

We now proceed to show that as long as parties pick a fresh random graph in every round of the protocol, there exists at least one path of length at most $D$ between any two honest parties $i,j \in [n]$ that does not include any corrupted party. We formally define this through the notion of reachability with respect to $\mathcal{G}$.

Definition 17. Let $\mathcal{G} = (G_1, \dots, G_D)$ be an ordered collection of graphs on subsets $(V_1, \dots, V_D)$ of $V$. A pair of vertices $v \in V_1$, $v' \in V_l$ are reachable with respect to $\mathcal{G}$ by a path of length $l$ if there exist $v_1, \dots, v_{l-1} \in V$ such that $(v_{i-1}, v_i) \in E(G_i)$ for $i = 1, \dots, l$, where $v_0 = v$ and $v_l = v'$. We denote by $N_l(v) = N_l^{\mathcal{G}}(v) \subseteq V_l$ the subset of all vertices that are reachable from $v$ with respect to $\mathcal{G}$ with a path of length $l$.


Step 2. We first make use of Hoeffding's lemma (stated in Appendix B) in order to prove a lemma that we will use. We show:

Lemma 11. Let $V = [n]$ and $C \subseteq V$, $|C| = m$, be a subset chosen uniformly at random. Let $0 < q < 1$ be a constant and $U \subseteq V$, $|U| = qn$, be a subset chosen independently of $C$. Then, for all $0 < \delta < 1-q$, $|C \setminus U| \ge (1-q-\delta)m$ except with probability $e^{-2m\delta^2}$. In particular, for $m = \log^{1+\epsilon} n$, $|C \setminus U| \ge \frac{1-q}{2}m$ except with negligible probability. Furthermore, for $q = \frac{1}{2} - \epsilon$, $|C \setminus U| \ge \frac{1}{2}m$ except with negligible probability.

Proof. Let $S = \{x_1, \dots, x_n\}$ where $x_i = 1$ if $i \in U$, and $0$ otherwise. Then $a = \min_i x_i = 0$, $b = \max_i x_i = 1$ and $\mu = \frac{\sum_{i=1}^{n} x_i}{n} = q$. For each $i = 1, \dots, m$, let $X_i$ be the indicator of whether the $i$-th element of $C$ is in $U$. Then $X_1, \dots, X_m$ is a random sample drawn from $S$ without replacement, and $|C \cap U| = \sum_{i=1}^{m} X_i = m\bar{X}$.

By Hoeffding's Inequality,
$$\Pr[|C \cap U| \ge (q+\delta)m] = \Pr[\bar{X} - \mu \ge \delta] \le e^{-2m\delta^2}.$$

Therefore, except with probability $e^{-2m\delta^2}$, $|C \setminus U| = m - |C \cap U| \ge (1-q-\delta)m$.

Now let $m = \log^{1+\epsilon} n$ and $\delta = \frac{1-q}{2}$. We have that $|C \setminus U| \ge \frac{1-q}{2}m$ except with probability
$$e^{-2m\left(\frac{1-q}{2}\right)^2} = \frac{1}{n^{c\log^{\epsilon} n}},$$
where $c = \frac{1}{2}(1-q)^2 \log e$.

Finally, let $q = \frac{1}{2} - \epsilon$ and $\delta = \epsilon$. We have that $|C \setminus U| \ge \left(1 - \left(\frac{1}{2} - \epsilon\right) - \epsilon\right)m = \frac{1}{2}m$ except with probability $\frac{1}{n^{c'\log^{\epsilon} n}}$, where $c' = 2\epsilon^2 \log e$. □

Remark 2. Note that this proof allows $U$ to be chosen according to any distribution. The result holds as long as $C$ is chosen uniformly. In particular, we may allow $U$ to be chosen adaptively.
Step 3. We now show:

Lemma 12. Let $G_1, \dots, G_D$ be graphs on $V = [n]$ constructed independently as $G(n,p)$. Let $U_1, U_2, \dots, U_D \subseteq V$ be disjoint subsets with $U = \bigcup_{i=1}^{D} U_i$ such that $|U| = qn$, where $U_j$ is chosen independently from $G_{j+1}, \dots, G_D$, but adaptively, after learning the neighbors of $U_i$ in $G_i$ for $i \le j$. Let $G'_i$ be the induced subgraph on $V_i = V \setminus (\bigcup_{j=1}^{i} U_j)$. Then, except with negligible probability, any pair of vertices $v, v' \in V' = V \setminus U$ are reachable with respect to $\mathcal{G}' = (G'_1, \dots, G'_D)$ by a path of length at most $D$.

Proof. For each $v \in V'$, we will show that, except with negligible probability, there exists $l = l(v) < D$ such that $V' \subseteq N_l(v) \cup N_{l+1}(v)$. Hence, by the union bound over $|V'| = (1-q)n$ vertices, the proposition holds except with negligible probability.

Fix $v \in V'$ and choose a constant $k$ as in Lemma 10. For each $i$, denote $r_i = |N_i(v) \setminus U_{i+1}|$. Note that $\Gamma_{G'_{i+1}}(N_i(v) \setminus U_{i+1}) \subseteq N_{i+1}(v)$. For $i$ such that $r_i \le \frac{n}{d}$, we have
$$|N_{i+1}(v)| \ge |\Gamma_{G'_{i+1}}(N_i(v) \setminus U_{i+1})| \ge kd\,|N_i(v) \setminus U_{i+1}|$$
except with probability $\Pr_i$ by Lemma 10.

Since $U_{i+1}$ is chosen from $V_i$ independently of $N_i(v)$, and $N_i(v)$ is uniform on $V_i$, by Lemma 11, except with negligible probability (call it $P'_i$),
$$|N_i(v) \setminus U_{i+1}| \ge \frac{1-q}{2}\,|N_i(v)|.$$

Inductively, $r_i = |N_i(v) \setminus U_{i+1}| \ge (c_1 d)^i$ for the constant $c_1 = \frac{(1-q)k}{2}$, and $r_i$ eventually exceeds $\frac{n}{d}$, except with probability $\sum_{i=1}^{l_0} (\Pr_i + P'_i)$, where $l_0$ is the largest integer such that $r_{l_0} \le \frac{n}{d}$. Since $l_0 \le D = O(\log n)$ (as $d \to \infty$ with $n$), this probability is negligible.

Let $n' = |V'| = (1-q)n$. There are two possibilities for $r_{l_0+1} = |N_{l_0+1}(v) \setminus U_{l_0+2}|$: either 1) $\frac{n}{d} < r_{l_0+1} \le \frac{n'}{2}$, or 2) $r_{l_0+1} > \frac{n'}{2}$.

Case 1: Assume that $\frac{n}{d} < r_{l_0+1} \le \frac{n'}{2}$. Denote $r = r_{l_0+1}$ and $n_0 = |V_{l_0+2}| \ge n'$. Then $rp = \frac{rd}{n} > 1$. For sufficiently large $n$, we have $(1-p)^r \approx e^{-rp}$. Thus, $E[|\Gamma(N_{l_0+1}(v) \setminus U_{l_0+2})|] \approx (n_0 - r)(1 - e^{-rp})$. As in the proof of Lemma 10, by the Chernoff bound, we have
$$\Pr\left[|\Gamma(N_{l_0+1}(v) \setminus U_{l_0+2})| \le \frac{n_0}{8}\right] \le \exp\left(-\frac{1}{2}\left(1 - \frac{n_0}{8(n_0-r)(1-e^{-rp})}\right)^2 (n_0-r)(1-e^{-rp})\right) \le \frac{1}{e^{c' n_0}} \le \frac{1}{e^{c' n'}},$$
for a constant $c' > 0$, as $1 - e^{-1} \le 1 - e^{-rp} \le 1$ and $\frac{1}{2} \le \frac{n_0 - r}{n_0} \le 1$. Thus, except with negligible probability,
$$r_{l_0+2} = |N_{l_0+2}(v) \setminus U_{l_0+3}| \ge \frac{1-q}{2}\,|\Gamma(N_{l_0+1}(v) \setminus U_{l_0+2})| \ge \frac{1-q}{16}\,n_0 \ge \frac{1-q}{16}\,n'$$
by Lemma 11. In this case, let $l = l_0 + 2$.

Case 2: $r_{l_0+1} > \frac{n'}{2}$. In this case, let $l = l_0 + 1$.

In both cases, we have $|N_l(v) \setminus U_{l+1}| = r_l \ge c_2 n'$ for some constant $0 < c_2 < 1$ except with negligible probability. Then, for each $u \in V' \setminus N_l(v)$, the probability that $u$ does not connect to any vertex in $N_l(v) \setminus U_{l+1}$ is $(1-p)^{r_l} \approx e^{-r_l p} \le \frac{1}{n^{c_3 \log^{\epsilon} n}}$, where $c_3 = c_2(1-q)\log e$. By the union bound, the probability that any node in $V' \setminus N_l(v)$ is not in $\Gamma(N_l(v) \setminus U_{l+1}) \subseteq N_{l+1}(v)$ is at most $\frac{1}{n^{c_3 \log^{\epsilon} n - 1}}$, which is negligible. Hence, except with negligible probability, $V' \subseteq N_l(v) \cup \Gamma(N_l(v)) \subseteq N_l(v) \cup N_{l+1}(v)$. Therefore, any $v' \in V'$ is reachable from $v$ by a path of length at most $D$. □

This completes the proof of Theorem 9. ■
Abstract

In this paper, we introduce two new cryptographic primitives: functional digital signatures and functional pseudorandom functions.

In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function $f$, which allow one to sign any message in the range of $f$. As a special case, this implies the ability to generate keys for predicates $P$, which allow one to sign any message $m$ for which $P(m) = 1$.

We show applications of functional signatures to constructing succinct non-interactive arguments and delegation schemes. We give several general constructions for this primitive based on different computational hardness assumptions, and describe the trade-offs between them in terms of the assumptions they require and the size of the signatures.

In a functional pseudorandom function, in addition to a master secret key that can be used to evaluate the pseudorandom function $F$ on any point in the domain, there are additional secret keys for a function $f$, which allow one to evaluate $F$ on any $y$ for which there exists an $x$ such that $f(x) = y$. As a special case, this implies pseudorandom functions with selective access, where one can delegate the ability to evaluate the pseudorandom function on inputs $y$ for which a predicate $P(y) = 1$ holds. We define and provide a sample construction of a functional pseudorandom function family for prefix-fixing functions.

This work appeared in part as the Master Thesis of Ioana Ivan filed May 22 at MIT. We note that independently the notion of pseudorandom functions with selective access was studied by Boneh-Waters under the name of constrained pseudorandom functions [BW13] and by Kiayias, Papadopoulos, Triandopoulos and Zacharias under the name delegatable pseudorandom functions [KPTZ13]. Subsequent to our posting of an earlier manuscript of this work, Bellare and Fuchsbauer [BF13] and Backes, Meiser, and Schroder [BMS13] additionally posted similar results on functional signatures.
1 Introduction

We introduce new cryptographic primitives with a variety of accompanying constructions: functional digital signatures (FDS), functional pseudorandom functions (F-PRF), and pseudorandom functions with selective access (PRF-SA).$^{1}$

Functional  Signatures 

In digital signature schemes, as defined by Diffie and Hellman [DH76], a signature on a message provides information which enables the receiver to verify that the message has been created by a proclaimed sender. The sender has a secret signing key, used in the signing process, and there is a corresponding verification key, which is public and can be used by anyone to verify that a signature is valid. Following Goldwasser, Micali and Rackoff [GMR88], the standard security requirement for signature schemes is unforgeability against chosen-message attack: an adversary that runs in probabilistic polynomial time and is allowed to request signatures for a polynomial number of messages of his choice cannot produce a signature of any new message with non-negligible probability.

In this work, we extend the classical digital signature notion to what we call functional signatures. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are secondary signing keys for functions $f$ (called $sk_f$), which allow one to sign any message in the range of $f$. These additional keys are derived from the master signing key. The notion of security we require such a signature scheme to satisfy is that any probabilistic polynomial time (PPT) adversary, who can request signing keys for functions $f_1, \dots, f_l$ of his choice, and signatures for messages $m_1, \dots, m_q$ of his choice, can only produce a signature of a message $m$ with non-negligible probability if $m$ is equal to one of the queried messages $m_1, \dots, m_q$, or if $m$ is in the range of one of the queried functions $f_1, \dots, f_l$.

An immediate application of a functional signature scheme is the ability to delegate the signing process from a master authority to another party. Suppose someone wants to allow their assistant to sign on their behalf only those messages with a certain tag, such as "signed by the assistant". Let $P$ be a predicate that outputs 1 on messages with the proper tag, and 0 on all other messages. In order to delegate the signing of this restricted set of messages, one would give the assistant a signing key for the following function:
$$f(m) := \begin{cases} m & \text{if } P(m) = 1 \\ \bot & \text{otherwise} \end{cases}$$

$P$ could also be a predicate that checks if the message does not contain a given phrase, or if it is related to a certain subject, or if it satisfies a more complex policy.

Another application of functional signatures is to certify that only allowable computations were performed on data. For example, imagine the setting of a digital camera that produces signed photos (i.e., the original photos produced by the camera can be certified). In this case, one may want to allow photo-processing software to perform minor touch-ups of the photos, such as changing the color scale or removing red-eye, but not allow more significant changes such as merging two photos or cropping a picture. But how can an original photo which is slightly touched-up be distinguished from one which is the result of a major change? Functional signatures can naturally address this problem by providing the photo-processing software with keys which enable it to sign only the allowable modifications of an original photograph. Generalizing, we think of a client and a server (e.g., photo-processing software), where the client provides the server with data (e.g., signed original photos, text documents, medical data) which he wants to be processed in a restricted fashion. A functional signature of the processed data provides proof of allowable processing.

Functional signatures can also be used to construct a delegation scheme. In this setting, there is a client who wants to allow a more powerful server to compute a function $f$ on inputs chosen by the client, and wants to be able to verify that the result returned by the server is correct. The verification process should be more efficient than for the client to compute $f$ himself. The client can give the server a key for the function $f'(x) = (f(x)\|x)$. To prove that $y = f(x)$, the prover gives the client a signature of $y\|x$, which he could only have obtained if $y\|x$ is in the range of $f'$, that is, if $y = f(x)$.

$^{1}$We note that independently (and unknown to the authors) the notion of pseudorandom functions with selective access was studied by Boneh-Waters under the name of constrained pseudorandom functions [BW13] and by Kiayias, Papadopoulos, Triandopoulos and Zacharias under the name delegatable pseudorandom functions [KPTZ13]. Subsequent to our posting of an earlier manuscript of this work, [BF13] and [BMS13] have additionally posted similar results on functional signatures.

A desirable property of a functional signature scheme is function privacy: the signature should reveal neither the function f that the secret key used in the signing process corresponds to, nor the message m that f was applied to. In the example with the signed photos, one might not wish to reveal the original image, just that the final photographs were obtained by running one of the allowed functions on some image taken with the camera.

An additional desirable property is succinctness: the size of the signature should only depend on the size of the output f(m) and the security parameter (or just the security parameter), rather than the size of the circuit for computing f.

Functional Pseudorandomness

Pseudorandom functions, introduced by Goldreich, Goldwasser, and Micali [GGM86], are a family of indexed functions F = {F_s} such that: (1) given the index s, F_s can be efficiently evaluated on all inputs; (2) no probabilistic polynomial-time algorithm without s can distinguish evaluations F_s(x_i) for inputs x_i of its choice from random values. Pseudorandom functions are useful for numerous symmetric-key cryptographic applications, including generating passwords, identify-friend-or-foe systems, and symmetric-key encryption secure against chosen ciphertext attacks. In the public-key setting, there is a construction of digital signatures from pseudorandom functions [BG89], via the following paradigm: one may publish a commitment to the secret key s and henceforth be able to prove that y = F_s(x) for a pair (x, y) via a non-interactive zero-knowledge (NIZK) proof.

In this work, we extend pseudorandom functions to a primitive which we call functional pseudorandom functions (F-PRF). The idea is that in addition to a master secret key (that can be used to evaluate the pseudorandom function F_s on any point in the domain), there are additional secret keys sk_f per function f, which allow one to evaluate F_s on any y for which there exists x such that f(x) = y (i.e., y ∈ Range(f)). An immediate application of such a construct is to specify succinctly the randomness to be used by parties in a randomized distributed protocol with potentially faulty players, so as to force honest behavior. A centralized authority holds a description of an index s of a pseudorandom function F_s. One may think of this authority as providing a service which dispenses pseudorandomness (alternatively, the secret s can be shared among players in an MPC). The authority provides each party id with a secret key sk_id which enables party id to (1) evaluate F_s(y) whenever y = "id||h", where h corresponds to, say, the public history of communication, and (2) use F_s(y) as her next sequence of coins in the protocol. To prove that the appropriate randomness was used, id can utilize NIZK proofs. An interesting open question is how to achieve a verifiable F-PRF, where there is additional information vk_s that can be used to verify that a given pair (x, F_s(x)) is valid, without assuming the existence of an honestly generated common reference string, as in the NIZK setting. Note that in this example the function f(x) = y is simply the function which appends the string prefix id to x. We note that there are many other ways to force the use of proper randomness in MPC protocols by dishonest parties, starting with the classical paradigm [GM82, GMW86] where parties interact to execute a "coin flip in the well" protocol forcing players to use the results of these coins, but we find the use of F-PRF appealing in its simplicity, lack of interaction and potential efficiency.

The notion of functional pseudorandom functions has many variations. One natural variant that immediately follows is pseudorandom functions with selective access: start with a pseudorandom function as defined in [GGM86], and add the ability to generate secondary keys sk_{P_i} (per predicate P_i) which enable computing F_s(x) whenever P_i(x) = 1. This is a special case of F-PRF, as we can take the secret key for predicate P_i to be sk_{f_i} where f_i(x) = x if P_i(x) = 1 and ⊥ otherwise. The special case of punctured PRFs, in which secondary keys allow computing F_s(x) on all inputs except one, is similarly implied and has recently been shown to have important applications (e.g., [SW13, HSW13]). Another variant is hierarchical pseudorandom functions, with an additional property that parties with functional keys sk_f may also generate subordinate keys sk_g for functions g of the form g = f ∘ f' (i.e., first evaluate some function f', then evaluate f). Note that the range of such a composition g is necessarily contained within the range of f.

Independent Work. A preliminary version of this work appeared in a Masters Thesis submitted on May 22, 2013. We note that independently (and unknown to the authors) the notion of pseudorandom functions with selective access was studied by Boneh-Waters under the name of constrained pseudorandom functions [BW13] and by Kiayias, Papadopoulos, Triandopoulos and Zacharias under the name delegatable pseudorandom functions [KPTZ13]. Subsequent to our posting of an earlier manuscript of this work, [BF13] and [BMS13] have additionally posted similar results on functional signatures.

1.1 Our Results on Functional Signatures and Their Applications

We provide a construction of functional signatures achieving function privacy and succinctness, assuming the existence of succinct non-interactive arguments of knowledge (SNARKs) and (standard) non-interactive zero-knowledge arguments of knowledge (NIZKAoKs) for NP languages.

As a building block, we first give a construction of a functional signature scheme that is not succinct or function private, based on a much weaker assumption: the existence of one-way functions.

Theorem 1.1 (Informal). Based on any one-way function, there exists a functional signature scheme that supports signing keys for any function f computable by a polynomial-sized circuit. This scheme satisfies the unforgeability requirement for functional signatures, but not function privacy or succinctness.

Overview of the construction: The master signing and verification keys for the functional signature scheme will correspond to a key pair, (msk, mvk), in an underlying (standard) signature scheme.

To generate a signing key for a function f, we do the following. First, sample a fresh signing and verification key pair (sk', vk') in the underlying signature scheme, and sign the concatenation f|vk' using msk. The signing key for f consists of this signature together with sk'. Given this signing key, a user can sign any message m* = f(m) by signing m using sk', and outputting this signature, together with the signature of f|vk' given as part of sk_f.

We now show how to use a SNARK system, together with this initial construction, to construct a succinct, function-private functional signature scheme.

A SNARK system for an NP language L with corresponding relation R is an extractable proof system where the size of a proof is sublinear in the size of the witness corresponding to an instance. SNARK schemes have been constructed under various non-falsifiable assumptions. Bitansky et al. [BCCT13] construct zero-knowledge SNARKs where the length of the proof and the verifier's running time are bounded by a polynomial in the security parameter and the logarithm of the running time of the corresponding relation R(x, w), assuming the existence of collision-resistant hash functions and a knowledge of exponent assumption.² (More details are given in Section 2.3.)

Theorem 1.2 (Informal). Assuming the existence of succinct non-interactive arguments of knowledge (SNARKs), NIZKAoK for NP languages, and a functional signature scheme that is not necessarily function-private or succinct, there exists a succinct, function-private functional signature scheme that supports signing keys for any function f computable by a polynomial-sized circuit.

Overview of the construction: Our construction makes use of a non-succinct, non-function-private functional signature scheme FS1 (which exists based on one-way functions by our construction above), and a zero-knowledge SNARK system for NP.

In the setup algorithm for our functional signature scheme, we sample a key pair (msk, mvk) for the functional signature scheme FS1, and a common reference string crs for the SNARK system. We use msk as the new master signing key and (mvk, crs) as the new master verification key. The key generation algorithm is the same as in the underlying functional signature scheme FS1. To sign a message m* using a resulting key sk_f, we generate a zero-knowledge SNARK for the following statement: ∃σ such that σ is a valid signature of m* under mvk in the functional signature scheme FS1. To verify the signature, we run the verification algorithm for the SNARK argument system.

² In [BCCT12], Bitansky et al. also show that any SNARK + NIZKAoK directly yield a zero-knowledge (ZK)-SNARK with analogous parameters.

Resorting to non-falsifiable assumptions, albeit strong ones, seems necessary to obtain succinctness for functional signatures. We show that, given a functional signature scheme with short signatures, we can construct a SNARG system.

Theorem 1.3 (Informal). If there exists a functional signature scheme supporting keys for all polynomial-sized circuits f, that has short signatures (i.e., of size $\mathrm{poly}(k) \cdot (|f(m)| + |m|)^{o(1)}$ for security parameter k), then there exists a SNARG scheme with preprocessing for any language L ∈ NP with proof size $\mathrm{poly}(k) \cdot (|w| + |x|)^{o(1)}$, where w is the witness and x is the instance.

The main idea in the SNARG construction is for the verifier (CRS generator) to give out a single signing key sk_f for a function whose range consists of exactly those strings that are in L. Then, with sk_f, the prover will be able to sign only those messages x that are in the language L, and thus can use this (short) signature as his proof.

Gentry and Wichs showed in [GW11] that SNARG schemes with proof size $\mathrm{poly}(k) \cdot (|w| + |x|)^{o(1)}$ cannot be obtained using black-box reductions to falsifiable assumptions. We can thus conclude that in order to obtain a functional signature scheme with signature size $\mathrm{poly}(k) \cdot (|f(m)| + |m|)^{o(1)}$ we must either rely on non-falsifiable assumptions (as in our SNARK construction) or make use of non-black-box techniques.

Finally, we can construct a scheme which satisfies unforgeability and function privacy but not succinctness based on the weaker assumption of non-interactive zero-knowledge arguments of knowledge (NIZKAoK) for NP.

Theorem 1.4 (Informal). Assuming the existence of non-interactive zero-knowledge arguments of knowledge (NIZKAoK) for NP, there exists a functional signature scheme that supports signing keys for any function f computable by a polynomial-sized circuit. This scheme satisfies function privacy, but not succinctness: the size of the signature is dependent on the size of f and m.

Overview of the construction: The construction is analogous to the SNARK-based construction above, with the SNARK system replaced with a NIZKAoK system. Namely, a signature will be a NIZKAoK for the following statement: ∃σ such that σ is a valid signature of m* under mvk, in an underlying non-succinct, non-function-private functional signature scheme, as before (recall such a scheme exists based on OWF). The signature size is now polynomial in the size of σ, which, if m* = f(m) and σ was generated using sk_f, is itself polynomial in the security parameter, |m|, and |f|.

1.1.1 Relation to Delegation

Functional signatures are highly related to delegation schemes. A delegation scheme allows a client to outsource the evaluation of a function f to a server, while allowing the client to verify the correctness of the computation more efficiently than computing the function himself. We show that given any functional signature scheme supporting a class of functions P, we can obtain a delegation scheme in the preprocessing model for functions in P, with related parameters.

Theorem 1.5 (Informal). If there exists a functional signature scheme for function class P, with signature size s(k) and verification time t(k), then there exists a one-round delegation scheme for functions in P, with server message size s(k) and client verification time t(k).

Overview of the construction: The client can give the server a key sk_{f'} for the function f'(x) = (f(x)|x). To prove that y = f(x), the prover gives the client a signature of y|x, which he could only have obtained if y|x is in the range of f'; that is, if y = f(x). The length of a proof is equal to the length of a signature in the functional signature scheme, s(k), and the verification time for the delegation scheme is equal to the verification time of the functional signature scheme.
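The two constructions sketched above, the one-way-function based functional signature scheme of Theorem 1.1 (certify f|vk' under msk, then sign m under sk') and the delegation scheme of Theorem 1.5 built from a key for f'(x) = (f(x)|x), are illustrated by the following added example. It is not code from the paper or from the PROCEED project. It instantiates the underlying signature scheme with a toy Lamport one-time signature over SHA-256 digests (so every key pair signs exactly once), identifies functions by a name looked up in a registry that signer and verifier share (a demo assumption), and checks that a key for the tag predicate from the introduction yields no signature for an untagged message and that a signature does not verify for any m* other than f(m):

```python
import hashlib
import os

# --- Toy building block: Lamport one-time signatures over SHA-256 digests. ---
# Built from a hash function alone, in keeping with the one-way-function
# setting of Theorem 1.1. Caveat: a Lamport key pair may sign ONE message only,
# so every key pair in this demo signs exactly once.

def lamport_gen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    vk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, vk

def _digest_bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    # Reveal, for each digest bit, the preimage selected by that bit.
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]

def lamport_verify(vk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == vk[i][b]
               for i, (b, s) in enumerate(zip(_digest_bits(msg), sig)))

def _encode_vk(vk):
    return b"".join(h for pair in vk for h in pair)

# --- Functional signatures: the non-succinct, non-function-private scheme. ---
# Demo assumption: functions are identified by a name that both signer and
# verifier resolve through this registry; the name is what msk certifies.

def tagged_only(m):
    # The introduction's predicate function: m if P(m) = 1, else ⊥ (None).
    return m if m.startswith(b"[MEMO] ") else None

def checksum_with_input(x):
    # f'(x) = f(x)|x for f = one-byte checksum; used for the delegation demo.
    return bytes([sum(x) % 256]) + b"|" + x

FUNCTIONS = {b"tagged_only": tagged_only,
             b"checksum_with_input": checksum_with_input}

def fs_setup():
    return lamport_gen()          # (msk, mvk)

def fs_keygen(msk, fname):
    # Fresh (sk', vk'); the master key certifies the concatenation f|vk'.
    sk2, vk2 = lamport_gen()
    cert = lamport_sign(msk, fname + b"|" + _encode_vk(vk2))
    return {"fname": fname, "sk": sk2, "vk": vk2, "cert": cert}

def fs_sign(skf, m):
    # Output m* = f(m) with a signature on m under sk' plus the certificate.
    mstar = FUNCTIONS[skf["fname"]](m)
    if mstar is None:
        return None, None         # f(m) = ⊥: this key cannot sign m
    sig = {"fname": skf["fname"], "vk": skf["vk"], "cert": skf["cert"],
           "m": m, "sig_m": lamport_sign(skf["sk"], m)}
    return mstar, sig

def fs_verify(mvk, mstar, sig):
    f = FUNCTIONS.get(sig["fname"])
    if f is None:
        return False
    if not lamport_verify(mvk, sig["fname"] + b"|" + _encode_vk(sig["vk"]), sig["cert"]):
        return False
    if not lamport_verify(sig["vk"], sig["m"], sig["sig_m"]):
        return False
    return f(sig["m"]) == mstar   # the signed m must map to the claimed m*

def demo():
    msk, mvk = fs_setup()
    sk_tag = fs_keygen(msk, b"tagged_only")
    mstar, sig = fs_sign(sk_tag, b"[MEMO] Rotate the staging credentials")
    ok = fs_verify(mvk, mstar, sig)
    tampered = fs_verify(mvk, b"[MEMO] Rotate the production credentials", sig)
    _, rejected = fs_sign(sk_tag, b"wire funds")   # untagged: f(m) = ⊥
    # Delegation: the server holds sk_{f'} and returns y|x with its signature.
    msk2, mvk2 = fs_setup()
    sk_del = fs_keygen(msk2, b"checksum_with_input")
    x = b"\x01\x02\x03"
    ystar, proof = fs_sign(sk_del, x)
    delegated_ok = fs_verify(mvk2, ystar, proof) and ystar.startswith(bytes([6]))
    return ok, tampered, rejected is None, delegated_ok

if __name__ == "__main__":
    print(demo())   # (True, False, True, True)
```

The signature carries m and the name of f in the clear, which is exactly why this scheme is neither function-private nor succinct; the SNARK- and NIZKAoK-based constructions wrap this whole tuple inside a proof of knowledge instead of revealing it.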

1.2 Summary of our Results on Functional Pseudorandom Functions and Selective Pseudorandom Functions

We present formal definitions and constructions of functional pseudorandom functions (F-PRF) and pseudorandom functions with selective access (PRF-SA). In particular, we present a construction based on the existence of one-way functions of a functional pseudorandom function family supporting the class of prefix-fixing functions. Our construction is based on the Goldreich-Goldwasser-Micali (GGM) tree-based PRF construction [GGM86].

Theorem 1.6 (Informal). Assuming the existence of OWF, there exists a functional PRF that supports keys for the following class of functions related to prefix matching: $F_{pre} = \{f_z \mid z \in \{0,1\}^m, m \le n\}$, where f_z(x) = x if z is a prefix of x, and ⊥ otherwise. The pseudorandomness property holds against a selective adversary, who declares the functions he will query before seeing the public parameters.

We remark that one can directly obtain a fully secure F-PRF for F_pre, in which security holds against an adversary who adaptively requests key queries, from our selectively secure construction, with a loss of $2^{-n}$ in security for each functional secret key sk_{f_z} queried by the adversary. This is achieved simply by guessing the adversary's query f_z ∈ F_pre. For appropriate choices of the input length n, security of the underlying OWF, and number of key queries, this still provides the required security.

Overview of the construction. We show that the original Goldreich-Goldwasser-Micali (GGM) tree-based construction [GGM86] provides the desired functionality, where the functional key sk_f corresponding to a prefix-fixing function $f_z(x) = z_1 z_2 \cdots z_i x_{i+1} \cdots x_n$ will be given by the partial evaluation of the PRF down the tree, at the node corresponding to prefix $z_1 z_2 \cdots z_i$.

This partial evaluation clearly enables a user to compute all possible continuations in the evaluation tree, corresponding to the output of the PRF on any input possessing prefix z. Intuitively, security holds since the other partial evaluations at this level i in the tree still appear random given the evaluation sk_f (indeed, this corresponds to a truncated i-bit input GGM construction).

Punctured pseudorandom functions. Punctured pseudorandom functions [SW13] are a special case of functional PRFs where one can generate keys for the function family F = {f_x(y) = y if y ≠ x, and ⊥ otherwise}. Namely, a key for function f_x allows one to compute the pseudorandom function on any input except for x. Punctured PRFs have recently proven useful as one of the main techniques used in proving the security of various cryptographic primitives based on the existence of indistinguishability obfuscation. Some examples include a construction of public-key encryption from symmetric-key encryption and the construction of deniable encryption given by Sahai and Waters in [SW13], as well as an instantiation of random oracles with a concrete hash function for full-domain hash applications by Hohenberger et al. in [HSW13].

We note that the existence of a functional PRF for the prefix-fixing function family gives a construction of punctured PRFs. A key that allows one to compute the PRF on all inputs except $x = x_1 \ldots x_n$ consists of n functional keys for the prefix-fixing function family for the prefixes $\bar{x}_1,\ x_1 \bar{x}_2,\ x_1 x_2 \bar{x}_3,\ \ldots,\ x_1 x_2 \cdots x_{n-1} \bar{x}_n$, that is, each prefix of x with its last bit complemented. We remark that while n prefix-matching keys are revealed, there are only $2^n$ such sets of keys (corresponding to the $2^n$ choices for the punctured input x), and thus we lose only $2^{-n}$ security when complexity leveraging from selective to full security. For appropriate choice of underlying OWF security, this yields fully secure punctured PRFs for any desired poly-sized inputs, based on OWFs.

Corollary 1.7. Assuming the existence of OWF, there exists a (fully) secure punctured PRF for any desired poly-size input length.

Other notions. Our construction has the additional beneficial property of hierarchical key generation: i.e., a party with a functional key sk_{f_z} for a prefix z may generate valid "subordinate" functional keys sk_{f_{z'}} for any prefix z' = z|*. That is, we prove the following additional statement.

Corollary 1.8 (Informal). Assuming the existence of OWF, there exists a hierarchical functional PRF for the class of functions F_pre.
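The GGM-based construction (a prefix-fixing key is the partial evaluation at the node for z), the punctured key assembled from n sibling prefix keys, and hierarchical key generation for z' = z|* are demonstrated together in the following added example, which is not code from the paper. It instantiates the length-doubling PRG with SHA-256 (an assumption; any PRG works), represents inputs as lists of bits, and returns None for ⊥. The key handed to party id in the randomness-dispensing application of the introduction is simply prefix_key(seed, id):

```python
import hashlib

def prg(node, bit):
    # Length-doubling PRG G(s) = (G_0(s), G_1(s)), instantiated here with
    # SHA-256 (demo assumption); GGM only requires some PRG.
    return hashlib.sha256(node + bytes([bit])).digest()

def ggm_eval(seed, x):
    # Full evaluation F_s(x): walk the tree following the bits of x.
    node = seed
    for b in x:
        node = prg(node, b)
    return node

def prefix_key(seed, z):
    # Functional key sk_{f_z}: the partial evaluation at the node for prefix z.
    return {"prefix": tuple(z), "node": ggm_eval(seed, z)}

def eval_with_prefix_key(key, x):
    # F_s(x) when z is a prefix of x; otherwise f_z(x) = ⊥, returned as None.
    z = key["prefix"]
    if len(x) < len(z) or tuple(x[:len(z)]) != z:
        return None
    node = key["node"]
    for b in x[len(z):]:
        node = prg(node, b)
    return node

def delegate(key, extra):
    # Hierarchical key generation: derive sk_{f_{z|extra}} from sk_{f_z}
    # without knowing the master seed s.
    node = key["node"]
    for b in extra:
        node = prg(node, b)
    return {"prefix": key["prefix"] + tuple(extra), "node": node}

def puncture(seed, x):
    # Punctured key for x: n prefix keys, the i-th fixing x_1...x_{i-1} and the
    # complement of x_i. Together they cover every n-bit input except x.
    return [prefix_key(seed, list(x[:i]) + [1 - x[i]]) for i in range(len(x))]

def eval_punctured(pkey, y):
    # The key whose prefix diverges from x exactly where y does evaluates y;
    # for y = x no key applies and the result is ⊥ (None).
    for key in pkey:
        out = eval_with_prefix_key(key, y)
        if out is not None:
            return out
    return None

def bits(n, width):
    return [(n >> (width - 1 - i)) & 1 for i in range(width)]

def demo():
    seed = b"\x11" * 32            # constructed master seed s
    x = bits(0b1011, 4)            # the punctured point
    k = prefix_key(seed, [1, 0])   # sk_{f_z} for z = 10
    pk = puncture(seed, x)
    return (eval_with_prefix_key(k, x) == ggm_eval(seed, x),   # prefix matches
            eval_with_prefix_key(k, [0, 1, 1, 1]) is None,      # prefix differs
            eval_punctured(pk, x) is None,                       # x is excluded
            all(eval_punctured(pk, bits(n, 4)) == ggm_eval(seed, bits(n, 4))
                for n in range(16) if bits(n, 4) != x),
            delegate(k, [1])["node"] == prefix_key(seed, [1, 0, 1])["node"])

if __name__ == "__main__":
    print(demo())   # (True, True, True, True, True)
```

Holding sk_{f_z} reveals nothing about siblings of the node for z, which is the intuition behind the security argument above: the other partial evaluations at depth |z| are outputs of a truncated GGM construction on which the key holder has no handle.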

Recall that we can also view the prefix-matching function as a predicate allowing only signatures of messages that begin with a prefix z. As an immediate corollary of the above, we achieve (hierarchical) functional PRFs with selective access for the corresponding class of prefix-matching predicates:

Corollary 1.9 (Informal). Assuming the existence of OWF, there exists a (hierarchical) functional PRF with selective access for the class of prefix-matching predicates $P_{pre} = \{P_z \mid z \in \{0,1\}^m, m \le n\}$, where P_z(x) = 1 if z is a prefix of x, and 0 otherwise. The pseudorandomness property holds against a selective adversary (or against an adaptive adversary, with a security loss of $2^{-n}$ per key query).

1.3 Open Problems

The size of the signatures in our SNARK-based functional signature scheme is dependent only on the security parameter, but it is based on non-falsifiable assumptions. In Section 4, we show that, for a functional signature scheme that supports signing keys for a function f, a signature of y = f(x) cannot be sublinear in the size of y or x, unless the construction is either proven secure under a non-falsifiable assumption or makes use of non-black-box techniques. No lower bound exists that relates the size of the signature to the description of f. Constructing functional signatures with short (sublinear in the size of the functions supported) signatures and verification time under falsifiable assumptions remains an open problem.

An interesting problem left open by this work is to construct a functional PRF that is also verifiable. A verifiable PRF, introduced by Micali, Rabin and Vadhan in [MRV99], has the property that, in addition to the secret seed of the PRF, there is a corresponding public key and a way to generate a proof π_x given the secret seed, such that given the public key, x, y and π_x one can check that y is indeed the output of the PRF on x. The public parameters and the proof should not allow an adversary to distinguish the outputs of the PRF from random on any point for which the adversary has not received a proof. A construction of standard verifiable PRFs was given by Lysyanskaya based on the many-DH assumption in bilinear groups in [Lys02].

One may extend the notion of verifiable PRFs to the setting of functional PRFs by enabling a user with functional key sk_f to also generate verifiable proofs π_x of correctness for evaluations of the PRF on inputs x for which his key allows. We note that such a verifiable functional pseudorandom function family supporting keys for a function class F implies a functional signature scheme that supports signing keys for the same function class, so the lower bound mentioned for functional signatures applies also to the proofs output in the verifiable functional PRF context.

1.4 Other Related Work

Functional Encryption. This work is inspired by recent results on the problem of functional encryption, which was introduced by Sahai and Waters in [SW05], and formalized by Boneh et al. in [BSW11]. In the past few years there has been significant progress on constructing functional encryption schemes for general classes of functions (e.g., [GVW12, GKP+12, GKP+13]). In this setting, a party with access to a master secret key can generate secret keys for any function f, which allows a third party who has this secret key and an encryption of a message m to learn f(m), but nothing else about m. In [GKP+12], Goldwasser et al. construct a functional encryption scheme that can support general functions, where the ciphertext size grows with the maximum depth of the functions for which keys are given. They improve this result in a follow-up work [GKP+13], which constructs a functional encryption scheme that supports decryption keys for any Turing machine. Both constructions are secure according to a simulation-based definition, as long as a single key is given out. In [AGVW13], Agrawal et al. show that constructing functional encryption schemes achieving this notion of security in the presence of an unbounded number of secret keys is impossible for general functions. In contrast, no such impossibility results are known in the setting of functional signatures.

Connections to Obfuscation. The goal of program obfuscation is to construct a compiler O that takes as input a program P and outputs a program O(P) that preserves the functionality of P, but hides all other information about the original program. In [BGI+01] Barak et al. formalize this, requiring that, for every adversary having access to an obfuscation of P that outputs a single bit, there exists a simulator that only has black-box access to P and whose output is statistically close to the adversary's output:

$$\left| \Pr[A(O(P)) = 1] - \Pr[S^{P}(1^{|P|}) = 1] \right| = \mathrm{negl}(|P|)$$

Barak et al. [BGI+01] construct a class of programs and an adversary for which no simulator can exist, therefore showing that this definition is not achievable for general functions. Furthermore, in [GK05], Goldwasser and Kalai give evidence that several natural cryptographic algorithms, including the signing algorithm of any unforgeable signature scheme, are not obfuscatable with respect to this strong definition.

Consider the function Sign ∘ f, where Sign is the signing algorithm of an unforgeable signature scheme, f is an arbitrary function and ∘ denotes function composition. Based on the results in [GK05] we would expect this function not to be obfuscatable according to the black-box simulation definition. A meaningful relaxation of the definition is that, while having access to an obfuscation of this function might not hide all information about the signing algorithm, it does not completely reveal the secret key, and does not allow one to sign messages that are not in the range of f. In our functional signature scheme, the signing key corresponding to a function f achieves exactly this definition of security, and we can think of it as an obfuscation of Sign ∘ f according to this relaxed definition. Indeed, it has recently come to our attention that Barak in an unpublished manuscript has considered delegatable signatures, a highly related concept.

Homomorphic Signatures. Another related problem is that of homomorphic signatures. In a homomorphic signature scheme, a user signs several messages with his secret key. A third party can then perform arbitrary computations over the signed data, and obtain a new signature that authenticates the resulting message with respect to this computation. In [GW12], Gennaro and Wichs construct homomorphic message authenticators, which satisfy a weaker unforgeability notion than homomorphic signatures, in that the verification is done with respect to a secret key unknown to the adversary. They impose an additional restriction on the adversary, who is not allowed to make verification queries. For homomorphic signature schemes with public verification, the most general construction of Boneh and Freeman [BF11] only allows the evaluation of multivariate polynomials on signed data. Constructing homomorphic signature schemes for general functions remains an open problem.

Signatures of correct computation. Papamanthou, Shi and Tamassia considered a notion of functional signatures under the name "signatures of correct computation" in [PST13]. They give constructions for schemes that support operations over multivariate polynomials, such as polynomial evaluation and differentiation. Their constructions are secure in the random oracle model and allow efficient updates to the signing keys: the keys can be updated in time proportional to the number of updated coefficients. In contrast, our constructions support signing keys for general functions, assuming the existence of succinct non-interactive arguments of knowledge.

Independent work. Finally, as mentioned earlier, related notions to functional PRFs appear in the concurrent and independent works [BW13, KPTZ13]. Based on the Multilinear Decisional Diffie-Hellman assumption (a recently coined assumption related to the existence of secure multilinear maps), [BW13] show that PRFs with Selective Access can be constructed for all predicates describable as polynomial-sized circuits. We remark that this is not equivalent to functional PRFs for polynomial-sized circuits, which additionally capture NP relations (i.e., the predicate y ∈ Range(f) may not be efficiently testable directly).

Subsequent to our posting of an earlier manuscript of this work, [BF13] and [BMS13] have additionally posted similar results on functional signatures.

1.5 Overview of the paper

In Section 2, we describe several primitives which will be used in our constructions. In Section 3, we give a formal definition of functional signature schemes, and present three constructions satisfying the definition. In Section 4, we show how to construct delegation schemes and succinct non-interactive arguments (SNARGs) from functional signature schemes. In Section 5, we give a formal definition of functional pseudorandom functions and pseudorandom functions with selective access, and present a sample construction for the prefix-fixing function family.

2 Preliminaries

In this section we define several cryptographic primitives that are used in our constructions.

2.1 Signature Schemes

Definition 2.1. A signature scheme for a message space M is a tuple (Gen, Sign, Verify):

• Gen(1^k) → (sk, vk): the key generation algorithm is a probabilistic, polynomial-time algorithm which takes as input a security parameter 1^k, and outputs a signing and verification key pair (sk, vk).

• Sign(sk, m) → σ: the signing algorithm is a probabilistic polynomial-time algorithm which is given the signing key sk and a message m ∈ M and outputs a string σ which we call the signature of m.

• Verify(vk, m, σ) → {0, 1}: the verification algorithm is a polynomial-time algorithm which, given the verification key vk, a message m, and signature σ, returns 1 or 0 indicating whether the signature is valid.

A signature scheme should satisfy the following properties:

Correctness

$$\forall (sk, vk) \leftarrow \mathrm{Gen}(1^k),\ \forall m \in M,\ \forall \sigma \leftarrow \mathrm{Sign}(sk, m):\quad \mathrm{Verify}(vk, m, \sigma) \rightarrow 1$$

Unforgeability  under  chosen  message  attack 

A  signature  scheme  is  unforgeable  under  chosen  message  attack  if  the  winning  probability  of  any  probabilistic 
polynomial  time  adversary  in  the  following  game  is  negligible  in  the  security  parameter: 

•  The  challenger  samples  a  signing,  verification  key  pair  (sk,  vk)  4—  Gen(lfe)  and  gives  vk  to  the  adversary. 

•  The  adversary  requests  signatures  from  the  challenger  for  a  polynomial  number  of  messages.  In  round 
i,  the  adversary  chooses  to,  based  on  mi,  a i, . . .  TOj_i ,  cq_ i,  and  receives  cr*  4—  Sign(sk,  to*). 

•  The  adversary  outputs  a  signature  cr*  and  a  message  to*,  and  wins  if  Verify  (vk,  to*,  a*)  1  and  the 

adversary  has  not  previously  received  a  signature  of  ?n*  from  the  challenger. 

Lemma  2.2  ([Rom90]).  Under  the  assumption  that  one-way  functions  exist,  there  exists  a  signature  scheme 
which  is  secure  against  existential  forgery  under  adaptive  chosen  message  attacks  by  polynomial-time  algo¬ 
rithms. 

2.2 Non-Interactive Zero Knowledge

Definition 2.3 ([FLS90, BFM88, BSMP91]). $\Pi$ = (Gen, Prove, Verify, $\mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}})$) is an efficient adaptive NIZK argument system for a language L ∈ NP with witness relation $\mathcal{R}$ if Gen, Prove, Verify, $\mathcal{S}_{\mathrm{crs}}$, $\mathcal{S}_{\mathrm{Proof}}$ are all PPT algorithms, and there exists a negligible function $\mu$ such that for all k the following three requirements hold.

• Completeness: For all x, w such that $\mathcal{R}(x, w) = 1$, and for all strings crs ← Gen($1^k$),

$$\mathrm{Verify}(\mathrm{crs}, x, \mathrm{Prove}(x, w, \mathrm{crs})) \rightarrow 1.$$

• Adaptive Soundness: For all PPT adversaries A, if crs ← Gen($1^k$) is sampled uniformly at random, then the probability that A(crs) will output a pair $(x, \pi)$ such that $x \notin L$ and yet Verify(crs, x, $\pi$) → 1, is at most $\mu(k)$.

• Adaptive Zero-Knowledge: For all PPT adversaries A,

$$\left|\Pr[\mathrm{Exp}_A(k) \rightarrow 1] - \Pr[\mathrm{Exp}^{\mathcal{S}}_A(k) \rightarrow 1]\right| \le \mu(k),$$

where the experiment $\mathrm{Exp}_A(k)$ is defined by:

crs ← Gen($1^k$)

Return $A^{\mathrm{Prove}(\mathrm{crs}, \cdot, \cdot)}(\mathrm{crs})$

and the experiment $\mathrm{Exp}^{\mathcal{S}}_A(k)$ is defined by:

(crs, trap) ← $\mathcal{S}_{\mathrm{crs}}(1^k)$

Return $A^{S'(\mathrm{crs}, \mathrm{trap}, \cdot, \cdot)}(\mathrm{crs})$,

where $S'(\mathrm{crs}, \mathrm{trap}, x, w) = \mathcal{S}_{\mathrm{Proof}}(\mathrm{crs}, \mathrm{trap}, x)$.

We next define the notion of a NIZK argument of knowledge.

Definition 2.4. Let $\Pi$ = (Gen, Prove, Verify, $\mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}})$) be an efficient adaptive NIZK argument system for an NP language L ∈ NP with a corresponding NP relation $\mathcal{R}$. We say that $\Pi$ is an argument-of-knowledge if there exists a PPT algorithm $E = (E_1, E_2)$ such that for every adversary A,

$$\left|\Pr[A(\mathrm{crs}) \rightarrow 1 \mid \mathrm{crs} \leftarrow \mathrm{Gen}(1^k)] - \Pr[A(\mathrm{crs}) \rightarrow 1 \mid (\mathrm{crs}, \mathrm{trap}) \leftarrow E_1(1^k)]\right| = \mathrm{negl}(k).$$

For every PPT adversary A,

$$\Pr\big[A(\mathrm{crs}) \rightarrow (x, \pi)\ \text{and}\ E_2(\mathrm{crs}, \mathrm{trap}, x, \pi) \rightarrow w^*\ \text{s.t.}\ \mathrm{Verify}(\mathrm{crs}, x, \pi) \rightarrow 1\ \text{and}\ (x, w^*) \notin \mathcal{R}\big] = \mathrm{negl}(k),$$

where the probabilities are taken over (crs, trap) ← $E_1(1^k)$, and over the random coin tosses of the extractor algorithm $E_2$.

We note that we require the distributions over the honestly generated crs, and the crs generated by the extractor $E_1$ to be statistically close, whereas they are often required to be just computationally indistinguishable. However, if one is satisfied with computational zero knowledge (as is the case for us), this is actually without loss of generality. Namely, given any NIZKAoK $\Pi$ = (Gen, Prove, Verify, $\mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}})$, $E = (E_1, E_2)$) for which the CRS output by Gen($1^k$) and $E_1(1^k)$ are only computationally indistinguishable, we claim that the system $\Pi'$ formed by using $E_1$ also as the honest CRS generation algorithm (i.e., replacing Gen) is also a NIZKAoK, and satisfies our statistical indistinguishability requirement.

Claim 2.5. Suppose $\Pi$ as above is a NIZKAoK for which $\{\mathrm{crs} : \mathrm{crs} \leftarrow \mathrm{Gen}(1^k)\}$ and $\{\mathrm{crs} : (\mathrm{crs}, \mathrm{trap}) \leftarrow E_1(1^k)\}$ are only computationally indistinguishable. Then $\Pi' := (E_1, \mathrm{Prove}, \mathrm{Verify}, \mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}}), E = (E_1, E_2))$ is a NIZKAoK as in Definition 2.4.

Proof. Clearly extraction and adaptive soundness are maintained. Completeness must still hold for any statement/witness pairs (x, w) produced by an efficient adversary, due to the computational indistinguishability of CRSs generated by Gen and $E_1$; otherwise there exists an efficient distinguishing algorithm that generates honest proofs and tests whether they verify. Finally, adaptive zero knowledge must hold for the same simulator algorithms $\mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}})$. Indeed, for PPT adversary A, consider a third experiment $\widetilde{\mathrm{Exp}}_A(k)$ defined by generating (crs, trap) ← $E_1(1^k)$, and returning $A^{\mathrm{Prove}(\mathrm{crs}, \cdot, \cdot)}(\mathrm{crs})$. That is, $\widetilde{\mathrm{Exp}}_A(k)$ is identical to the real-world experiment $\mathrm{Exp}_A(k)$ except that the CRS is generated according to $E_1$ instead of Gen (and, in particular, corresponds to the real-world experiment for the modified scheme $\Pi'$). By the computational indistinguishability of CRSs generated by Gen and $E_1$, it holds that $\mathrm{Exp}_A(k)$ and $\widetilde{\mathrm{Exp}}_A(k)$ are computationally indistinguishable. But by the adaptive zero knowledge property of the original scheme $\Pi$, we have that $\mathrm{Exp}_A(k)$ is computationally indistinguishable from the simulated experiment $\mathrm{Exp}^{\mathcal{S}}_A(k)$. Thus, it must be that $\widetilde{\mathrm{Exp}}_A(k)$ is computationally indistinguishable from $\mathrm{Exp}^{\mathcal{S}}_A(k)$: that is, $\Pi'$ satisfies adaptive zero knowledge. □

Remark. There is a standard way to convert any NIZK argument system $\Pi$ to a NIZK argument-of-knowledge system $\Pi'$. The idea is to append to the crs a public key pk corresponding to any semantically secure encryption scheme. Thus, the common reference string corresponding to $\Pi'$ is of the form crs' = (crs, pk). In order to prove that x ∈ L using a witness w, choose randomness $r \leftarrow \{0, 1\}^{\mathrm{poly}(k)}$, compute $c \leftarrow \mathrm{Enc}_{\mathsf{pk}}(w, r)$ and compute a NIZK proof $\pi$, using the underlying NIZK argument system $\Pi$, that (pk, x, c) ∈ L', where

$$L' = \{(\mathsf{pk}, x, c) : \exists (w, r)\ \text{s.t.}\ (x, w) \in \mathcal{R}\ \text{and}\ c \leftarrow \mathrm{Enc}_{\mathsf{pk}}(w, r)\}.$$

Let $\pi' = (\pi, c)$ be the proof.

The common reference string simulator $E_1$ will generate a simulated crs' by generating (crs, trap) using the underlying simulator $\mathcal{S}_{\mathrm{crs}}$, and by generating a public key pk along with a corresponding secret key sk. Thus, trap' = (trap, sk). The extractor algorithm $E_2$ will extract a witness for x from a proof $\pi' = (\pi, c)$ by using sk to decrypt the ciphertext c.

We note that the distribution over the honestly generated crs, and the crs generated by $E_1$ are statistically close, as required in our definition above.

Lemma 2.6 ([FLS90]). Assuming the existence of enhanced trapdoor permutations, there exists an efficient adaptive NIZK argument of knowledge for all languages in NP.

2.3 Succinct Non-Interactive Arguments (SNARGs)

Definition 2.7. $\Pi$ = (Gen, Prove, Verify) is a succinct non-interactive argument for a language L ∈ NP with witness relation $\mathcal{R}$ if it satisfies the following properties:

• Completeness: For all x, w such that $\mathcal{R}(x, w) = 1$, and for all strings crs ← Gen($1^k$),

$$\mathrm{Verify}(\mathrm{crs}, x, \mathrm{Prove}(x, w, \mathrm{crs})) = 1.$$

• Adaptive Soundness: There exists a negligible function $\mu(k)$, such that, for all PPT adversaries A, if crs ← Gen($1^k$) is sampled uniformly at random, then the probability that A(crs) will output a pair $(x, \pi)$ such that $x \notin L$ and yet Verify(crs, x, $\pi$) = 1, is at most $\mu(k)$.

• Succinctness: There exists a universal polynomial $p(\cdot)$ that does not depend on the relation $\mathcal{R}$, such that

$$\forall x, w\ \text{s.t.}\ \mathcal{R}(x, w) = 1,\ \mathrm{crs} \leftarrow \mathrm{Gen}(1^k),\ \pi \leftarrow \mathrm{Prove}(x, w, \mathrm{crs}):\quad |\pi| \le p(k + \log R),$$

where R denotes the runtime of the relation associated with language L. We note that the definition of succinctness considered in the lower bound of [GW11] is weaker, in that they require the proof size to only be bounded by $r(k) \cdot (|x| + |w|)^{o(1)}$, for some polynomial $r(\cdot)$.

Definition 2.8. A SNARG $\Pi$ = (Gen, Prove, Verify) is a succinct non-interactive argument of knowledge (SNARK) for a language L ∈ NP with witness relation $\mathcal{R}$ if there exists a negligible function $\mu(\cdot)$ such that, for all PPT provers $P^*$, there exists a PPT algorithm $E_{P^*} = (E^1_{P^*}, E^2_{P^*})$ such that for every adversary A,

$$\left|\Pr[A(\mathrm{crs}) \rightarrow 1 \mid \mathrm{crs} \leftarrow \mathrm{Gen}(1^k)] - \Pr[A(\mathrm{crs}) \rightarrow 1 \mid (\mathrm{crs}, \mathrm{trap}) \leftarrow E^1_{P^*}(1^k)]\right| = \mu(k),$$

and,

$$\Pr\big[P^*(\mathrm{crs}) \rightarrow (x, \pi)\ \text{and}\ E^2_{P^*}(\mathrm{crs}, \mathrm{trap}, x, \pi) \rightarrow w^*\ \text{s.t.}\ \mathrm{Verify}(\mathrm{crs}, x, \pi) \rightarrow 1\ \text{and}\ (x, w^*) \notin \mathcal{R}\big] = \mu(k),$$

where the probabilities are taken over (crs, trap) ← $E^1_{P^*}(1^k)$, and over the random coin tosses of the extractor algorithm $E^2_{P^*}$.

Remark. As in the NIZK definition, we require the distributions over the honestly generated crs, and the crs generated by the extractor $E^1_{P^*}$ to be statistically close. We note that the SNARK construction in [BCCT13] satisfies a stronger definition, where the extraction process has to work for an honestly generated crs, without having access to a trapdoor.

Definition 2.9. A SNARK $\Pi$ = (Gen, Prove, Verify, E) is a zero-knowledge SNARK for a language L ∈ NP with witness relation $\mathcal{R}$ if there exist PPT algorithms $\mathcal{S} = (\mathcal{S}_{\mathrm{crs}}, \mathcal{S}_{\mathrm{Proof}})$ satisfying the following property:

Adaptive Zero-Knowledge: For all PPT adversaries A,

$$\left|\Pr[\mathrm{Exp}_A(k) \rightarrow 1] - \Pr[\mathrm{Exp}^{\mathcal{S}}_A(k) \rightarrow 1]\right| \le \mu(k),$$

where the experiment $\mathrm{Exp}_A(k)$ is defined by:

crs ← Gen($1^k$)

Return $A^{\mathrm{Prove}(\mathrm{crs}, \cdot, \cdot)}(\mathrm{crs})$

and the experiment $\mathrm{Exp}^{\mathcal{S}}_A(k)$ is defined by:

(crs, trap) ← $\mathcal{S}_{\mathrm{crs}}(1^k)$

Return $A^{S'(\mathrm{crs}, \mathrm{trap}, \cdot, \cdot)}(\mathrm{crs})$,

where $S'(\mathrm{crs}, \mathrm{trap}, x, w) = \mathcal{S}_{\mathrm{Proof}}(\mathrm{crs}, \mathrm{trap}, x)$.

There are several constructions of SNARKs known, all based on non-falsifiable assumptions. A falsifiable assumption is an assumption that can be modeled as a game between an efficient challenger and an adversary. Most standard cryptographic assumptions are falsifiable. This includes both general assumptions like the existence of OWFs and trapdoor predicates, and specific assumptions (discrete logarithm, RSA, LWE, hardness of factoring).

Lemma 2.10 ([BCCT13]). A SNARK system for any language L ∈ NP can be constructed assuming the existence of collision-resistant hash functions and knowledge of exponent assumptions.

Lemma 2.11 ([BCCT12]). If there exist SNARKs and NIZKAoK for NP, then there exist zero-knowledge SNARKs for all languages in NP.

In [GW11] Gentry and Wichs show that no construction of SNARGs, with proof size bounded by $r(k) \cdot (|x| + |w|)^{o(1)}$, for some polynomial $r(\cdot)$, can be proved secure under a black-box reduction to a falsifiable assumption. A black-box reduction is one that only uses oracle access to an attacker, and does not use that adversary's code in any other way. The definition of succinctness in [GW11] is a relaxation of the one in Definition 2.8, which makes their lower bound result stronger.

2.4 Delegation Schemes

A delegation scheme allows a client to outsource the evaluation of a function F to a server, while allowing the client to verify the correctness of the computation. The verification process should be more efficient than computing the function. We formalize these requirements below, following the definition introduced by Gennaro et al. in [GGP10].

Definition 2.12 ([GGP10]). A delegation scheme for a function F consists of a tuple of algorithms (KeyGen, Encode, Compute, Verify):

• KeyGen($1^k$, F) → (enc, evk, vk): The key generation algorithm takes as input a security parameter k and a function F, and outputs a key enc that is used to encode the input, an evaluation key evk that is used for the evaluation of the function F, and a verification key vk that is used to verify that the output was computed correctly.

• Encode(enc, x) → $\sigma_x$: The encoding algorithm uses the encoding key enc to encode the function input x as a public value $\sigma_x$, which is given to the server to compute with.

• Compute(evk, $\sigma_x$) → (y, $\pi_y$): Using the public evaluation key evk and the encoded input $\sigma_x$, the server computes the function output y = F(x), and a proof $\pi_y$ that y is the correct output.

• Verify(vk, x, y, $\pi_y$) → {0, 1}: The verification algorithm checks the proof $\pi_y$ and outputs 1 (indicating that the proof is correct), or 0 otherwise.

We require a delegation scheme to satisfy the following requirements:

Correctness

For all vk, x, y, $\pi_y$ such that (enc, evk, vk) ← KeyGen($1^k$, F), $\sigma_x$ ← Encode(enc, x), (y, $\pi_y$) ← Compute(evk, $\sigma_x$),

$$\mathrm{Verify}(\mathsf{vk}, x, y, \pi_y) \rightarrow 1.$$

Authentication

For all PPT adversaries, the probability that the adversary is successful in the following game is negligible:

• The challenger runs KeyGen($1^k$, F) → (enc, evk, vk), and gives (evk, vk) to the adversary.

• The adversary gets access to an encoding oracle, $\mathcal{O}_{\mathrm{enc}}(\cdot) = \mathrm{Encode}(\mathsf{enc}, \cdot)$.

• The adversary is successful if it can produce a tuple (x, y, $\pi_y$) such that y ≠ F(x) and Verify(vk, x, y, $\pi_y$) → 1.

Efficient verification

Let T(n) be the running time of the verification algorithm on inputs of size n. Let $T_F(n)$ be the running time of F on inputs of size n. We require the worst-case running time of the verification algorithm to be sublinear in the worst-case running time of F,

$$T(n) \in o(T_F(n)).$$

2.5 Pseudorandom Generators and Functions

Definition 2.13. A pseudorandom generator (PRG) is a length expanding function $\mathrm{prg} : \{0, 1\}^k \rightarrow \{0, 1\}^n$ (for n > k) such that $\mathrm{prg}(U_k)$ and $U_n$ are computationally indistinguishable, where $U_k$ is a uniformly distributed k-bit string and $U_n$ is a uniformly distributed n-bit string.

Definition 2.14 ([GGM86]). A family of functions $\mathcal{F} = \{F_s\}_{s \in S}$, indexed by a set S, and where $F_s : D \rightarrow R$ for all s, is a pseudorandom function (PRF) family if for a randomly chosen s, and all PPT A, the distinguishing advantage

$$\Big|\Pr_{s \leftarrow S}[A^{F_s(\cdot)} = 1] - \Pr_{F \leftarrow (D \rightarrow R)}[A^{F(\cdot)} = 1]\Big|$$

is negligible, where (D → R) denotes the set of all functions from D to R.

3 Functional Signatures: Definition and Constructions

3.1 Formal Definition

We now give a formal definition of a functional signature scheme, and explain in more detail the unforgeability and function privacy properties a functional signature scheme should satisfy.

Definition 3.1. A functional signature scheme for a message space $\mathcal{M}$, and function family $\mathcal{F} = \{f : \mathcal{D}_f \rightarrow \mathcal{M}\}$ consists of algorithms (FS.Setup, FS.KeyGen, FS.Sign, FS.Verify):

• FS.Setup($1^k$) → (msk, mvk): the setup algorithm takes as input the security parameter and outputs the master signing key and master verification key.

• FS.KeyGen(msk, f) → $\mathsf{sk}_f$: the key generation algorithm takes as input the master signing key and a function f ∈ $\mathcal{F}$ (represented as a circuit), and outputs a signing key for f.

• FS.Sign(f, $\mathsf{sk}_f$, m) → (f(m), $\sigma$): the signing algorithm takes as input the signing key for a function f ∈ $\mathcal{F}$ and an input m ∈ $\mathcal{D}_f$, and outputs f(m) and a signature of f(m).

• FS.Verify(mvk, $m^*$, $\sigma$) → {0, 1}: the verification algorithm takes as input the master verification key mvk, a message $m^*$ and a signature $\sigma$, and outputs 1 if the signature is valid.

We require the following conditions to hold:

Correctness:

$$\forall f \in \mathcal{F},\ \forall m \in \mathcal{D}_f,\ (\mathsf{msk}, \mathsf{mvk}) \leftarrow \mathrm{FS.Setup}(1^k),\ \mathsf{sk}_f \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f),\ (m^*, \sigma) \leftarrow \mathrm{FS.Sign}(f, \mathsf{sk}_f, m):\quad \mathrm{FS.Verify}(\mathsf{mvk}, m^*, \sigma) = 1.$$

Unforgeability:

The scheme is unforgeable if the advantage of any PPT algorithm A in the following game is negligible:

• The challenger generates (msk, mvk) ← FS.Setup($1^k$), and gives mvk to A.

• The adversary is allowed to query a key generation oracle $\mathcal{O}_{\mathrm{key}}$, and a signing oracle $\mathcal{O}_{\mathrm{sign}}$, that share a dictionary indexed by tuples (f, i) ∈ $\mathcal{F} \times \mathbb{N}$, whose entries are signing keys: $\mathsf{sk}_f \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f)$. This dictionary keeps track of the keys that have been previously generated during the unforgeability game. The oracles are defined as follows:

- $\mathcal{O}_{\mathrm{key}}(f, i)$:

* if there exists an entry for the key (f, i) in the dictionary, then output the corresponding value,

* otherwise, sample a fresh key $\mathsf{sk}_f \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f)$, add an entry (f, i) → $\mathsf{sk}_f$ to the dictionary, and output $\mathsf{sk}_f$.

- $\mathcal{O}_{\mathrm{sign}}(f, i, m)$:

* if there exists an entry for the key (f, i) in the dictionary, then generate a signature on f(m) using this key: $\sigma \leftarrow \mathrm{FS.Sign}(f, \mathsf{sk}_f, m)$.

* otherwise, sample a fresh key $\mathsf{sk}_f \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f)$, add an entry (f, i) → $\mathsf{sk}_f$ to the dictionary, and generate a signature on f(m) using this key: $\sigma \leftarrow \mathrm{FS.Sign}(f, \mathsf{sk}_f, m)$.

• The adversary wins if it can produce ($m^*$, $\sigma$) such that

- FS.Verify(mvk, $m^*$, $\sigma$) = 1.

- there does not exist m such that $m^* = f(m)$ for any f which was sent as a query to the $\mathcal{O}_{\mathrm{key}}$ oracle.

- there does not exist a (f, m) pair such that (f, m) was a query to the $\mathcal{O}_{\mathrm{sign}}$ oracle and $m^* = f(m)$.

Function privacy:

Intuitively, we require the distribution of signatures on a message m' generated via different keys $\mathsf{sk}_f$ to be computationally indistinguishable, even given the secret keys and master signing key. Namely, the advantage of any PPT adversary in the following game is negligible:

• The challenger honestly generates a key pair (mvk, msk) ← FS.Setup($1^k$) and gives both values to the adversary. (Note wlog this includes the randomness used in generation).

• The adversary chooses a function $f_0$ and receives an (honestly generated) secret key $\mathsf{sk}_{f_0} \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f_0)$.

• The adversary chooses a second function $f_1$ for which $|f_0| = |f_1|$ (where padding can be used if there is a known upper bound) and receives an (honestly generated) secret key $\mathsf{sk}_{f_1} \leftarrow \mathrm{FS.KeyGen}(\mathsf{msk}, f_1)$.

• The adversary chooses a pair of values $m_0, m_1$ for which $|m_0| = |m_1|$ and $f_0(m_0) = f_1(m_1)$.

• The challenger selects a random bit b ← {0, 1} and generates a signature on the image message $m' = f_0(m_0) = f_1(m_1)$ using secret key $\mathsf{sk}_{f_b}$, and gives the resulting signature $\sigma \leftarrow \mathrm{FS.Sign}(f_b, \mathsf{sk}_{f_b}, m_b)$ to the adversary.

• The adversary outputs a bit b', and wins the game if b' = b.

Succinctness:

There exists a polynomial $s(\cdot)$ such that for every k ∈ ℕ, f ∈ $\mathcal{F}$, m ∈ $\mathcal{D}_f$, it holds with probability 1 over (msk, mvk) ← FS.Setup($1^k$); $\mathsf{sk}_f$ ← FS.KeyGen(msk, f); (f(m), $\sigma$) ← FS.Sign(f, $\mathsf{sk}_f$, m) that the resulting signature on f(m) has size $|\sigma| \le s(k, |f(m)|)$. In particular, the signature size is independent of the size |m| of the input to the function, and of the size |f| of a description of the function f.

3.2 Construction

In this section, we present a construction of a (succinct) functional signature scheme, based on succinct non-interactive arguments of knowledge (SNARKs).

Theorem 3.2. Assuming the existence of SNARKs for NP, there exists a succinct, function-private functional signature scheme for the class of polynomial-size circuits.

We achieve this via two steps. We first give a construction of a weaker functional signature scheme, achieving correctness and unforgeability but not succinctness or function privacy, based on one-way functions. We then show how to use any weak functional signature scheme (satisfying correctness and unforgeability), together with a SNARK system, to obtain a functional signature scheme that is additionally succinct and function-private. In a third construction, we demonstrate that if one does not require the signatures to be succinct (but still demands function privacy), this transformation can be achieved based on non-interactive zero-knowledge arguments of knowledge (NIZKAoKs).

We present these three constructions in the following three subsections.

3.2.1 OWF-based construction

In this section we give a construction of a functional signature scheme from any standard signature scheme (i.e., existentially unforgeable under chosen-message attack). Our constructed functional signature scheme satisfies the unforgeability property given in Definition 3.1, but not function privacy or succinctness. Since standard signature schemes can be based on one-way functions (OWF) [Rom90], this shows that we can also construct functional signature schemes under the assumption that OWFs exist.

The main ideas of the construction are as follows. The master signing and verification keys (msk, mvk) will simply be a standard key pair for the underlying signature scheme. As part of the signing key for a function f, the signer receives a fresh key pair (sk, vk) for the underlying signature scheme, together with a signature (with respect to mvk) on the function f together with vk. We can think of this signature as a certificate authenticating that the owner of key vk has received permission to sign messages in the range of f. We describe the construction below.

Let Sig = (Sig.Setup, Sig.Sign, Sig.Verify) be a signature scheme that is existentially unforgeable under chosen message attack. We construct a functional signature scheme FS1 = (FS1.Setup, FS1.KeyGen, FS1.Sign, FS1.Verify) as follows:

• FS1.Setup($1^k$):

- Sample a signing and verification key pair for the standard signature scheme (msk, mvk) ← Sig.Setup($1^k$), and set the master signing key to be msk, and the master verification key to be mvk.

• FS1.KeyGen(msk, f):

- choose a new signing and verification key pair for the underlying signature scheme: (sk, vk) ← Sig.Setup($1^k$).

- compute $\sigma_{\mathsf{vk}} \leftarrow \mathrm{Sig.Sign}(\mathsf{msk}, f|\mathsf{vk})$, a signature of f concatenated with the new verification key vk.

- create the certificate c = (f, vk, $\sigma_{\mathsf{vk}}$).

- output $\mathsf{sk}_f$ = (sk, c).

• FS1.Sign(f, $\mathsf{sk}_f$, m):

- parse $\mathsf{sk}_f$ as (sk, c), where sk is a signing key for the underlying signature scheme, and c is a certificate as described in the KeyGen algorithm.

- sign m using sk: $\sigma_m \leftarrow \mathrm{Sig.Sign}(\mathsf{sk}, m)$.

- output (f(m), $\sigma$), where $\sigma = (m, c, \sigma_m)$.

• FS1.Verify(mvk, $m^*$, $\sigma$):

- parse $\sigma = (m, c = (f, \mathsf{vk}, \sigma_{\mathsf{vk}}), \sigma_m)$ and check that:

1. $m^* = f(m)$.

2. Sig.Verify(vk, m, $\sigma_m$) → 1: $\sigma_m$ is a valid signature of m under the verification key vk.

3. Sig.Verify(mvk, f|vk, $\sigma_{\mathsf{vk}}$) = 1: $\sigma_{\mathsf{vk}}$ is a valid signature of f|vk under the verification key mvk.
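The construction FS1 above, instantiating the four algorithms of Definition 3.1, written out as an added Go example; this is not code from the paper or its authors. It assumes Ed25519 from Go's standard library as the underlying signature scheme Sig (EUF-CMA, as the construction requires), and models the function family $\mathcal{F}$ as a small registry of named functions, where the registry name stands in for the circuit description f that is signed alongside vk. The registry, the type and function names, the `f|vk` encoding and the sample message are all constructed here. FS1Verify applies the three checks of FS1.Verify in the order given above; Demo shows an honest signature verifying and the same signature presented with a different $m^*$ failing check 1.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// The function family F as a registry of named functions; the name stands in
// for the circuit description f that gets certified (constructed simplification).
var functionFamily = map[string]func([]byte) []byte{
	"upper": bytes.ToUpper,
}

// Certificate is c = (f, vk, sigma_vk): mvk's signature over f|vk authorises
// the holder of vk's secret key to sign messages in the range of f.
type Certificate struct {
	F       string
	VK      ed25519.PublicKey
	SigmaVK []byte
}

// FunctionalKey is sk_f = (sk, c).
type FunctionalKey struct {
	SK   ed25519.PrivateKey
	Cert Certificate
}

// FunctionalSig is sigma = (m, c, sigma_m); m and f are in the clear (no function privacy).
type FunctionalSig struct {
	M      []byte
	Cert   Certificate
	SigmaM []byte
}

// encodeFVK is f|vk as signed under mvk; the length prefix keeps the field boundary unambiguous.
func encodeFVK(f string, vk ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("%d:%s|", len(f), f)), vk...)
}

// FS1Setup: the master keys are an ordinary key pair of the underlying scheme.
func FS1Setup() (msk ed25519.PrivateKey, mvk ed25519.PublicKey, err error) {
	mvk, msk, err = ed25519.GenerateKey(rand.Reader)
	return msk, mvk, err
}

// FS1KeyGen: fresh (sk, vk), then certify f|vk under msk.
func FS1KeyGen(msk ed25519.PrivateKey, f string) (FunctionalKey, error) {
	if _, ok := functionFamily[f]; !ok {
		return FunctionalKey{}, fmt.Errorf("%q is not in the function family", f)
	}
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return FunctionalKey{}, err
	}
	cert := Certificate{F: f, VK: vk, SigmaVK: ed25519.Sign(msk, encodeFVK(f, vk))}
	return FunctionalKey{SK: sk, Cert: cert}, nil
}

// FS1Sign signs the preimage m under the per-function key; outputs (f(m), sigma).
func FS1Sign(skf FunctionalKey, m []byte) ([]byte, FunctionalSig) {
	fm := functionFamily[skf.Cert.F](m)
	return fm, FunctionalSig{M: m, Cert: skf.Cert, SigmaM: ed25519.Sign(skf.SK, m)}
}

// FS1Verify performs the construction's three checks in order.
func FS1Verify(mvk ed25519.PublicKey, mStar []byte, sig FunctionalSig) bool {
	f, ok := functionFamily[sig.Cert.F]
	if !ok || !bytes.Equal(mStar, f(sig.M)) { // 1. m* = f(m)
		return false
	}
	if !ed25519.Verify(sig.Cert.VK, sig.M, sig.SigmaM) { // 2. sigma_m under vk
		return false
	}
	// 3. sigma_vk is a valid signature of f|vk under mvk
	return ed25519.Verify(mvk, encodeFVK(sig.Cert.F, sig.Cert.VK), sig.Cert.SigmaVK)
}

// Demo runs FS1 end to end: an honest signature verifies, while the same
// signature presented with a tampered m* fails check 1.
func Demo() (honest, tampered bool, err error) {
	msk, mvk, err := FS1Setup()
	if err != nil {
		return
	}
	skf, err := FS1KeyGen(msk, "upper")
	if err != nil {
		return
	}
	m := []byte("build 1.2 approved") // constructed sample input
	mStar, sig := FS1Sign(skf, m)
	honest = FS1Verify(mvk, mStar, sig)
	tampered = FS1Verify(mvk, []byte("BUILD 1.3 APPROVED"), sig)
	return
}

func main() {
	fmt.Println(Demo()) // true false <nil>
}
```

Two points the code makes visible that the description leaves implicit. The verifier must be able to evaluate f itself, which is why f (here its name) travels inside the certificate; and the signature carries m, f and vk in the clear, so its size grows with |m| and |f| and it reveals which function was used, which is exactly why FS1 is unforgeable but neither succinct nor function-private, as stated above.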

Theorem 3.3. If the signature scheme Sig is existentially unforgeable under chosen message attack, FS1 as specified above satisfies the unforgeability requirement for functional signatures.

Proof. Fix a PPT adversary $A_{\mathrm{FS}}$, and let Q(k) be a polynomial upper bound on the number of queries made by $A_{\mathrm{FS}}$ to the oracles $\mathcal{O}_{\mathrm{key}}$ and $\mathcal{O}_{\mathrm{sign}}$. We will use $A_{\mathrm{FS}}$ to construct an adversary $A_{\mathrm{Sig}}$ such that, if $A_{\mathrm{FS}}$ wins in the unforgeability game for functional signatures with non-negligible probability, then $A_{\mathrm{Sig}}$ breaks the underlying signature scheme, which is assumed to be secure against chosen message attack.

For $A_{\mathrm{FS}}$ to win the functional signature unforgeability game, it must produce a message signature pair ($m^*$, $\sigma$), where $\sigma = (m, (f, \mathsf{vk}, \sigma_{\mathsf{vk}}), \sigma_m)$ such that:

• $\sigma_m$ is a valid signature of m under the verification key vk.

• $\sigma_{\mathsf{vk}}$ is a valid signature of f|vk under mvk.

• f(m) = $m^*$.

• $A_{\mathrm{FS}}$ has not sent a query of the form $\mathcal{O}_{\mathrm{key}}(f, \cdot)$ to the signing key generation oracle for any f that has $m^*$ in its range.

• $A_{\mathrm{FS}}$ hasn't sent a query of the form $\mathcal{O}_{\mathrm{sign}}(f, i, m)$ to the signing oracle for any f, m such that f(m) = $m^*$.

There are two cases for such a forgery ($m^*$, $\sigma$), where $\sigma = (m, (f, \mathsf{vk}, \sigma_{\mathsf{vk}}), \sigma_m)$:

• Type I forgery: The values (f, vk) are such that the concatenated pair f|vk has not already been signed under mvk during any point of the signing and key oracle queries during the security game.

• Type II forgery: The values (f, vk) are such that the concatenated pair f|vk has been signed under mvk during the course of $A_{\mathrm{FS}}$'s oracle queries.

Here we refer to all mvk signatures generated by the oracles $\mathcal{O}_{\mathrm{sign}}$, $\mathcal{O}_{\mathrm{key}}$ as intermediate steps in order to answer $A_{\mathrm{FS}}$'s respective queries.

We now describe the constructed signature adversary, $A_{\mathrm{Sig}}$. In the security game for the standard (existentially unforgeable under chosen message attack) signature scheme, $A_{\mathrm{Sig}}$ is given the verification key $\mathsf{vk}_{\mathrm{Sig}}$,
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and  access  to  a  signing  oracle  0Regsig.  He  is  considered  to  be  successful  in  producing  a  forgery  if  he  outputs 
a  valid  signature  for  a  message  that  was  not  queried  from  0Regsig. 

As;g  interacts  with  Ars,  playing  the  role  of  the  challenger  in  the  security  game  for  the  functional  signature 
scheme.  This  means  that  Asjg  must  simulate  the  0key  and  05ign  oracles.  Ars  flips  a  coin  b ,  indicating  his 
guess  for  the  type  of  forgery  Ars  will  produce,  and  places  his  challenge  accordingly. 

Case  1:  b  =  1:  Asig  guesses  that  Ars  will  produce  a  Type  I  forgery: 

First  Asjg  forwards  his  challenge  verification  key  vksjg  to  Ar$  as  the  master  verification  key  in  the  functional 
signature  security  game. 

To  simulate  the  0key,  and  05ign  oracles,  Asig  maintains  a  dictionary  indexed  by  tuples  (/,  i),  whose  entries 
are  signing  keys  for  the  functional  signature  scheme  that  have  already  been  generated.  Asig  answers  the 
queries  issued  by  Ars  as  follows: 

•  Qkey(fii)  ■ 

—  if  there  exists  an  entry  for  the  key  (/,  i)  in  the  dictionary,  then  output  the  corresponding  value, 
sk}. 

—  otherwise,  Asig  generates  a  new  key  pair  for  the  underlying  signature  scheme,  (sk,  vk)  4—  Sig.Setup(lfc), 
obtains  avk  4—  ORegsig(/|vk)  from  its  own  signing  oracle  (in  the  standard  signature  challenge),  and 
returns  skf  =  (sk,  avk)  to  Ars-  It  also  sets  entry  (/,?')  in  its  dictionary  to  skf. 

•  Osign 

—  if  there  exists  an  entry  for  the  key  (/,  z)  in  the  dictionary,  sk)-  =  ( sk,avk )•  It  then  generates  a 
signature  using  sk):  that  is,  generate  a  signature  am  4—  Sig.Sign(sk, m),  and  output  (/(m),cr), 
where  a  =  (to,  c  =  (/,  vk,  cr„fe),  <rm). 

—  otherwise,  Asjg  generates  a  new  key  pair  for  the  regular  signature  scheme,  (sk,  vk)  4—  Sig.Setup(lfe), 
obtains  avk  4—  ORegsig(/|vk)  from  its  signing  oracle,  and  sets  entry  (/,  i)  in  its  dictionary  to  skf  = 
(sk,  <ivk)-  It  then  generates  am  4—  Sig.Sign (sk,  to),  and  outputs  (/(to),ct),  where  a  =  ( to,  c  = 

Eventually,  Aps  outputs  a  signature  {in* ,  a),  where  a  =  (to,  (/,  vk,  avk),  crm).  ASig  outputs  (/ 1  vk,  avk)  as 
its  message-forgery  pair  in  the  security  game  for  the  standard  signature  scheme. 

Case  2:  b  =  0:  As;g  guesses  that  Ars  will  produce  a  Type  II  forgery: 

Asig  generates  a  new  key  pair  (msk,  mvk)  4—  Sig.Setup(lfc)  himself,  and  forwards  mvk  to  Ars-  He  also  guesses 
a  random  index  q  between  1  and  Q{k ),  denoting  which  of  Ars’s  signing  queries  he  will  embed  his  challenge 
verification  key  in.  He  keeps  track  of  the  number  of  keys  generated  so  far  in  a  variable  NUMKEYS,  which 
is  initialized  to  0.  As  before,  Asig  maintains  a  dictionary  indexed  by  tuples  (/,*),  whose  entries  are  signing 
keys  for  the  functional  signature  scheme  that  have  already  been  generated.  Asig  answers  the  queries  issued 
by  Ars  as  follows: 

• O_key(f, i):

— if there exists an entry for the key (f, i) in the dictionary, with value CHALLENGE, abort.

— if there exists an entry for the key (f, i) in the dictionary and its value is not CHALLENGE, then output the corresponding value, sk_f.

— otherwise, A_Sig generates a new key pair for the regular signature scheme, (sk, vk) ← Sig.Setup(1^k), generates σ_vk ← Sig.Sign(msk, f|vk) himself, and returns sk_f = (sk, σ_vk) to A_FS. It also sets entry (f, i) in its dictionary to sk_f.

• O_sign(f, i, m):

— if there exists an entry for the key (f, i) in the dictionary, sk_f = (sk, σ_vk), generate σ_m ← Sig.Sign(sk, m), and output (f(m), σ), where σ = (m, c = (f, vk, σ_vk), σ_m).

— if there is no (f, i) entry in the dictionary, and NUMKEYS ≠ q, A_Sig generates a new key pair for the regular signature scheme, (sk, vk) ← Sig.Setup(1^k), signs f|vk himself with respect to msk: σ_vk ← Sig.Sign(msk, f|vk), and sets entry (f, i) in its dictionary to sk_f = (sk, σ_vk). It then generates a signature on m with respect to the new key sk: σ_m ← Sig.Sign(sk, m), and outputs (f(m), σ), where σ = (m, c = (f, vk, σ_vk), σ_m). NUMKEYS is then incremented.

— if there is no (f, i) entry in the dictionary and NUMKEYS = q, or if the (f, i) entry in the dictionary is set to CHALLENGE, then A_Sig queries its oracle for a signature of m under vk_Sig, σ_m ← O_RegSig(m), computes σ_vk ← Sig.Sign(msk, f|vk_Sig), and outputs (f(m), σ), where σ = (m, c = (f, vk_Sig, σ_vk), σ_m). If there is no (f, i) entry in the dictionary, A_Sig sets it to CHALLENGE. NUMKEYS is then incremented.

If A_Sig does not abort, A_FS will eventually output a signature (m*, σ), where σ = (m, (f, vk, σ_vk), σ_m). A_Sig outputs (m, σ_m) as its forgery in the security game for the standard signature scheme with respect to vk_Sig.

We will now argue that if A_FS forges in the functional signature scheme with non-negligible probability, then A_Sig wins the unforgeability game for the standard signature scheme with non-negligible probability.

First note that as long as A_Sig does not abort (i.e., the bad situation is not encountered where the adversary requests the secret key corresponding to the embedded vk_Sig challenge), then his answers to A_FS's keygen and signing queries are simulated perfectly as in the real world. Further, as long as there is not an abort, the view of A_FS is independent of A_Sig's choice of b and q, as they only determine which verification key is the challenge verification key vk_Sig.

Now, if A_FS produces a Type I forgery, then by definition this forgery must include a signature on a new message f|vk that was not ever signed under the master verification key mvk during the course of any oracle query response. Thus, if A_FS makes a Type I forgery and A_Sig guessed b = 1 (embedding his challenge signature key in the position of the mvk), then A_FS's forgery includes a signature on a new message f|vk that A_Sig did not query to his signature oracle, constituting a forgery in the unforgeability game for the standard signature scheme.

If A_FS produces a Type II forgery, then the corresponding f|vk was already signed under the master verification key mvk during the course of one of the oracle queries. This cannot have occurred during an O_key query, as it would mean that A_FS queried O_key on the function f, and producing a signature with respect to this f is not a valid forgery in the functional signature scheme. It must then have been signed during an O_sign query. Namely, the verification key vk must have been freshly generated during a query of the form O_sign(f, i, m) for which no entry under index (f, i) previously existed, and then the pair f|vk was signed.

Note that if A_FS produces a Type II forgery and A_Sig guessed b = 0 and the correct q to embed his challenge, and A_Sig does not abort, the forgery produced by A_FS must include a signature of a new message m̃ with respect to vk_Sig, for an m̃ that A_Sig hasn't queried from his signing oracle, and therefore A_Sig can use this forgery as its own forged signature in the unforgeability game for the standard signature scheme.

We note that, if A_Sig does abort, it must be that he embedded his challenge in a query q of the form O_sign(f, i, m), and later A_FS issued a key generation query O_key(f, i). But this query can't be the signing query q* for which the adversary receives a signature of f|vk under mvk, and later outputs a signature of f(m') for another m'. Since the adversary has queried O_key(f, i), no message in the range of f would be considered a forgery in the functional signature game. We can conclude that, if A_Sig aborts, he didn't guess q* correctly, so we don't need to consider this case separately.

Denoting by b, q the guesses of A_Sig, the success probability of A_Sig is therefore:

$$
\begin{aligned}
\Pr[A_{Sig} \text{ forges in signature challenge}]
&\ge \Pr[\, b = 1 \wedge A_{FS} \text{ outputs Type I forgery} \,] \\
&\quad + \sum_{q^* \in [Q(k)]} \Pr[\, b = 0 \wedge q = q^* \wedge A_{Sig} \text{ does not abort} \wedge A_{FS} \text{ outputs Type II forgery wrt } vk_{q^*} \,] \\
&= \Pr[\, b = 1 \wedge A_{FS} \text{ outputs Type I forgery} \,] + \sum_{q^* \in [Q(k)]} \Pr[\, b = 0 \wedge q = q^* \wedge A_{FS} \text{ outputs Type II forgery on } vk_{q^*} \,] \\
&\ge \tfrac{1}{2} \Pr[A_{FS} \text{ outputs Type I forgery}] + \tfrac{1}{2Q(k)} \sum_{q^* \in [Q(k)]} \Pr[A_{FS} \text{ outputs Type II forgery on } vk_{q^*}] \\
&\ge \tfrac{1}{2Q(k)} \Big( \Pr[A_{FS} \text{ outputs Type I forgery}] + \sum_{q^* \in [Q(k)]} \Pr[A_{FS} \text{ outputs Type II forgery on } vk_{q^*}] \Big) \\
&\ge \tfrac{1}{2Q(k)} \Pr[A_{FS} \text{ forges}].
\end{aligned}
$$


Thus, if A_FS produces a forgery in the functional signature scheme with non-negligible probability 1/P(k), then A_Sig successfully forges in the underlying signature scheme with non-negligible probability 1/(2P(k)Q(k)). But this cannot be the case, since we've assumed that Sig is existentially unforgeable against chosen-message attack. We conclude that FS1 satisfies the unforgeability requirement for functional signatures.

□ 


While this construction is secure under a very general assumption (the existence of one-way functions), it does not provide function privacy guarantees (indeed, the signature contains a description of the relevant preimage and function), and its efficiency can be greatly improved. The size of a signature generated with key sk_f (σ ← FS.Sign(sk_f, m)) in this scheme is proportional to |f| + |m| plus the size of a signature of the standard signature scheme. In contrast, we will next show how to use SNARKs to construct a functional signature where the signature size is proportional to |f(m)|, instead of |f| + |m|.


3.2.2  Succinct,  Function-Private  Functional  Signatures  from  SNARKs 

We  demonstrate  how  to  combine  any  unforgeable  functional  signature  scheme  (such  as  the  OWF-based 
construction  from  the  previous  section)  together  with  a  succinct  non-interactive  argument  of  knowledge 
(SNARK)  to  obtain  a  new  functional  signature  scheme  also  satisfying  succinctness  and  function  privacy. 

Let FS1 = (FS1.Setup, FS1.Sign, FS1.Verify) be a functional signature scheme, satisfying the unforgeability game as in Definition 3.1, but not necessarily function privacy or succinctness. Let Π = (Gen, Prove, Verify, S = (S_crs, S_Proof), E = (E_1, E_2)) be an efficient adaptive zero-knowledge SNARK system for the following NP language L:

L = {(m, mvk) | ∃σ s.t. FS1.Verify(mvk, m, σ) = 1}.

We show how to use FS1 and Π to construct a new functional signature scheme that also satisfies function privacy and succinctness.

• FS2.Setup(1^k):

— choose a master signing key, verification key pair for FS1: (msk', mvk') ← FS1.Setup(1^k).

— choose a crs for the zero-knowledge SNARK: crs ← Π.Gen(1^k).

— set the master secret key msk = msk', and the master verification key mvk = (mvk', crs).

• FS2.KeyGen(msk, f):

— the key generation algorithm is the same as in the underlying functional signature scheme: sk_f ← FS1.KeyGen(msk, f).

• FS2.Sign(f, sk_f, m):

— generate a signature on m in the underlying functional signature scheme: σ' ← FS1.Sign(f, sk_f, m).

— generate π ← Π.Prove((f(m), mvk'), σ', crs), a zero-knowledge SNARK that (f(m), mvk') ∈ L, where L is defined as above, and output (m* = f(m), σ = π). Informally, π is a proof that the signer knows a signature of f(m) in the underlying functional signature scheme.

• FS2.Verify(mvk, m*, σ):

— output Π.Verify(crs, m*, σ): i.e., verify that σ is a valid argument of knowledge of a signature of f(m) in the underlying functional signature scheme.

Theorem 3.4. Assume the existence of an unforgeable (but not necessarily succinct or function-private) functional signature scheme FS1 supporting the class 𝓕 of polynomial-sized circuits, and let Π be an adaptive zero-knowledge SNARK system for NP. Then there exist succinct, function-private functional signatures for 𝓕.

Proof  of  unforgeability 

Suppose there exists an adversary A_FS2 that produces a forgery in the new functional signature scheme with non-negligible probability. We show how to construct an adversary A_FS1 that uses A_FS2 to produce a forgery in the underlying functional signature scheme.

A_FS1 plays the role of the challenger in the security game for A_FS2. He gets a verification key mvk_FS1 in his own unforgeability game, generates (crs, trap) ← E_1(1^k), a simulated CRS for the ZK-SNARK, together with a trapdoor, and forwards mvk_FS2 = (mvk_FS1, crs) to A_FS2 as the new master verification key. A_FS2 makes two types of queries:

• O_key^FS2(f, i), which A_FS1 answers (honestly) by forwarding them to its KeyGen oracle, O_key^FS1(f, i).

• O_sign^FS2(f, m, i), in which case A_FS1 forwards the query to his signing oracle, and receives a signature σ_FS1 ← O_sign^FS1(f, m, i). It then outputs π ← Π.Prove((f(m), mvk_FS1), σ_FS1, crs) as his signature of f(m).

After querying the oracles, A_FS2 will output an alleged forgery in the functional signature scheme, π*, on some message m*. A_FS1 runs the extractor E_2(crs, trap, (m*, mvk_FS1), π*) to recover a witness w = σ such that FS1.Verify(mvk_FS1, m*, σ) = 1. A_FS1 then submits σ as a forgery in his own unforgeability game.

We  now  prove  that  if  Ap$2  forges  with  noticeable  probability,  then  Apsi  also  forges  with  noticeable 
probability  in  his  own  security  game. 

Hybrid 0. The real-world functional signature challenge experiment. Namely, the CRS is generated in the honest fashion crs ← Gen(1^k), and the adversary's signing queries are answered honestly. Denote the probability of the adversary producing a valid forgery in the functional signature scheme FS2 within this experiment by Forge_0.

Hybrid 1. The same experiment as Hybrid 0, except the CRS is generated using the extraction-enabling procedure, (crs, trap) ← E_1(1^k). The remainder of the experiment continues as before with respect to crs. Denote the probability of the adversary producing a valid forgery in the functional signature scheme within this experiment by Forge_1.

Hybrid 2. The interaction with the adversary is the same as in Hybrid 1. Denote by M the set of all messages signed with msk_FS1 in the underlying functional signature scheme during the course of the experiment, as a result of A_FS1's key and signing oracle queries. At the experiment's conclusion, the ZK-SNARK extraction algorithm is executed on the adversary's alleged forgery π* (on message m*) in the functional signature scheme: i.e., (σ*) ← E_2(crs, trap, (m*, mvk_FS1), π*).

Denote by Extract_2 the probability that σ* is a valid signature in the underlying functional signature scheme FS1 on a message m* such that f* ∉ M. Note that this corresponds to the probability of A_FS1 successfully producing a forgery.

Unforgeability of the functional signature scheme follows from the following sequence of lemmas.

Lemma 3.5. Forge_0 ≤ Forge_1 + negl(k).

Proof. Follows directly from the fact that the CRS values generated via the standard algorithm Gen and those generated by the extraction-enabling algorithm E_1 are statistically close, as per Definition 2.8.

More formally, suppose there exists a PPT adversary A for which Forge_1 < Forge_0 − ε for some ε. Then the following (not necessarily efficient) adversary A_crs distinguishes between CRS values with advantage ε. In the CRS challenge, A_crs is given a value crs (generated by either the standard algorithm or the extraction-enabling algorithm). First, A_crs generates a key pair (msk_FS1, mvk_FS1) ← FS1.Setup(1^k) for the underlying functional signature scheme, and sends mvk_FS2 = (mvk_FS1, crs) to A. He answers A_FS2's queries as in Hybrid 0, generating signatures and proofs as required (note that A_crs holds the master secret key msk_FS1, which allows him to answer the queries). At the conclusion of A_FS2's query phase, he outputs an alleged forgery π* in the functional signature scheme. The adversary A_crs tests whether π* is indeed a forgery. We note that this verification process might not be efficient, since A_crs needs to test whether the message whose signature A_FS2 claims to have forged is actually not in the range of any of the functions f that A_FS2 has requested signing keys for. If the forgery verifies, A_crs outputs "standard crs"; otherwise, he outputs "extractable crs". His advantage in the CRS distinguishing game is precisely Forge_1 − Forge_0, as desired. Since the real and simulated CRS strings are supposed to be statistically close, the distinguishing advantage Forge_1 − Forge_0 has to be negligible even for an inefficient adversary. □

Lemma 3.6. Forge_1 ≤ Extract_2 + negl(k).

Proof. This holds by the extraction property of the ZK-SNARK system (Definition 2.8).

Namely, if there exists a PPT adversary A for which Forge_1 > Extract_2 + ε for some ε, then the following adversary A_Ext successfully produces a properly-verifying proof π for which extraction fails with probability ε (which must be negligible by the SNARK extraction property).

A_Ext receives a CRS value crs generated via (crs, trap) ← E_1(1^k). He samples a key pair (msk_FS1, mvk_FS1) ← FS1.Setup(1^k) for the underlying functional signature scheme, sends mvk_FS2 = (mvk_FS1, crs) to the adversary A, and answers all of A's key and signing oracle queries as in Hybrid 1.

Now, let M be the collection of all messages f which were signed by A_Ext during the course of the interaction with A. Suppose that π* is a valid forgery on m* in the functional signature scheme; in particular, π* is a valid proof that (m*, mvk_FS1) ∈ L. We argue that if extraction succeeds on π* (i.e., σ* ← E_2(crs, trap, (m*, vk), π*) yields a valid witness for (m*, vk) ∈ L), then it must be that the extracted σ* is a valid signature on a message g ∉ M in the underlying functional signature scheme, so that we are in the event corresponding to Extract_2. That is, we show Forge_1 − Extract_2 is bounded above by the probability that extraction fails.

Since π* is a valid forgery in the functional signature scheme FS2, it must be that m* ∉ Range(g) for all key queries O_key(g, i) made by A, and that m* ≠ g(x) for all signing queries O_sign(g, x, i) made by A. Now, if the extracted tuple (f*, m, σ*) ← E_2(crs, trap, (m*, vk), π*) is a valid witness for (m*, vk) ∈ L, then from the definition of the language L it means that m* = f*(m) and that σ* is a valid signature on f* with respect to the master signing key sk (i.e., Verify(vk, σ*, f*) = 1). Recall that the set M consists exactly of the functions g for which A made a key query, and the collection of constant functions g' = g(x) for which A made a signing query (g, x). But since m* ∈ Range(f*) and m* ∉ Range(g) for all g ∈ M, it must be that f* ∉ M, as desired.

Therefore, with probability at least Forge_1 − Extract_2 = ε, it must hold that π* is a valid proof but that the extraction algorithm fails to extract a valid witness from π*. By the extraction property of the SNARK system, it must be that ε is negligible.

□ 


Lemma 3.7. Extract_2 ≤ negl(k).

Proof. This holds by the unforgeability of the underlying functional signature scheme FS1, since Extract_2 is precisely the probability that the adversary A_FS1 constructed above produces a successful forgery in the unforgeability game for FS1. □
Proof of function privacy

We show that any adversary A_priv who succeeds in the function privacy game with noticeable advantage can be used to break the zero knowledge property of the ZK-SNARK scheme. Recall that in the adaptive zero knowledge security game, the adversary is given a CRS (either honestly generated or simulated) and access to an oracle who accepts statement-witness pairs (x, w) and responds with either honestly generated or simulated proofs of the statement.

More  specifically,  consider  the  following  two  hybrid  experiments: 

Hybrid 0. The real function privacy challenge. In particular, the CRS for the ZK-SNARK system is generated honestly as crs ← Π.Gen(1^k). The challenge signature, on message m_b for randomly chosen b ← {0, 1} (with respect to key f_b), is generated by first generating a signature on m_b in the underlying functional signature scheme σ ← FS1.Sign(sk_{f_b}, m_b) and then honestly generating a proof π ← Π.Prove((f_b(m_b), mvk), σ, crs).

Hybrid 1. Similar to Hybrid 0, except that the SNARK appearing in the challenge signature is replaced by a simulated argument. Namely, the CRS is generated using the simulator algorithm (crs, trap) ← S_crs(1^k). And the challenge signature is generated by sampling a random bit b ← {0, 1} and ignoring it, instead using the simulator π ← S_Proof(crs, trap, (m', mvk)), where m' = f_0(m_0) = f_1(m_1).

Denote by win_0, win_1 the advantage of the adversary A_priv in guessing the bit b in Hybrid 0 and 1, respectively. Function privacy of FS2 follows from the following two claims.

Claim 3.8. win_1 ≥ win_0 − negl(k).

Proof. Follows directly from the adaptive zero knowledge property of the ZK-SNARK system. More explicitly, consider the following adversary A_ZK:

1. A_ZK receives a CRS value crs from the adaptive zero knowledge challenger (either honestly generated or simulated). In addition, he generates a master key pair for the underlying functional signature scheme: (msk, mvk) ← FS1.Setup(1^k). A_ZK takes mvk' = (m​vk, crs) and sends the key pair (mvk', msk) to the function privacy adversary A_priv.

2. A_priv responds (adaptively) with function queries f_0, f_1 and a message pair m_0, m_1 with f_0(m_0) = f_1(m_1). For each function query f_b, A_ZK generates a corresponding key sk_{f_b} ← FS1.KeyGen(msk, f_b) and sends sk_{f_b} to A_priv.

3. A_ZK prepares the function privacy challenge signature as follows. First, he chooses a random bit b ← {0, 1}, and uses (f_b, m_b, sk_{f_b}) to generate a signature on f_b(m_b) in the underlying functional signature scheme: σ ← FS1.Sign(sk_{f_b}, m_b). He then submits the query ((f_b(m_b), mvk), σ) to the proof oracle in his own ZK challenge. (Recall that σ is a valid witness for (f_b(m_b), mvk) ∈ L.) Denote the oracle response by π, which is either honestly generated or simulated.

4. A_ZK sends the signature π to A_priv, who responds with a guessed bit b' in the function privacy game. If b' = b, then A_ZK outputs "real." Otherwise, if b' ≠ b, then A_ZK outputs "simulated."

Note that if A_ZK has access to the Real Proof experiment (Experiment Exp_A(k) in Definition 2.9), then A_ZK perfectly simulates Hybrid 0, whereas if he has access to the Simulated Proof experiment (Experiment Exp^S_A(k) in Definition 2.9), then A_ZK perfectly simulates Hybrid 1. Thus, A_ZK's advantage in the adaptive zero knowledge challenge is equal to win_0 − win_1, which by the ZK security of the ZK-SNARK scheme must hence be negligible.

□ 


Claim 3.9. win_1 ≤ negl(k).

Proof. Note that the view of A_priv in Hybrid 1 is in fact independent of the selected bit b. Indeed, the challenge signature is generated with respect only to the value m' = f_0(m_0) = f_1(m_1), and not any particular witness. Thus, information theoretically, even a computationally unbounded adversary could not correctly guess the bit b with noticeable advantage. □
Succinctness

The succinctness of our signature scheme follows directly from the succinctness property of the SNARK system. Namely, the size of a functional signature produced by FS2.Sign(f, sk_f, m) is exactly the proof length of a SNARK for the language L. There exists a polynomial q such that the runtime R of the associated relation is bounded by q(|f(m)| + |mvk| + |σ|), where σ is a signature in the underlying, non-succinct functional signature scheme.

By Definition 2.7, there exists a polynomial p such that the corresponding proof length is bounded by p(k + polylog(|f(m)| + |mvk| + |σ|)). The size of the signature is |σ| = poly(|f| + |m| + k). We may assume that |f| and |m| are bounded by 2^k, and therefore the size of a signature in the SNARK-based construction is polynomial in k, and independent of |f|, |m| (and even |f(m)|).

3.2.3 NIZK-based construction

If one wishes to avoid SNARK-type assumptions, one can obtain a functional signature scheme satisfying both unforgeability and function privacy (but not succinctness) under the more general assumption of standard non-interactive zero-knowledge arguments of knowledge (NIZKAoK). This can be done by essentially replacing the ZK-SNARKs in the construction of the previous section with NIZKAoKs. We remark that our construction hides the function f, but it reveals the size of a circuit computing f.³

Let (FS3.Setup, FS3.Keygen, FS3.Sign, FS3.Verify) be a functional signature scheme which is identical to our previous construction FS2, except that we use a NIZKAoK Π' instead of the zero-knowledge SNARK system Π.

Theorem 3.10. If (Sig.Setup, Sig.Sign, Sig.Verify) is an existentially unforgeable signature scheme, and Π' is a NIZKAoK, our new functional signature construction (FS3.Setup, FS3.Keygen, FS3.Sign, FS3.Verify) satisfies both unforgeability and function privacy.

We can use the proof from the previous section, since a zero-knowledge SNARK and a NIZK satisfy the same adaptive zero-knowledge and extractability properties that are used in the proof. The only difference is that a SNARK has a more efficient verification algorithm, and shorter proofs, while a NIZK can be constructed under more general assumptions.


4 Applications of Functional Signatures

In this section we discuss applications of functional signatures to other cryptographic problems, such as constructing delegation schemes and succinct non-interactive arguments.

4.1 SNARGs from Functional Signatures

Recall that in a SNARG protocol for a language L, there is a verifier V, and a prover P who wishes to convince the verifier that an input x is in L. To achieve succinctness, proofs produced by the prover must be sublinear in the size of the input plus the size of the witness.

We show how to use a functional signature scheme supporting keys for functions f describable as polynomial-size circuits, and which has short signatures (i.e., of size r(k) · (|f(m)| + |m|)^{o(1)} for a polynomial r(·)) to construct a SNARG scheme with preprocessing for any language L ∈ NP with proof size bounded by r(k) · (|w| + |x|)^{o(1)}, where w is the witness and x is the instance. We note that this is the proof size used in the lower bound of [GW11].

Let L be an NP complete language, and R the corresponding relation. The main idea in the construction is for the verifier (or CRS setup) to give out a single signing key for a function whose range consists of exactly those strings that are in L. Note that this can be efficiently described by use of the relation R (where the function also takes as input a witness). Then, with sk_f for this appropriate function f, the prover will be able to sign only those messages that are in the language L, and hence can use a signature on x as a convincing proof that x ∈ L. The resulting proof is succinct and publicly verifiable.

³ This is not a concern in the SNARK-based construction, since the size of the signature was independent of the function size.

More explicitly, let FS = (FS.Setup, FS.KeyGen, FS.Sign, FS.Verify) be a succinct functional signature scheme (as in Definition 3.1) supporting the class 𝓕 of polynomial-size circuits. We construct the desired SNARG system Π = (Π.Gen, Π.Prove, Π.Verify) for NP language L with relation R, as follows:

• Π.Gen(1^k):

— run the setup for the functional signature scheme, and get (mvk, msk) ← FS.Setup(1^k)

— generate a signing key sk_f ← FS.KeyGen(msk, f) where f is the following function:

$$
f(x|w) := \begin{cases} x & \text{if } R(x, w) = 1 \\ \bot & \text{otherwise} \end{cases}
$$

— output crs = (mvk, sk_f)

• Π.Prove(x, w, crs):

— output FS.Sign(f, sk_f, x|w)

• Π.Verify(crs, x, π):

— output FS.Verify(mvk, x, π)


Theorem 4.1. If FS is a functional signature scheme supporting the class 𝓕 of polynomial-sized circuits, then Π is a succinct non-interactive argument (SNARG) for NP language L.

Proof. We address the correctness, soundness, and succinctness of the scheme.

Correctness

The correctness property of the SNARG scheme follows immediately from the correctness property of the functional signature scheme. Namely, let R be the relation corresponding to the language L. Then ∀(x, w) ∈ R, ∀crs = (mvk, sk_f), where (msk, mvk) ← FS.Setup(1^k) and sk_f ← FS.KeyGen(msk, f), and ∀π = σ, where (x, σ) ← FS.Sign(f, sk_f, (x, w)),

Π.Verify(crs, x, π) = FS.Verify(mvk, x, σ) → 1.

Soundness

The soundness of the proof system follows from the unforgeability property of the signature scheme: since the prover is not given keys for any function except f, he can only sign messages x that are in the range of f, and therefore instances in the language L.

Suppose there exists a PPT adversary Adv for which Pr[crs ← Π.Gen(1^k); (x, π) ← Adv(crs) : x ∉ L ∧ Π.Verify(crs, x, π) = 1] = ε(|x|), for a non-negligible function ε(·).

Then we can construct an adversary A_FS who breaks the unforgeability of the underlying functional signature scheme. A_FS gives crs = (mvk, sk_f) to Adv, where mvk is his challenge verification key, and sk_f is the signing key for the function f defined above, which he gets from his key generation oracle.

Adv outputs (x, π), and A_FS uses them as his forgery in the functional signature game. If x ∉ L, x must not be in the range of f, and therefore (x, π) is a valid forgery. So A_FS wins the unforgeability game with probability ε(|x|), which we have assumed is non-negligible.

Succinctness

The size of a proof is equal to the size of a signature in the functional signature scheme, which by assumption is r(k) · (|f(m)| + |m|)^{o(1)} = r(k) · (|x| + |w|)^{o(1)} for a polynomial r(·). □
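The OWF-based scheme FS1 whose unforgeability is proved above, with the Section 4.1 SNARG built on top of it, as an added Go example that is not part of the original report. It assumes Ed25519 (crypto/ed25519) as the base scheme Sig, a function name plus a Go closure in place of a circuit description, and a constructed relation R(x, w): sha256(w) = x for the language L; the Verify path shows where a Type I forgery (new f|vk under mvk) and a Type II forgery (new m under a certified vk) would each have to break the base scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Func is a function the scheme issues keys for: a stable name stands in for the description
// of f that FS1 signs and a Go closure for its circuit (this example's assumption); ok == false is ⊥.
type Func struct {
	Name string
	Eval func(m []byte) (out []byte, ok bool)
}

// FuncKey is sk_f = (sk, σ_vk) with σ_vk = Sig.Sign(msk, f|vk).
type FuncKey struct {
	SK    ed25519.PrivateKey
	VK    ed25519.PublicKey
	SigVK []byte
}

// Signature is σ = (m, c = (f, vk, σ_vk), σ_m); the output m* = f(m) travels beside it.
type Signature struct {
	M           []byte
	FName       string
	VK          ed25519.PublicKey
	SigVK, SigM []byte
}
// fBarVK encodes f|vk; vk has a fixed length, so the split is unambiguous.
func fBarVK(name string, vk ed25519.PublicKey) []byte { return append([]byte(name+"|"), vk...) }

// FS1.KeyGen: a fresh (sk, vk) certified by signing f|vk under msk (FS1.Setup is ed25519.GenerateKey).
func FS1KeyGen(msk ed25519.PrivateKey, f Func) (FuncKey, error) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return FuncKey{}, err
	}
	return FuncKey{SK: sk, VK: vk, SigVK: ed25519.Sign(msk, fBarVK(f.Name, vk))}, nil
}

// FS1.Sign: sign m under the certified key and release f(m) next to σ.
func FS1Sign(f Func, key FuncKey, m []byte) ([]byte, Signature, error) {
	out, ok := f.Eval(m)
	if !ok {
		return nil, Signature{}, errors.New("f(m) = ⊥, nothing to sign")
	}
	return out, Signature{M: m, FName: f.Name, VK: key.VK, SigVK: key.SigVK, SigM: ed25519.Sign(key.SK, m)}, nil
}

// FS1.Verify: the chain mvk -> f|vk -> m must check and m* = f(m); funcs maps a name to its circuit.
func FS1Verify(mvk ed25519.PublicKey, funcs map[string]Func, mStar []byte, s Signature) bool {
	f, known := funcs[s.FName]
	if !known || !ed25519.Verify(mvk, fBarVK(s.FName, s.VK), s.SigVK) {
		return false // a Type I forgery would need a new f|vk signed under mvk
	}
	if !ed25519.Verify(s.VK, s.M, s.SigM) {
		return false // a Type II forgery would need a new m signed under a certified vk
	}
	out, ok := f.Eval(s.M)
	return ok && bytes.Equal(out, mStar)
}

// Section 4.1 on top of FS1, for the constructed relation R(x, w): sha256(w) = x.
// Messages are x|w with x the 32-byte digest; f(x|w) := x if R(x, w) = 1, ⊥ otherwise.
var fR = Func{Name: "sha256-preimage", Eval: func(m []byte) ([]byte, bool) {
	if len(m) < sha256.Size {
		return nil, false
	}
	x, w := m[:sha256.Size], m[sha256.Size:]
	if h := sha256.Sum256(w); !bytes.Equal(h[:], x) {
		return nil, false
	}
	return x, true
}}

// Π.Gen: crs = (mvk, sk_f) for the single function f = fR.
func SNARGGen() (ed25519.PublicKey, FuncKey, error) {
	mvk, msk, err := ed25519.GenerateKey(rand.Reader) // FS1.Setup
	if err != nil {
		return nil, FuncKey{}, err
	}
	skf, err := FS1KeyGen(msk, fR)
	return mvk, skf, err
}

// Π.Prove: FS.Sign(f, sk_f, x|w). With FS1 the proof still carries x|w, so it is
// neither short nor witness-hiding; that is why Theorem 4.1 asks for a succinct FS.
func SNARGProve(skf FuncKey, x, w []byte) (Signature, error) {
	_, pi, err := FS1Sign(fR, skf, append(append([]byte{}, x...), w...))
	return pi, err
}

// Π.Verify: FS.Verify(mvk, x, π).
func SNARGVerify(mvk ed25519.PublicKey, x []byte, pi Signature) bool {
	return FS1Verify(mvk, map[string]Func{fR.Name: fR}, x, pi)
}
```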
Remark 4.2 (Functional PRFs as Functional MACs). Note that functional pseudorandom functions directly imply a notion of functional message authentication codes (MACs), where the master PRF seed s serves as the (shared) master secret MAC key, and a functional PRF subkey sk_f enables one to both MAC and verify messages f(m). Using the transformation above with such a functional MAC in the place of functional signatures yields a privately verifiable SNARG system.

Remark 4.3 (Lower bound of [GW11]). Gentry and Wichs showed in [GW11] that SNARG schemes for NP with proof size r(k) · (|x| + |w|)^{o(1)} for polynomial r(·) cannot be obtained using black-box reductions to falsifiable assumptions [Nao03]. Therefore, combined with Theorem 4.1, it follows that in order to obtain a functional signature scheme with signature size r(k) · (|f(m)| + |m|)^{o(1)} we must either rely on non-falsifiable assumptions (as in our SNARK-based construction) or make use of non-black-box techniques.

4.2 Connection between functional signatures and delegation

Recall that a delegation scheme allows a client to outsource the evaluation of a function $f$ to a server, while allowing the client to verify the correctness of the computation. The verification process should be more efficient than computing the function. See Definition 2.12 for the required correctness and security properties.

Given a functional signature scheme with signature size $S(k)$ and verification time $t(k)$ (which we assume is independent of the size of the function $f$ used in the signing process), we can get a delegation scheme in the preprocessing model with proof size $S(k)$ and verification time $t(k)$. Here $k$ is the security parameter.

Let (FS.Setup, FS.KeyGen, FS.Sign, FS.Verify) be a functional signature scheme supporting the class $\mathcal{F}$ of polynomial-sized circuits. We construct a delegation scheme (KeyGen, Encode, Compute, Verify) as follows:

• KeyGen($1^k$, $f$):

  – run the setup for the functional signature scheme and generate $(mvk, msk) \leftarrow$ FS.Setup($1^k$).

  – define the function $f'(x) := (x, f(x))$, and generate a signing key for $f'$: $sk_{f'} \leftarrow$ FS.KeyGen($msk$, $f'$).

  – output $enc = \bot$, $evk = sk_{f'}$, $vk = mvk$.

• Encode($enc$, $x$) $= x$: no processing needs to be done on the input.

• Compute($evk$, $\sigma_x$):

  – let $sk_{f'} = evk$, $x = \sigma_x$

  – generate a signature of $(x, f(x))$ using key $sk_{f'}$: i.e., $\sigma \leftarrow$ FS.Sign($sk_{f'}$, $f'$, $x$)

  – output $(f(x), \pi = \sigma)$

• Verify($vk$, $x$, $y$, $\pi_y$):

  – output FS.Verify($vk$, $(x, y)$, $\pi_y$)

Theorem 4.4. If FS is a functional signature scheme supporting the class $\mathcal{F}$ of polynomial-sized circuits, then (KeyGen, Encode, Compute, Verify) is a delegation scheme.

Correctness

The correctness of the delegation scheme follows from the correctness of the functional signature scheme.

Authenticity

By the unforgeability property of the functional signature scheme, any PPT server will only be able to produce a signature of $(x, y)$ that is in the range of $f'$: that is, only if $y = f(x)$. Thus the server will not be able to sign a pair $(x, y)$ with non-negligible probability unless $y = f(x)$.

Efficiency

The runtime of the verification algorithm of the delegation scheme is the runtime of the verification algorithm for the signature scheme, $t(k)$. The proof size is equal to the size of a signature in the functional signature scheme, $S(k)$.
5 Functional Pseudorandom Functions

In this section we present a formal definition of functional pseudorandom functions (F-PRF), pseudorandom functions with selective access (PRF-SA), and hierarchical functional pseudorandom functions. We present a construction of a functional pseudorandom function family supporting the class of prefix-fixing functions based on one-way functions, making use of the Goldreich-Goldwasser-Micali (GGM) tree-based PRF construction [GGM86]. Our construction directly yields a PRF with selective access, and additionally supports hierarchical key generation.


5.1 Definition of Functional PRF

In a standard pseudorandom function family, the ability to evaluate the chosen function is all-or-nothing: a party who holds the secret seed $s$ can compute $F_s(x)$ on all inputs $x$, whereas a party without knowledge of $s$ cannot distinguish evaluations $F_s(x)$ on requested inputs $x$ from random. We propose the notion of a functional pseudorandom function (F-PRF) family, which partly fills this gap between evaluation powers. The idea is that, in addition to a master secret key that can be used to evaluate the pseudorandom function $F$ on any point in the domain, there are additional secret keys per function $f$, which allow one to evaluate $F$ on $y$ for any $y$ for which there exists an $x$ such that $f(x) = y$ (i.e., $y$ is in the range of $f$).

Definition 5.1 (Functional PRF). We say that a PRF family $F = \{F_s : D \to R\}_{s \in S}$ is a functional pseudorandom function (F-PRF) if there exist additional algorithms

KeyGen($s$, $f$): On input a seed $s \in S$ and function description $f : A \to D$ from some domain $A$ to $D$, the algorithm KeyGen outputs a key $sk_f$.

Eval($sk_f$, $f$, $x$): On input key $sk_f$, function $f : A \to D$, and input $x \in A$, Eval outputs the PRF evaluation $F_s(f(x))$.

which satisfy the following properties:

• Correctness: For every (efficiently computable) function $f : A \to D$, $\forall x \in A$, it holds that $\forall s \leftarrow S$, $\forall sk_f \leftarrow$ KeyGen($s$, $f$), Eval($sk_f$, $f$, $x$) $= F_s(f(x))$.

• Pseudorandomness: Given a set of keys $sk_{f_1}, \ldots, sk_{f_l}$ for functions $f_1, \ldots, f_l$, the evaluation of $F_s(y)$ should remain pseudorandom on all inputs $y$ that are not in the range of any of the functions $f_1, \ldots, f_l$. That is, for any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in distinguishing between the following two experiments is negligible (for any polynomial $l = l(k)$):

Experiment Rand
  Key query Phase
    $(pp, s) \leftarrow$ Gen($1^k$)
    $f_1 \leftarrow \mathcal{A}(pp)$
    $sk_{f_1} \leftarrow$ KeyGen($s$, $f_1$)
    $\ldots$
    $f_l \leftarrow \mathcal{A}(pp, f_1, sk_{f_1}, \ldots, f_{l-1}, sk_{f_{l-1}})$
    $sk_{f_l} \leftarrow$ KeyGen($s$, $f_l$)
  Challenge Phase
    $H \leftarrow F_{D \to R}$ a random function
    $b \leftarrow \mathcal{A}^{O_{s,H}(\cdot)}(f_1, sk_{f_1}, \ldots, f_l, sk_{f_l})$

Experiment PRand
  Key query Phase
    $(pp, s) \leftarrow$ Gen($1^k$)
    $f_1 \leftarrow \mathcal{A}(pp)$
    $sk_{f_1} \leftarrow$ KeyGen($s$, $f_1$)
    $\ldots$
    $f_l \leftarrow \mathcal{A}(pp, f_1, sk_{f_1}, \ldots, f_{l-1}, sk_{f_{l-1}})$
    $sk_{f_l} \leftarrow$ KeyGen($s$, $f_l$)
  Challenge Phase
    $b \leftarrow \mathcal{A}^{F_s(\cdot)}(f_1, sk_{f_1}, \ldots, f_l, sk_{f_l})$

where

$O_{s,H}(y) := F_s(y)$ if $\exists i \in [l]$ and $x$ s.t. $f_i(x) = y$, and $H(y)$ otherwise.

Note that, as defined, the oracle $O_{s,H}(y)$ need not be efficiently computable. This inefficiency stems both from sampling a truly random function $H$, and from testing whether the adversary's evaluation queries $y$ are contained within the range of one of his previously queried functions $f_i$. However, within particular applications, the system can be set up so that this oracle is efficiently simulatable: for example, evaluations of a truly random function can be simulated by choosing each queried evaluation one at a time; further, the range of the relevant functions $f_i$ may be efficiently testable given trapdoor information (e.g., determining the range of $f : r \mapsto$ Enc($pk$, $0$; $r$) for a public-key encryption scheme is infeasible given only $pk$ but efficiently testable given the secret key).

We also consider a weaker security definition, where the adversary has to reveal which functions he will request keys for before seeing the public parameters or any of the keys. We refer to this as selective pseudorandomness.

Definition 5.2 (Selectively Secure F-PRF). We say a PRF family is a selectively secure functional pseudorandom function if the algorithms KeyGen, Eval satisfy the correctness property above, and the following selective pseudorandomness property.

• Selective Pseudorandomness: For any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in distinguishing between the following two experiments is negligible:

Experiment Sel-Rand
  Key query Phase
    $f_1, \ldots, f_l \leftarrow \mathcal{A}$
    $(pp, s) \leftarrow$ Gen($1^k$)
    $sk_{f_1}, \ldots, sk_{f_l} \leftarrow$ KeyGen($s$, $f_1, \ldots, f_l$)
  Challenge Phase
    $H \leftarrow F_{D \to R}$ a random function
    $b \leftarrow \mathcal{A}^{O_{s,H}(\cdot)}(f_1, sk_{f_1}, \ldots, f_l, sk_{f_l})$

Experiment Sel-PRand
  Key query Phase
    $f_1, \ldots, f_l \leftarrow \mathcal{A}$
    $(pp, s) \leftarrow$ Gen($1^k$)
    $sk_{f_1}, \ldots, sk_{f_l} \leftarrow$ KeyGen($s$, $f_1, \ldots, f_l$)
  Challenge Phase
    $b \leftarrow \mathcal{A}^{F_s(\cdot)}(f_1, sk_{f_1}, \ldots, f_l, sk_{f_l})$

where

$O_{s,H}(y) := F_s(y)$ if $\exists i \in [l]$ and $x$ s.t. $f_i(x) = y$, and $H(y)$ otherwise.

A special case of functional PRFs is when access control is to be determined by predicates. (Indeed, fitting within the F-PRF framework, one can emulate predicate policies by considering the corresponding functions $f_P(x) = x$ if $P(x) = 1$ and $= \bot$ if $P(x) = 0$.) For completeness, we now present the corresponding formal definition, which we refer to as PRFs with selective access.


Definition 5.3 (PRF with Selective Access). We say that a PRF family $F = \{F_s : D \to R\}_{s \in S}$ is a pseudorandom function family with selective access (PRF-SA) for a class of predicates $\mathcal{P}$ on $D$ if there exist additional efficient algorithms

KeyGen($s$, $P$): On input a seed $s \in S$ and predicate $P \in \mathcal{P}$, KeyGen outputs a key $sk_P$.

Eval($sk_P$, $P$, $x$): On input key $sk_P$ and input $x \in D$, if it holds that $P(x) = 1$ then Eval outputs the PRF evaluation $F_s(x)$.

which satisfy the following properties:

• Correctness: For each predicate $P \in \mathcal{P}$, $\forall x \in D$ s.t. $P(x) = 1$, it holds that

$\forall s \leftarrow S$, $\forall sk_P \leftarrow$ KeyGen($s$, $P$), Eval($sk_P$, $P$, $x$) $= F_s(x)$

• Pseudorandomness: Given a set of keys $sk_{P_1}, \ldots, sk_{P_l}$ for predicates $P_1, \ldots, P_l$, the evaluation of $F_s(x)$ should remain pseudorandom on all inputs $x$ for which $P_1(x) = 0 \wedge \cdots \wedge P_l(x) = 0$. That is, for any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in distinguishing between the following two experiments is negligible:

Experiment Rand
  Query Phase
    $(pp, s) \leftarrow$ Gen($1^k$)
    $P_1 \leftarrow \mathcal{A}(pp)$
    $sk_{P_1} \leftarrow$ KeyGen($s$, $P_1$)
    $\ldots$
    $P_l \leftarrow \mathcal{A}(pp, P_1, sk_{P_1}, \ldots, P_{l-1}, sk_{P_{l-1}})$
    $sk_{P_l} \leftarrow$ KeyGen($s$, $P_l$)
  Challenge Phase
    $H \leftarrow F_{D \to R}$ a random function
    $b \leftarrow \mathcal{A}^{O_{s,H}(\cdot)}(P_1, sk_{P_1}, \ldots, P_l, sk_{P_l})$

Experiment PRand
  Query Phase
    $(pp, s) \leftarrow$ Gen($1^k$)
    $P_1 \leftarrow \mathcal{A}(pp)$
    $sk_{P_1} \leftarrow$ KeyGen($s$, $P_1$)
    $\ldots$
    $P_l \leftarrow \mathcal{A}(pp, P_1, sk_{P_1}, \ldots, P_{l-1}, sk_{P_{l-1}})$
    $sk_{P_l} \leftarrow$ KeyGen($s$, $P_l$)
  Challenge Phase
    $b \leftarrow \mathcal{A}^{F_s(\cdot)}(P_1, sk_{P_1}, \ldots, P_l, sk_{P_l})$

where

$O_{s,H}(x) := F_s(x)$ if $\exists i \in [l]$ with $P_i(x) = 1$, and $H(x)$ otherwise.

Finally, we consider hierarchical F-PRFs, where a party holding key $sk_f$ for function $f : B \to D$ can generate a subsidiary key $sk_{f \circ g}$ for a second function $g : A \to B$.


Definition 5.4 (Hierarchical F-PRF). We say that an F-PRF family $(\{F_s\}_s$, KeyGen, Eval$)$ is hierarchical if the algorithm KeyGen is replaced by a more general algorithm:

SubkeyGen($sk_f$, $g$): On input a functional secret key $sk_f$ for function $f : B \to C$ (where the master secret key is considered to be $sk_{id}$ for the identity function $f(x) = x$), and function description $g : A \to B$ for some domain $A$, SubkeyGen outputs a secret subkey $sk_{f \circ g}$ for the composition $f \circ g$.

satisfying the following properties:

• Correctness: Any key $sk_g$ generated via a sequence of SubkeyGen executions will correctly evaluate $F_s(g(x)) = F_s(y)$ on each value $y$ for which the key holder knows a preimage $x$ with $g(x) = y$. Formally, for every sequence of (efficiently computable) functions $f_i : A_i \to A_{i-1}$, $\forall y \in A_0$ s.t. $\exists x \in A_\ell$ for which $f_1 \circ \cdots \circ f_\ell(x) = y$, it holds that

$\forall sk_1 \leftarrow S$, $\forall sk_{f_1 \circ \cdots \circ f_i} \leftarrow$ SubkeyGen($sk_{f_1 \circ \cdots \circ f_{i-1}}$, $f_i$) for $i = 1, \ldots, \ell$,

Eval($sk_{f_1 \circ \cdots \circ f_\ell}$, $(f_1 \circ \cdots \circ f_\ell)$, $x$) $= F_{sk_1}(y)$.

• Pseudorandomness: The pseudorandomness property of Definition 5.1 holds, with the slight modification that the adversary may adaptively make queries of the following kind, corresponding to receiving subkeys $sk_g$ generated from unknown functional keys $sk_f$. The query phase begins with a master secret key $s \leftarrow S$ being sampled and assigned identity $id = 1$. Loosely, GenerateKey generates a new subkey of an existing (possibly unknown) key indexed by $id$, and keeps the resulting key hidden. RevealKey simply reveals the generated key indexed by $id$.

GenerateKey($id$, $g$): If no key exists with identity $id$ then output $\bot$ and terminate; otherwise denote this key by $sk_f$. The challenger generates a $g$-subkey from $sk_f$ as $sk_{f \circ g} \leftarrow$ SubkeyGen($sk_f$, $g$), and assigns this key a unique identity $id'$. The new value $id'$ is output, and the resulting key $sk_{f \circ g}$ is kept secret.

RevealKey($id$): If no key exists with identity $id$ then output $\bot$ and terminate; otherwise output the corresponding key $sk_f$.

In the challenge phase, the adversary's evaluation queries are answered either (1) consistently pseudorandom, or (2) pseudorandom for all inputs $y$ for which the adversary was given a key $sk_f$ in a RevealKey query with $y \in$ Range($f$), and random for all other inputs.
5.2 Construction Based on OWF

We now construct a functional pseudorandom function family $F_s : \{0,1\}^n \to \{0,1\}^n$ supporting the class of prefix-fixing functions, based on the Goldreich-Goldwasser-Micali (GGM) tree-based PRF construction [GGM86]. More precisely, our construction supports the function class

$F_{pre} = \{ f_z(x) : \{0,1\}^n \to \{0,1\}^n \mid z \in \{0,1\}^m \text{ for } m \le n \}$,

where

$f_z(x) := x$ if $(x_1 = z_1) \wedge \cdots \wedge (x_m = z_m)$, and $\bot$ otherwise.

Recall that the GGM construction makes use of a length-doubling pseudorandom generator $G : \{0,1\}^k \to \{0,1\}^{2k}$ (which can be constructed from any one-way function). Denoting the two halves of the output of $G$ as $G(y) = G_0(y) G_1(y)$, the PRF with seed $s$ is defined as $F_s(y) = G_{y_n}(\cdots G_{y_2}(G_{y_1}(s)))$.

We show that we can obtain a functional PRF for $F_{pre}$ by adding the following two algorithms on top of the GGM PRF construction. Intuitively, in these algorithms the functional secret key $sk_{f_z}$ corresponding to a queried function $f_z \in F_{pre}$ will be the partial evaluation of the GGM tree corresponding to prefix $z$: i.e., the label of the node corresponding to $z$ in the GGM evaluation tree. Given this partial evaluation, a party will be able to compute the completion for any input $x$ which has $z$ as a prefix. However, as we will argue, the evaluation on all other inputs will remain pseudorandom.

KeyGen($s$, $f_z$): output $G_{z_m}(\cdots G_{z_2}(G_{z_1}(s)))$, where $m = |z|$

Eval($sk_{f_z}$, $y$): output $G_{y_n}(\cdots G_{y_{m+2}}(G_{y_{m+1}}(sk_{f_z})))$ if $y_1 = z_1 \wedge \cdots \wedge y_m = z_m$, and $\bot$ otherwise

We first prove that this construction yields an F-PRF with selective security (i.e., when the adversary's key queries are specified a priori). We then present a sequence of corollaries for achieving full security, PRFs with selective access, and hierarchical F-PRFs. We also focus on the specific application of punctured PRFs [SW13].


Theorem 5.5. Based on the existence of one-way functions, the GGM pseudorandom function family together with algorithms KeyGen and Eval defined as above is a selectively secure functional PRF for the class of functions $F_{pre}$, as per Definition 5.2.

Proof. We will reduce the pseudorandomness property of our functional PRF scheme to the security of the underlying PRG. Recall that (as per Definition 5.2) the functional PRF requires indistinguishability of experiments Sel-PRand and Sel-Rand, in which the adversary makes key queries (which are answered honestly), and then makes evaluation queries, which are either answered consistently (PRand) or randomly (Rand). At a high level, we will show that both Experiment Sel-Rand and Experiment Sel-PRand are indistinguishable from a third experiment where, in the query phase, the adversary's queries are answered randomly (except when one query is a prefix of another, in which case we need to ensure consistency), and in the challenge phase the adversary's queries are answered randomly. Both claims will be proved using a hybrid argument similar to the proof of the original GGM construction.

Let $f_1, \ldots, f_l \in F_{pre}$ be the functions queried by the adversary. Let $P_1, \ldots, P_l$ be the corresponding prefixes. We consider the following experiments:

Exp 1. Experiment Sel-PRand. In the key query phase, the key for each function $f_i$ corresponding to prefix $P_i$ is obtained (honestly) by following the corresponding path in the GGM tree. In the challenge phase, the adversary's evaluation queries are answered (honestly) with the corresponding pseudorandom values. We denote the probability that an adversary Adv outputs 1 in this experiment by $output^{Adv}_{Exp1}$.

Exp 2. Keys for the queried functions $f_1, \ldots, f_l \in F_{pre}$ corresponding to prefixes $P_i$ are computed randomly, up to consistency among queried sub-prefixes. This takes place as follows (recall that all queries are made up front):
• for each $f_i$, if no prefix of $P_i$ is also queried by the adversary in his keygen queries, then $sk_{f_i}$ is assigned a random value.

• otherwise, let $P_j$ be the shortest such prefix that is also queried (so that $sk_{f_j}$ has already been defined by the previous case). Then $sk_{f_i}$ is computed by honestly applying to $sk_{f_j}$ the sequence of PRGs determined by the bits of $P_i$ following $P_j$.

In the challenge phase, the adversary's evaluation queries are answered with random values. If a query is repeated, we answer consistently. We denote the probability that an adversary Adv outputs 1 in this experiment by $output^{Adv}_{Exp2}$.

Exp 3. Experiment Sel-Rand. In the key query phase, the key for each function $f_i$ corresponding to prefix $P_i$ is obtained (honestly) by following the corresponding path in the GGM tree. In the challenge phase, the adversary's evaluation queries (to values not already computable by himself) are answered with random values. If a query is repeated, we answer consistently. We denote the probability that an adversary Adv outputs 1 in this experiment by $output^{Adv}_{Exp3}$.

Note that the experiment described in Exp 1 is Experiment Sel-PRand in the Functional PRF definition, and the experiment described in Exp 3 is Experiment Sel-Rand.

Lemma 5.6. For any PPT adversary Adv

$|output^{Adv}_{Exp1} - output^{Adv}_{Exp2}| = negl(n)$.

Proof. Suppose there exists an adversary Adv such that $|output^{Adv}_{Exp1} - output^{Adv}_{Exp2}| = \epsilon(n)$ for some non-negligible $\epsilon(n)$. Wlog, assume that $output^{Adv}_{Exp2} - output^{Adv}_{Exp1} = \epsilon(n) > 0$. We claim that we can use Adv to construct an adversary $A_{PRG}$ that breaks the security of the underlying pseudorandom generator. Recall that in the PRG challenge, $A_{PRG}$ receives a polynomial-sized set of values, which are either random or random outputs of the PRG.

We use a hybrid argument, and define $Exp^i$ for $i \in [n]$. The value $i$ corresponds to the level of the tree where $A_{PRG}$ will place his challenge values when interacting with Adv.

In $Exp^i$, in the key query phase, the key for each function $f_j$ corresponding to prefix $P_j$ of length $|P_j| = m$ is computed as follows:

• if no other queried prefix is a prefix of $P_j$ and $m \le i$, return a random string of size $n$.

• if no other queried prefix is a prefix of $P_j$ and $m > i$, set the label of $P_j$'s ancestor on the $i$th level to a randomly sampled $n$-bit string, and then apply the pseudorandom generators to it as in the GGM construction according to the remaining bits of $P_j$ until the $m$th level, and return the resulting string of size $n$.

• if some other queried prefix is a prefix of $P_j$, let $sk_{f_h}$ be the key corresponding to the shortest such queried prefix $P_h$. To obtain the key for $P_j$, apply the pseudorandom generators to $sk_{f_h}$ as in the GGM construction according to the remaining bits of $P_j$, up to the $m$th level of the tree.

In the challenge phase, the answers to the adversary's evaluation queries $x$ are computed as follows:

• let $x^{(i)}$ denote the $i$-bit prefix of the queried input $x$. If the node corresponding to $x^{(i)}$ in the tree has not yet been labeled, then a random value is chosen and set as this label. The response to the adversary's query is then computed by applying the PRGs to the label, as determined by the $(i+1)$th to $n$th bits of the queried input $x$.

Since $output^{Adv}_{Exp2} - output^{Adv}_{Exp1} = \epsilon(n)$, there must exist an $i$ such that:

$\Pr[Adv \to 1 \text{ in } Exp^i] - \Pr[Adv \to 1 \text{ in } Exp^{i+1}] \ge \frac{\epsilon(n)}{n}$

Our constructed PRG adversary $A_{PRG}$ plays the role of the challenger in the game with Adv, chooses a random $i \in [n]$ and places his PRG challenges there. That is, in the key query phase, $A_{PRG}$ computes the keys for functions $f_j$ corresponding to prefix $P_j$, of length $|P_j| = m$, as follows:
• if no other queried prefix is a prefix of $P_j$ and $m < i$, return a random string of size $n$.

• if no other queried prefix is a prefix of $P_j$ and $m = i$, return one of $A_{PRG}$'s challenge values.

• if no other queried prefix is a prefix of $P_j$ and $m > i$, set a challenge string as the ancestor of $P_j$ on the $i$th level, and then apply the pseudorandom generators to it as in the GGM construction until the $m$th level and return the resulting string of size $n$.

• if some other queried prefix is a prefix of $P_j$, let $sk_{f_h}$ be the key corresponding to the shortest such queried prefix, $P_h$. To obtain the key for $P_j$, apply the pseudorandom generators to $sk_{f_h}$ as in the GGM construction, up to the $m$th level of the tree.

In the challenge phase, the answers to the adversary's evaluation queries $x$ are computed as follows:

• let $x^{(i)}$ denote the $i$-bit prefix of the queried input $x$. If the node corresponding to $x^{(i)}$ in the tree has not yet been labeled, then one of $A_{PRG}$'s challenge values is chosen and set as the label. The response to the adversary's query is then computed by applying the PRGs to the label, as determined by the $(i+1)$th to $n$th bits of the queried input $x$.

Comparing the experiment above to $Exp^i$ and $Exp^{i+1}$, we can see that, if the inputs to $A_{PRG}$ are random, $A_{PRG}$ behaves as the challenger in $Exp^i$, and if they are the output of a PRG, he behaves as the challenger in $Exp^{i+1}$.

At the end, $A_{PRG}$ outputs the same answer as Adv in its own security game.

$\Pr[A_{PRG} \text{ guesses correctly}]$

$= \frac{1}{2} \Pr[A_{PRG} \to 1 \mid \text{challenge values random}] + \frac{1}{2} \Pr[A_{PRG} \to 0 \mid \text{challenge values are output of a PRG}]$

$= \frac{1}{2} \Pr[Adv \text{ outputs } 1 \text{ in } Exp^i] + \frac{1}{2} \Pr[Adv \text{ outputs } 0 \text{ in } Exp^{i+1}]$

$= \frac{1}{2} \Pr[Adv \text{ outputs } 1 \text{ in } Exp^i] + \frac{1}{2}\left(1 - \Pr[Adv \text{ outputs } 1 \text{ in } Exp^{i+1}]\right)$

$= \frac{1}{2} + \frac{1}{2}\left(\Pr[Adv \text{ outputs } 1 \text{ in } Exp^i] - \Pr[Adv \text{ outputs } 1 \text{ in } Exp^{i+1}]\right)$

$\ge \frac{1}{2} + \frac{\epsilon(n)}{2n}$

If $\epsilon(n)$ is non-negligible, $A_{PRG}$ can distinguish between random values and outputs of a pseudorandom generator with non-negligible advantage, which would break the security of the underlying pseudorandom generator. This completes the proof of the lemma.

□


Lemma 5.7. For any PPT adversary Adv

$|output^{Adv}_{Exp2} - output^{Adv}_{Exp3}| = negl(n)$.

Proof. We use a similar hybrid argument: In $Exp^i$, in the key query phase, the key for the function corresponding to prefix $P_j$, of length $|P_j| = m$, is computed as before:

• if no other queried prefix is a prefix of $P_j$ and $m \le i$, return a random string of size $n$.

• if no other queried prefix is a prefix of $P_j$ and $m > i$, set a random string as the ancestor of $P_j$ on the $i$th level, and then apply the pseudorandom generators to it as in the GGM construction until the $m$th level and return the resulting string of size $n$.

• if some other queried prefix is a prefix of $P_j$, let $sk_{f_h}$ be the key corresponding to the shortest queried prefix of $P_j$, $P_h$. To obtain the key for $P_j$, apply the pseudorandom generators to $sk_{f_h}$ as in the GGM construction, up to the $m$th level of the tree.

In the challenge phase, the adversary's queries are answered with random values, unless he has already received a key that allows him to compute the PRF on his queried value, in which case the query is answered consistently.

The first hybrid, $Exp^0$, is Exp 3, and the last hybrid, $Exp^n$, is Exp 2. □

From the previous lemmas, we can conclude that, for any PPT adversary Adv

$|output^{Adv}_{Exp1} - output^{Adv}_{Exp3}| = negl(n)$.

This is equivalent to saying that no PPT adversary can distinguish between Experiment Sel-PRand and Experiment Sel-Rand in the Functional PRF definition. That is, the construction is a secure F-PRF.

□

Remark 5.8. We remark that one can directly obtain a fully secure F-PRF for $F_{pre}$ (as in Definition 5.1) from our selectively secure construction, with a loss of $1/|F_{pre}|$ in security for each functional secret key $sk_{f_z}$ queried by the adversary. This is achieved simply by guessing the adversary's query $f_z \in F_{pre}$. For appropriate choices of input size $n$ and security parameter $k$, this can still provide meaningful security.

As an immediate corollary of Theorem 5.5, we obtain a (selectively secure) PRF with selective access for the class of equivalent prefix-matching predicates $\mathcal{P}_{pre} = \{ P_z : \{0,1\}^n \to \{0,1\} \mid z \in \{0,1\}^m \text{ for } m \le n \}$, where $P_z(x) := 1$ if $(x_1 = z_1) \wedge \cdots \wedge (x_m = z_m)$ and $0$ otherwise.

Corollary 5.9. Based on the existence of one-way functions, the GGM pseudorandom function family together with algorithms KeyGen and Eval defined as above is a selectively secure functional PRF for the class of predicates $\mathcal{P}_{pre}$.

Our F-PRF construction has the additional benefit of being hierarchical. That is, given a secret key $sk_{f_z}$ for a prefix $z \in \{0,1\}^m$, a party can generate subordinate secret keys $sk_{f_{z'}}$ for any $z' \in \{0,1\}^{m'}$, $m' > m$, agreeing with $z$ on the first $m$ bits. This secondary key generation process is accomplished simply by applying the PRGs to $sk_{f_z}$, traversing the GGM tree according to the additional bits of $z'$. We thus achieve the following corollary.

Corollary 5.10. Based on the existence of one-way functions, the GGM pseudorandom function family together with algorithms KeyGen and Eval defined as above is a (selectively secure) hierarchical functional PRF for the class of predicates $\mathcal{P}_{pre}$.

The pseudorandomness property can be proved using the same techniques as in the proof of Theorem 5.5.

5.2.1 Punctured Pseudorandom Functions

Punctured PRFs, formalized by [SW13], are a special case of functional PRFs where one can generate keys for the function family $F = \{ f_x(y) = y \text{ if } y \ne x, \text{ and } \bot \text{ otherwise} \}$. Such PRFs have recently been shown to have important applications, including use as a primary technique in proving security of various cryptographic primitives based on the existence of indistinguishability obfuscation (see, e.g., [SW13, HSW13]).

The existence of a functional PRF for the prefix-fixing function family gives a construction of punctured PRFs. Namely, a punctured key $sk_x$, allowing one to compute the PRF on all inputs except $x = x_1 \ldots x_n$, consists of $n$ functional keys for the prefix-fixing function family for the prefixes $(\bar{x}_1), (x_1 \bar{x}_2), (x_1 x_2 \bar{x}_3), \ldots, (x_1 x_2 \cdots x_{n-1} \bar{x}_n)$. Our GGM-based construction in the previous section thus directly yields a selectively secure punctured PRF based on OWFs.
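The prefix-fixing F-PRF of Section 5.2, its hierarchical subkeys (Corollary 5.10) and the punctured keys just described, as an added Python example that is not part of the original paper: the length-doubling PRG $G$ is modelled with SHA-256 (an assumption standing in for the OWF-based PRG), and Eval takes the prefix $z$ alongside the key, as in Definition 5.1.

```python
import hashlib
from typing import Dict, Optional

# Added example, not the paper's own code. The GGM length-doubling PRG
# G(y) = G_0(y) || G_1(y) is modelled (assumption) as G_b(y) = SHA-256(y || b),
# so every tree label, including the seed s, is a 32-byte string.


def G(label: bytes, bit: int) -> bytes:
    """G_bit(label): the left (bit = 0) or right (bit = 1) half of G(label)."""
    if bit not in (0, 1):
        raise ValueError("bit must be 0 or 1")
    return hashlib.sha256(label + bytes([bit])).digest()


def walk(label: bytes, bits: str) -> bytes:
    """Descend the GGM tree from `label` along `bits`, one PRG half per bit."""
    if any(c not in "01" for c in bits):
        raise ValueError("bits must be a string over {0,1}")
    for c in bits:
        label = G(label, int(c))
    return label


def prf(s: bytes, n: int, y: str) -> bytes:
    """F_s(y) = G_{y_n}(... G_{y_2}(G_{y_1}(s))) for an n-bit input y."""
    if len(y) != n:
        raise ValueError("input must be exactly n bits")
    return walk(s, y)


def keygen(s: bytes, z: str) -> bytes:
    """KeyGen(s, f_z): the label of node z in the GGM tree (|z| = m <= n)."""
    return walk(s, z)


def eval_key(sk_z: bytes, z: str, n: int, y: str) -> Optional[bytes]:
    """Eval(sk_{f_z}, f_z, y): finish the walk from node z when z is a prefix
    of y; otherwise return None, standing for the paper's bottom symbol."""
    if len(y) != n:
        raise ValueError("input must be exactly n bits")
    if not y.startswith(z):
        return None
    return walk(sk_z, y[len(z):])


def subkey_gen(sk_z: bytes, z: str, z2: str) -> bytes:
    """Hierarchical key generation: from sk_{f_z} derive sk_{f_{z'}} for any
    z' extending z, without access to the master seed."""
    if not z2.startswith(z):
        raise ValueError("z' must agree with z on the first |z| bits")
    return walk(sk_z, z2[len(z):])


def puncture(s: bytes, x: str) -> Dict[str, bytes]:
    """Punctured key sk_x: the n prefix keys for x_1 ... x_{i-1} followed by
    the complement of x_i. Exactly one prefix matches any y != x, none match x."""
    keys: Dict[str, bytes] = {}
    for i in range(len(x)):
        prefix = x[:i] + ("1" if x[i] == "0" else "0")
        keys[prefix] = keygen(s, prefix)
    return keys


def punctured_eval(sk_x: Dict[str, bytes], n: int, y: str) -> Optional[bytes]:
    """Evaluate F_s(y) from a punctured key; None iff y is the punctured point."""
    if len(y) != n:
        raise ValueError("input must be exactly n bits")
    for prefix, sk in sk_x.items():
        if y.startswith(prefix):
            return walk(sk, y[len(prefix):])
    return None


if __name__ == "__main__":
    # Constructed sample values: a fixed seed and 8-bit inputs.
    seed = bytes(range(32))
    n = 8
    y = "10110010"
    sk = keygen(seed, "101")
    assert eval_key(sk, "101", n, y) == prf(seed, n, y)
    assert eval_key(sk, "101", n, "00110010") is None  # outside the prefix
    sk_x = puncture(seed, y)
    assert punctured_eval(sk_x, n, y) is None
    assert punctured_eval(sk_x, n, "10110011") == prf(seed, n, "10110011")
    print("F_s(%s) = %s" % (y, prf(seed, n, y).hex()))
```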

Corollary 5.11 (Selectively-Secure Punctured PRFs). Assuming the existence of OWF, there exists a selectively secure punctured PRF for any desired poly-size input length.
When considering full security, this may seem an inhibiting limitation, as naive complexity leveraging over each of the $n$ released keys would incur a tremendous loss in security. However, for a punctured PRF, these $n$ keys are not independently chosen: rather, there is a one-to-one correspondence between the input $x$ that is punctured and the corresponding set of $n$ prefix-fixing keys we give out. This means there are only $2^n$ possible sets of key queries made by a punctured PRF adversary (as opposed to the far larger number of possible choices of $n$ independent prefix queries), and thus, in the full-to-selective security reduction, we lose only a factor of $2^{-n}$ in the security (as the reduction needs only to guess which of these $2^n$ query sets will be made by the adversary). Given a desired level of security $k$ and input size $n = n(k)$, and assuming an underlying OWF secure against all adversaries that run in time $2^{K^\epsilon}$ when implemented with security parameter $K$ for some constant $0 < \epsilon < 1$, then by setting $K = n^{1/\epsilon}$, we obtain a fully secure puncturable PRF.

Corollary 5.12. Assuming the existence of $2^{K^\epsilon}$-hard OWF for security parameter $K$ and some constant $0 < \epsilon$, there exists a (fully) secure punctured PRF for any desired poly-size input length.
Aggregate Pseudorandom Functions and Connections to Learning

Aloni Cohen, Shafi Goldwasser, Vinod Vaikuntanathan

Abstract

In the first part of this work, we introduce a new type of pseudo-random function for which "aggregate queries" over exponential-sized sets can be efficiently answered. We show how to use algebraic properties of underlying classical pseudo-random functions to construct such "aggregate pseudo-random functions" for a number of classes of aggregation queries under cryptographic hardness assumptions. For example, one aggregate query we achieve is the product of all function values accepted by a polynomial-sized read-once boolean formula. On the flip side, we show that certain aggregate queries are impossible to support. Aggregate pseudo-random functions fall within the framework of the work of Goldreich, Goldwasser, and Nussboim [GGN10] on the "Implementation of Huge Random Objects," providing truthful implementations of pseudo-random functions for which aggregate queries can be answered.

In the second part of this work, we show how various extensions of pseudo-random functions considered recently in the cryptographic literature yield impossibility results for various extensions of machine learning models, continuing a line of investigation originated by Valiant and Kearns in the 1980s. The extended pseudo-random functions we address include constrained pseudo-random functions, aggregatable pseudo-random functions, and pseudo-random functions secure under related-key attacks.
1 Introduction


Pseudo-random functions (PRF), introduced by Goldreich, Goldwasser and Micali [GGM86], are a family of indexed functions for which there exists a polynomial-time algorithm that, given an index (which can be viewed as a secret key) for a function, can evaluate it, but no probabilistic polynomial-time algorithm without the secret key can distinguish the function from a truly random function, even if allowed oracle query access to the function. Pseudo-random functions have been shown over the years to be useful for numerous cryptographic applications. Interestingly, aside from their cryptographic applications, PRFs have also been used to show impossibility of computational learning in the membership queries model [Val84], and served as the underpinning of the proof of Razborov and Rudich [RR97] that natural proofs would not suffice for unrestricted circuit lower bounds.

Since their inception in the mid eighties, various augmented pseudo-random functions with extra properties have been proposed, enabling more sophisticated forms of access to PRFs and more structured forms of PRFs. This was first done in the work of Goldreich, Goldwasser, and Nussboim [GGN10] on how to efficiently construct “huge objects” (e.g. a large graph implicitly described by access to its adjacency matrix) which maintain combinatorial properties expected of a random “huge object.” Furthermore, they show several implementations of varying quality of such objects for which complex global properties can be computed, such as computing cliques in a random graph, computing random function inverses from a point in the range, and computing the parity of a random function’s values over huge sets. More recently, further augmentations of PRFs have been proposed, including: the works on constrained PRFs² [KPTZ13a, BGI14a, BW13a] which can release auxiliary secret keys whose knowledge enables computing the PRF in a restricted number of locations without compromising pseudo-randomness elsewhere; key-homomorphic PRFs [BLMR13] which are homomorphic with respect to the keys; and related-key secure PRFs [BC10, ABPP14]. These constructions yield fundamental objects with often surprising applications to cryptography and elsewhere. A case in point is the truly surprising use of constrained PRFs [SW14] to show that indistinguishability obfuscation can be used to resolve the long-standing problem of deniable encryption, among many others.

In the first part of this paper, we introduce a new type of augmented PRF which we call aggregate pseudo-random functions (AGG-PRF). An AGG-PRF is a family of indexed functions each associated with a secret key, such that given the secret key, one can compute aggregates of the values of the function over super-polynomially large sets in polynomial time; and yet without the secret key, access to such aggregated values cannot enable a polynomial time adversary (distinguisher) to distinguish the function from random, even when the adversary can make aggregate queries. Note that the distinguisher can request and receive an aggregate of the function values over sets (of possibly super-polynomial size) that she can specify. Examples of aggregate queries can be the sum/product of all function values belonging to an exponential-sized interval, or more generally, the sum/product of all function values on points for which some polynomial time predicate holds. Since the sets over which our function values are aggregated are super-polynomial in size, they cannot be directly computed by simply querying the function on individual points. AGG-PRFs cast in the framework of [GGN10] are (truthful, pseudo) implementations of random functions supporting aggregates as their “complex queries.” Indeed, our first example of an AGG-PRF for computing parities over exponential-sized intervals follows directly from [GGN10] under the assumption that one-way functions exist.

² Constrained PRFs are also known as Functional PRFs and as Delegatable PRFs.

We show AGG-PRFs under various cryptographic hardness assumptions (one-way functions and DDH) for a number of types of aggregation operators such as sums and products and for a number of set systems including intervals, hypercubes, and (the supports of) restricted computational models such as decision trees and read-once Boolean formulas. We also show negative results: there are no AGG-PRFs for more expressive set systems such as (the supports of) CNF formulas. For a detailed description of our results, see Section 1.1.

In the second part of this paper, we embark on a study of the connection between the new augmented PRF constructions of recent years (constrained, related-key, aggregate) and the theory of computational learning. We recall at the outset that the fields of cryptography and machine learning share a curious historical relationship. The goals are in complete opposition and at the same time the aesthetics of the models, definitions and techniques bear a striking similarity. For example, a cryptanalyst can attack a cryptosystem using a range of powers, from only seeing ciphertext examples to requesting to see decryptions of ciphertexts of her choice. Analogously, machine learning allows different powers to the learner, such as random examples versus membership queries, and shows that certain powers allow learners to learn concepts in polynomial time whereas others will fail. Even more directly, problems which pose challenges for machine learning such as Learning Parity with Noise (LPN) have been used as the underpinning for building secure cryptosystems, and as mentioned above, [Val84] observes that the existence of PRFs in a complexity class $\mathcal{C}$ implies the existence of concept classes in $\mathcal{C}$ which cannot be learned under membership queries, and [KV94] extends this direction to some public key constructions.

In the decades since the introduction of PAC learning, new computational learning models have been proposed, such as the recent “restriction access” model [DRWY12] which allows the learner to interact with the target concept by asking membership queries, but also to obtain an entire circuit that computes the concept on a random subset of the inputs. For example, in one shot, the learner can obtain a circuit that computes the concept class on all $n$-bit inputs that start with $n/2$ zeros. At the same time, the cryptographic research landscape has been swiftly moving in the direction of augmenting traditional PRFs and other cryptographic primitives to include higher functionalities. This brings to mind natural questions:

• Can one leverage augmented pseudo-random function constructions to establish limits on what can and cannot be learned in augmented machine learning models?

• Going even further afield, can augmented cryptographic constructs suggest interesting learning models?

We address these questions in the second part of this paper. For a detailed description of our findings, see Section 1.2.

1.1 Our Results: Aggregate Pseudo Random Functions

Aggregate Pseudo Random Functions (AGG-PRF) are indexed families of pseudo-random functions for which a distinguisher (who runs in time polynomial in the security parameter) can request and receive the value of an aggregate (for example, the sum or the product) of the function values over certain large sets and yet cannot distinguish oracle access to the function from oracle access to a truly random function. At the same time, given the function index (in other words, the secret key), one can compute such aggregates over potentially super-polynomial size sets in polynomial time. Such an efficient aggregation algorithm cannot possibly exist for random functions. Thus, this is a PRF family that is very unlike random functions (in the sense of being able to efficiently aggregate over superpolynomial size sets), and yet is computationally indistinguishable from random functions.

To make this notion precise, we need two ingredients. Let $\mathcal{F} = \{\mathcal{F}_\lambda\}_{\lambda > 0}$ where each $\mathcal{F}_\lambda = \{f_K : \mathcal{D}_\lambda \to \mathcal{R}_\lambda\}_{K \in \mathcal{K}_\lambda}$ is a collection of functions from a domain $\mathcal{D}_\lambda$ to a range $\mathcal{R}_\lambda$, computable in time $\mathrm{poly}(\lambda)$.³ The first ingredient is a collection of sets (also called a set system) $\mathcal{S} = \{S \subseteq \mathcal{D}\}$ over which the aggregates can be efficiently computed given the index $K$ of the function. The second ingredient is an aggregation function $\Gamma : \mathcal{R}^* \to \{0,1\}^*$ which takes as input a tuple of function values $\{f(x) : x \in S\}$ for some set $S \in \mathcal{S}$ and outputs the aggregate $\Gamma(f(x_1), \ldots, f(x_{|S|}))$.

The sets are typically super-polynomially large, but are efficiently recognizable. That is, for each set $S$, there is a corresponding $\mathrm{poly}(\lambda)$-size circuit $C_S$ that takes as input an $x \in \mathcal{D}$ and outputs 1 if and only if $x \in S$.⁴ Throughout this paper, we will consider relatively simple aggregate functions, namely we will treat the range of the functions as an Abelian group, and will let $\Gamma$ denote the group operation on its inputs. Note that the input to $\Gamma$ is super-polynomially large (in the security parameter $\lambda$), making the aggregate computation non-trivial.

This family of functions, equipped with a set system $\mathcal{S}$ and an aggregation function $\Gamma$, is called an aggregate PRF family (AGG-PRF) if the following two requirements hold:

1. Aggregatability: There exists a polynomial (in the security parameter $\lambda$) time algorithm that, given an index $K$ to the PRF $f_K \in \mathcal{F}$ and a circuit $C_S$ that recognizes a set $S \in \mathcal{S}$, can compute $\Gamma$ over the PRF values $f_K(x)$ for all $x \in S$. That is, it can compute

$\mathrm{AGG}_{K,\Gamma}(S) := \Gamma_{x \in S}\, f_K(x)$

2. Pseudorandomness: No polynomial-time distinguisher which can specify a set $S \in \mathcal{S}$ as a query and can receive as an answer either $\mathrm{AGG}_{K,\Gamma}(S)$ for a random function $f_K \in \mathcal{F}$ or $\mathrm{AGG}_{h,\Gamma}(S)$ for a truly random function $h$, can distinguish between the two cases.

We show a number of constructions of AGG-PRF for various set systems under different cryptographic assumptions. We describe our constructions below, starting from the least expressive set system.

Interval Sets. We first present AGG-PRFs over interval set systems with respect to aggregation functions that compute any group operation. The construction can be based on any (standard) PRF family.

Theorem 1.1 (Group summation over intervals, from one-way functions [GGN10]).⁵ Assume one-way functions exist. Then, there exists an AGG-PRF family that maps $\mathbb{Z}_p$ to a group $\mathbb{G}$, with respect to a collection of sets defined by intervals $[a, b] \subseteq \mathbb{Z}_p$ and the aggregation function computing the group operation on $\mathbb{G}$.

³ In this informal exposition, for the sake of brevity, we will sometimes omit the security parameter and refrain from referring to ensembles.

⁴ All the sets we consider are efficiently recognizable, and we use the corresponding circuit as the representation of the set. We occasionally abuse notation and use $S$ and $C_S$ interchangeably.

⁵ Observed even earlier by Reingold and Naor and appeared in [GGI+02] in the context of small space streaming algorithms.
The construction works as follows. Let $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}$ be a (standard) pseudo-random function family based on the existence of one-way functions [GGM86, HILL99]. Construct an AGG-PRF family $G$ supporting efficient computation of group aggregation functions. Define

$G(k, x) = F(k, x) - F(k, x - 1)$

To aggregate $G$, set

$\sum_{x \in [a, b]} G(k, x) = F(k, b) - F(k, a - 1)$

Given $k$, this can be efficiently evaluated.
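The telescoping construction above, as an added Python example that is not the paper's code. HMAC-SHA256 stands in for the OWF-based PRF $F$, the range is the additive group $\mathbb{Z}_P$ for a constructed prime $P$, and the domain is $\mathbb{Z}_N$ with a constructed $N = 2^{32}$ so that $x - 1$ wraps around at $x = 0$; the brute-force check is only feasible on short intervals, which is exactly why the two-evaluation aggregate matters.

```python
"""Interval AGG-PRF from any PRF: G(k, x) = F(k, x) - F(k, x - 1)."""
import hashlib
import hmac

N = 2**32            # domain Z_N (constructed toy size); x - 1 is taken mod N
P = 2**61 - 1        # range: the additive group Z_P (constructed choice of prime)


def F(key: bytes, x: int) -> int:
    """Underlying PRF F(k, x) -> Z_P.
    HMAC-SHA256 is a stand-in for the GGM/OWF-based PRF used in the paper."""
    digest = hmac.new(key, (x % N).to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def G(key: bytes, x: int) -> int:
    """AGG-PRF value: the difference of two adjacent PRF outputs (cyclically at x = 0)."""
    return (F(key, x) - F(key, (x - 1) % N)) % P


def aggregate_interval(key: bytes, a: int, b: int) -> int:
    """sum_{x in [a, b]} G(k, x) = F(k, b) - F(k, a - 1).
    Two PRF evaluations, however many points the interval contains."""
    assert 0 <= a <= b < N
    return (F(key, b) - F(key, (a - 1) % N)) % P


def brute_force_interval(key: bytes, a: int, b: int) -> int:
    """Direct summation over the interval; only feasible when b - a is small."""
    return sum(G(key, x) for x in range(a, b + 1)) % P


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # constructed sample key
    assert aggregate_interval(key, 1000, 1200) == brute_force_interval(key, 1000, 1200)
    # Aggregating over all 2^32 points takes constant time; the cyclic sum telescopes to 0.
    print(aggregate_interval(key, 0, N - 1))
```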

Another construction from [GGN10] achieves summation over the integers for PRFs whose range is $\{0,1\}$. We omit the details of the construction, but state the theorem for completeness.

Theorem 1.2 (Integer summation over intervals, from one-way functions [GGN10]). Assume one-way functions exist. Then, there exists an AGG-PRF family that maps $\mathbb{Z}_{2^\lambda}$ to $\{0,1\}$, with respect to a collection of sets defined by intervals $[a, b] \subseteq \mathbb{Z}_{2^\lambda}$ and the aggregation function computing the summation over $\mathbb{Z}$.

Hypercubes. We next construct AGG-PRFs over hypercube set systems. This partially addresses Open Problem 5.4 posed in [GGN10], whether one can efficiently implement a random function with range $\{0,1\}$ with complex queries that compute parities over the function values on hypercubes. Under subexponential DDH hardness, Theorem 1.3 answers the question for products rather than parities for a function whose range is a DDH group.

Throughout this section, we take $\mathcal{D}_\lambda = \{0,1\}^\ell$ for some polynomial $\ell = \ell(\lambda)$. A hypercube $S_y$ is defined by a vector $y \in \{0, 1, *\}^\ell$ as

$S_y = \{x \in \{0,1\}^\ell : \forall i,\ y_i = * \text{ or } x_i = y_i\}$

We present a construction under the sub-exponential DDH assumption.

Theorem 1.3 (Hypercubes from DDH). Let $\mathcal{HC} = \{\mathcal{HC}_{\ell(\lambda)}\}_{\lambda > 0}$ where $\mathcal{HC}_\ell = \{0, 1, *\}^\ell$ be the set of hypercubes on $\{0,1\}^\ell$. Then, there is a construction of AGG-PRF supporting the set system $\mathcal{HC}$ with the product aggregation function, assuming the subexponential DDH assumption.

We sketch the construction from DDH below. Our DDH construction is the Naor-Reingold PRF [NR04]. Namely, the function is parametrized by an $\ell$-tuple $k = (k_1, \ldots, k_\ell)$ and is defined as

$F(k, x) = g^{\prod_{i=1}^{\ell} k_i^{x_i}}$

Let us illustrate aggregation over the hypercube $y = (1, 0, *, *, \ldots, *)$. To aggregate the function $F$, observe that

$$\prod_{\{x : x_1 = 1, x_2 = 0\}} F(k, x) = \prod_{\{x : x_1 = 1, x_2 = 0\}} g^{\prod_i k_i^{x_i}} = g^{\sum_{\{x : x_1 = 1, x_2 = 0\}} \prod_i k_i^{x_i}} = g^{(k_1)(1)(k_3 + 1)(k_4 + 1) \cdots (k_\ell + 1)}$$

which can be efficiently computed given $k$.
Decision Trees. A decision tree $T$ on $\ell$ variables is a binary tree where each internal node is labeled by a variable $x_i$, the leaves are labeled by either 0 or 1, one of the two outgoing edges of an internal node is labeled 0, and the other is labeled 1. Computation of a decision tree on an input $(x_1, \ldots, x_\ell)$ starts from the root, and at each internal node $n$, proceeds by taking either the 0-outgoing edge or the 1-outgoing edge depending on whether $x_n = 0$ or $x_n = 1$, respectively. Finally, the output of the computation is the label of the leaf reached through this process. The size of a decision tree is the number of nodes in the tree.

A decision tree $T$ defines a set $S = S_T = \{x \in \{0,1\}^\ell : T(x) = 1\}$. We show how to compute product aggregates over sets defined by polynomial size decision trees, under the subexponential DDH assumption.

The construction is simply a result of the observation that the set $S = S_T$ can be written as a disjoint union of polynomially many hypercubes. Computing aggregates over each hypercube and multiplying the results together gives us the decision tree aggregate.

Theorem 1.4 (Decision Trees from DDH). Assuming the sub-exponential hardness of the decisional Diffie-Hellman assumption, there is an AGG-PRF that supports aggregation over sets recognized by polynomial-size decision trees.
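The hypercube exponent trick and the decision-tree decomposition above, as an added Python example that is not the paper's code. It uses a constructed toy Naor-Reingold instance in the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (far too small for security; the size only makes the brute-force check over all $2^\ell$ inputs instant) and a constructed sample tree.

```python
"""Naor-Reingold PRF with product aggregation over hypercubes and decision trees."""
import itertools
import secrets

# Constructed toy group: P = 2Q + 1 is a safe prime and G = 4 generates the order-Q subgroup.
# Real instantiations need ~2048-bit P; these sizes only make the brute-force check instant.
P = 1019
Q = (P - 1) // 2          # 509, prime
G = 4
ELL = 6                   # input length: x in {0,1}^ELL


def keygen(ell: int = ELL) -> list:
    """NR index k = (k_1, ..., k_ell) with each k_i a nonzero element of Z_Q."""
    return [secrets.randbelow(Q - 1) + 1 for _ in range(ell)]


def nr_prf(k: list, x: tuple) -> int:
    """F(k, x) = g^{prod_{i : x_i = 1} k_i}; exponents live in Z_Q because g has order Q."""
    e = 1
    for k_i, x_i in zip(k, x):
        if x_i:
            e = e * k_i % Q
    return pow(G, e, P)


def hypercube_aggregate(k: list, y: tuple) -> int:
    """prod_{x in S_y} F(k, x) for y in {0, 1, '*'}^ell.
    Summing prod_i k_i^{x_i} over the cube factors coordinate-wise: a coordinate fixed to 1
    contributes k_i, one fixed to 0 contributes 1, and a free coordinate contributes 1 + k_i."""
    e = 1
    for k_i, y_i in zip(k, y):
        if y_i == '*':
            e = e * (k_i + 1) % Q
        elif y_i == 1:
            e = e * k_i % Q
    return pow(G, e, P)


def in_hypercube(y: tuple, x: tuple) -> bool:
    return all(y_i == '*' or y_i == x_i for y_i, x_i in zip(y, x))


# A decision tree is a leaf 0/1 or a triple (variable index, child on 0, child on 1).
def accepting_hypercubes(tree, ell: int, prefix: list = None) -> list:
    """Each root-to-1-leaf path fixes exactly the variables tested on it, so it is a hypercube,
    and two distinct paths disagree on some tested variable, so the cubes are pairwise disjoint.
    Assumes a variable is not re-tested along a single path."""
    if prefix is None:
        prefix = ['*'] * ell
    if tree in (0, 1):
        return [tuple(prefix)] if tree == 1 else []
    var, child0, child1 = tree
    cubes = []
    for bit, child in ((0, child0), (1, child1)):
        sub = list(prefix)
        sub[var] = bit
        cubes.extend(accepting_hypercubes(child, ell, sub))
    return cubes


def tree_aggregate(k: list, tree) -> int:
    """Disjointness means the product over S_T is the product of the per-cube aggregates."""
    agg = 1
    for y in accepting_hypercubes(tree, len(k)):
        agg = agg * hypercube_aggregate(k, y) % P
    return agg


def eval_tree(tree, x: tuple) -> int:
    while tree not in (0, 1):
        var, child0, child1 = tree
        tree = child1 if x[var] else child0
    return tree


def brute_force_product(k: list, accept) -> int:
    """Direct product over all 2^ell inputs; only feasible because ELL is tiny."""
    prod = 1
    for x in itertools.product((0, 1), repeat=len(k)):
        if accept(x):
            prod = prod * nr_prf(k, x) % P
    return prod


# Constructed sample tree: tests x0, then x1 on the 0-branch, x2 and then x3 on the 1-branch.
SAMPLE_TREE = (0, (1, 0, 1), (2, 1, (3, 0, 1)))

if __name__ == "__main__":
    k = keygen()
    y = (1, 0, '*', '*', '*', '*')
    assert hypercube_aggregate(k, y) == brute_force_product(k, lambda x: in_hypercube(y, x))
    assert tree_aggregate(k, SAMPLE_TREE) == brute_force_product(
        k, lambda x: eval_tree(SAMPLE_TREE, x) == 1)
    print("hypercube and decision-tree aggregates match brute force")
```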

Read-Once Boolean Formulas. Finally, we show a construction of AGG-PRF over read-once Boolean formulas, the most expressive of our set systems, under the subexponential DDH assumption. A read-once Boolean formula is a Boolean circuit composed of AND, OR and NOT gates with fan-out 1, namely each input literal feeds into at most one gate, and each gate output feeds into at most one other gate. Thus, a read-once formula can be written as a binary tree where each internal node is labeled with an AND or OR gate, and each literal (variable or its negation) appears in at most one leaf.

Theorem 1.5 (Read-Once Boolean Formulas from DDH). Under the subexponential decisional Diffie-Hellman assumption, there is an AGG-PRF that supports aggregation over sets recognized by read-once Boolean formulas.

Our aggregate PRF is, once again, the Naor-Reingold PRF. The index of the PRF consists of an $(\ell + 1)$-tuple of integers in $\mathbb{Z}_p$, namely $K = (K_0, \ldots, K_\ell) \in \mathbb{Z}_p^{\ell+1}$. The function is defined as

$f_K(x) = g^{K_0 \prod_{i \in [\ell]} K_i^{x_i}}$

We compute aggregates by recursion on the levels of the formula. We start by noting that it is enough to compute

$A(C, 1) := \sum_{x : C(x) = 1} \prod_{i \in [\ell]} K_i^{x_i}$

because once this is done, it is easy to compute

$\prod_{x : C(x) = 1} f_K(x) = g^{K_0 \cdot A(C, 1)}$

For the purposes of this informal exposition, assume that $\ell$ is a power of two. Let $C$ be the formula, with either $C = C_L \wedge C_R$ or $C = C_L \vee C_R$ for subformulas $C_L$ and $C_R$. We show how to recursively compute $A(C, 1)$ for these sub-circuits and thus for $C$.
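The recursion on $A(C, 1)$ carried through for both gate types, as an added Python example that is not the paper's code. The formula representation, the toy group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$, far too small for security) and the sample key and formula are all constructed; the AND case multiplies the two halves because a read-once formula's subformulas read disjoint variables, and the OR case is handled by inclusion-exclusion on the rejecting sums.

```python
"""Aggregating the Naor-Reingold PRF over the accepting set of a read-once Boolean formula."""
import itertools

# Constructed toy group: P = 2Q + 1 is a safe prime, G = 4 has order Q. Exponents live in Z_Q.
P, Q, G = 1019, 509, 4

# Formula AST: ('var', i), ('not', i), ('and', L, R), ('or', L, R), variables numbered 1..ell,
# each appearing in at most one leaf (read-once).


def variables(c) -> set:
    return {c[1]} if c[0] in ('var', 'not') else variables(c[1]) | variables(c[2])


def total(k: list, c) -> int:
    """Sum over ALL assignments to vars(C) of prod_i K_i^{x_i} = prod_{i in vars(C)} (1 + K_i)."""
    e = 1
    for i in variables(c):
        e = e * (1 + k[i]) % Q
    return e


def A(k: list, c) -> int:
    """A(C, 1) = sum_{x : C(x) = 1} prod_{i in vars(C)} K_i^{x_i} (mod Q), by recursion on C."""
    op = c[0]
    if op == 'var':            # accepted only by x_i = 1, contributing K_i^1
        return k[c[1]] % Q
    if op == 'not':            # accepted only by x_i = 0, contributing K_i^0 = 1
        return 1
    a_l, a_r = A(k, c[1]), A(k, c[2])
    if op == 'and':            # accepted iff both halves accept; disjoint variables => product
        return a_l * a_r % Q
    # 'or': accepted unless both halves reject, and the rejecting sum of a half is total - A
    t_l, t_r = total(k, c[1]), total(k, c[2])
    return (t_l * t_r - (t_l - a_l) * (t_r - a_r)) % Q


def formula_aggregate(k: list, c) -> int:
    """prod_{x in {0,1}^ell : C(x) = 1} f_K(x) = g^{K_0 * A(C,1) * prod_{i not in vars(C)} (1 + K_i)}.
    Variables the formula never reads are unconstrained, so each contributes the factor (1 + K_i)."""
    e = A(k, c)
    for i in range(1, len(k)):
        if i not in variables(c):
            e = e * (1 + k[i]) % Q
    return pow(G, k[0] * e % Q, P)


def nr_prf(k: list, x: tuple) -> int:
    """f_K(x) = g^{K_0 prod_{i in [ell]} K_i^{x_i}} with K = (K_0, ..., K_ell); x = (x_1, ..., x_ell)."""
    e = k[0]
    for i, x_i in enumerate(x, start=1):
        if x_i:
            e = e * k[i] % Q
    return pow(G, e, P)


def eval_formula(c, x: tuple) -> bool:
    op = c[0]
    if op == 'var':
        return bool(x[c[1] - 1])
    if op == 'not':
        return not x[c[1] - 1]
    l, r = eval_formula(c[1], x), eval_formula(c[2], x)
    return (l and r) if op == 'and' else (l or r)


def brute_force(k: list, c) -> int:
    """Direct product over all 2^ell inputs; feasible only because ell is tiny."""
    prod = 1
    for x in itertools.product((0, 1), repeat=len(k) - 1):
        if eval_formula(c, x):
            prod = prod * nr_prf(k, x) % P
    return prod


# Constructed sample: (x_1 AND NOT x_2) OR x_3 over ell = 5 variables; x_4, x_5 are never read.
SAMPLE_KEY = [2, 3, 5, 7, 11, 13]          # K_0 = 2, K_1 = 3, ..., K_5 = 13
SAMPLE_FORMULA = ('or', ('and', ('var', 1), ('not', 2)), ('var', 3))

if __name__ == "__main__":
    assert formula_aggregate(SAMPLE_KEY, SAMPLE_FORMULA) == brute_force(SAMPLE_KEY, SAMPLE_FORMULA)
    print("read-once formula aggregate matches brute force")
```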
Limits of Aggregation. A natural question to ask is whether one can support aggregation over sets defined by general circuits. It is however easy to see that you cannot support any class of circuits for which deciding satisfiability is hard (for example, $\mathrm{AC}^0$), or even ones for which counting the number of SAT assignments is hard (DNFs, for example), as follows. Suppose $C$ is a circuit which is either unsatisfiable or has a unique SAT assignment. Solving satisfiability for such circuits is known to be sufficient to solve SAT in general [VV86]. The algorithm for SAT simply runs the aggregator with a random PRF key $K$, and outputs YES if and only if the aggregator returns a non-zero value. Note that if the formula is unsatisfiable, we will always get 0 from the aggregator. Otherwise, we get $f_K(x)$, where $x$ is the (unique) satisfying assignment. Now, this might end up being 0 accidentally, but cannot be 0 always since otherwise, we will turn it into a PRF distinguisher. The distinguisher has the satisfying assignment hardcoded into it non-uniformly, and it simply checks if $\mathrm{PRF}_K(x)$ is 0.

Theorem 1.6 (Impossibility for General Set Systems). Suppose there is an efficient algorithm which, on an index for $f \in \mathcal{F}$, a set system defined by $\{x : C(x) = 1\}$ for a polynomial size Boolean circuit $C$, and an aggregation function $\Gamma$, outputs $\Gamma_{x : C(x) = 1}\, f(x)$. Then, there is an efficient algorithm that takes circuits $C$ as input and w.h.p. over its coins, decides satisfiability for $C$.

1.1.1 Related Work to Aggregate PRFs

As described above, the work of [GGN10] studies the general question of how one can efficiently construct random, “close-to” random, and “pseudo-random” large objects, such as functions or graphs, which “truthfully” obey global combinatorial properties rather than simply appearing to do so to a polynomial time observer.

Formally, using the [GGN10] terminology, a PRF is a pseudo-implementation of a random function, and an AGG-PRF is a pseudo-implementation of a “random function that also answers aggregate queries” (as we defined them). Furthermore, the aggregatability property of AGG-PRF implies it is a truthful pseudo-implementation of such a function. Whereas in this work we restrict our attention to aggregate queries, [GGN10] considers additional “complex queries,” such as, in the case of a uniformly selected $N$-node graph, providing a clique of size $\log_2 N$ that contains the queried vertex in addition to answering adjacency queries.

Our notion of aggregate PRFs bears resemblance to the notion of “algebraic PRFs” defined in the work of Benabbas, Gennaro and Vahlis [BGV11]. There are two main differences. First, algebraic PRFs support efficient aggregation over very specific subsets, whereas our constructions of aggregate PRFs support expressive subset classes, such as subsets recognized by hypercubes, decision trees and read-once Boolean formulas. Secondly, in the security notion for aggregate PRFs, the adversary obtains access to an oracle that computes the function as well as one that computes the aggregate values over super-polynomial size sets, whereas in algebraic PRFs, the adversary is restricted to accessing the function oracle alone. Our constructions from DDH use an algebraic property of the Naor-Reingold PRF in a similar manner as in [BGV11].

1.2 Our Results: Augmented PRFs and Computational Learning

As discussed above, connections between PRFs and learning theory date back to the 80s in the pioneering work of [Val84] showing that PRFs in a complexity class $\mathcal{C}$ imply the existence of concept classes in $\mathcal{C}$ which cannot be learned with membership queries. In the second part of this work, we study the implications of the slew of augmented PRF constructions of recent years [BW13a, BGI14a, KPTZ13b, BC10, ABPP14] and our new aggregate PRF to computational learning.

1.2.1 Constrained PRFs and limits on Restriction Access learnability

Recently, Dvir, Rao, Wigderson, and Yehudayoff [DRWY12] introduced a new learning model where the learner is allowed non-black-box information on the computational device (such as circuits, DNFs, formulas) that decides the concept; their learner receives a simplified device resulting from partial assignments to input variables (i.e. restrictions). These partial restrictions lie somewhere in between function evaluation (full restrictions), which corresponds to learning with membership queries, and the full description of the original device (the empty restriction). The work of [DRWY12] studies a PAC version of restriction access, called $\mathrm{PAC}_{RA}$, where the learner receives the circuit restricted with respect to random partial assignments. They show that both decision trees and DNF formulas can be learned efficiently in this model. Indeed, the $\mathrm{PAC}_{RA}$ model seems like quite a powerful generalization, if not too unrealistic, of the traditional PAC learning model, as it returns to the learner a computational description of the simplified concept.

Yet, in this section we will show limitations of this computational model under cryptographic assumptions. We show that the constrained pseudo-random function families introduced recently in [BW13b, BGI14b, KPTZ13a] naturally define a concept class which is not learnable by an even stronger variant of the restriction access learning model which we define. In the stronger variant, which we name membership queries with restriction access ($\mathrm{MQ}_{RA}$), the learner can adaptively specify any restriction of the circuit from a specified class of restrictions $\mathcal{S}$ and receive the simplified device computing the concept on this restricted domain in return. As this setting requires substantial notation, we define this new model very informally, and defer the formal definitions and theorems to the full version.

Definition 1.1 (Membership queries with restriction access ($\mathrm{MQ}_{RA}$)). Let $\mathcal{C} : X \to \{0,1\}$ be a concept class, and $\mathcal{S} = \{S \subseteq X\}$ be a collection of subsets of the domain. $\mathcal{S}$ is the set of allowable restrictions for concepts $f \in \mathcal{C}$. Let Simp be a “simplification rule” which, for a concept $f$ and restriction $S$, outputs a “simplification” of $f$ restricted to $S$.

An algorithm $A$ is an $(\epsilon, \delta, \alpha)$-$\mathrm{MQ}_{RA}$ learning algorithm for representation class $\mathcal{C}$ with respect to restrictions in $\mathcal{S}$ and simplification rule Simp if, for every $f \in \mathcal{C}$, $\Pr[A^{\mathrm{Simp}(f, \cdot)} = h] \geq 1 - \delta$ where $h$ is an $\epsilon$-approximation to $f$, and furthermore, $A$ only requests restrictions for an $\alpha$-fraction of the whole domain $X$.

Informally, constrained PRFs are PRFs with two additional properties: 1) for any subset $S$ of the domain in a specified collection $\mathcal{S}$, a constrained key $K_S$ can be computed, knowledge of which enables efficient evaluation of the PRF on $S$; and 2) even with knowledge of constrained keys $K_{S_1}, \ldots, K_{S_m}$ for the corresponding subsets, the function retains pseudo-randomness on all points not covered by any of these sets. Connecting this to restriction access, the constrained keys will allow for generation of restriction access examples (restricted implementations with fixed partial assignments) and the second property implies that those examples do not aid in the learning of the function.

Theorem 1.7 (Informal). Suppose $\mathcal{F}$ is a family of constrained PRFs which can be constrained to sets in $\mathcal{S}$. If $\mathcal{F}$ is computable in circuit complexity class $\mathcal{C}$, then $\mathcal{C}$ is hard to $\mathrm{MQ}_{RA}$-learn with restrictions in $\mathcal{S}$.
Corollary 1.8 (Informal). Existing constructions of constrained PRFs [BW13a] yield the following corollaries:

• If one-way functions exist, then poly-sized circuits cannot be learned with restrictions on sub-intervals of the input domain; and

• Assuming the sub-exponential hardness of the multi-linear Diffie-Hellman problem, $\mathrm{NC}^1$ cannot be learned with restrictions on hypercubes.

1.2.2 New Learning Models Inspired by the Study of PRFs

We proceed to define two new learning models inspired by recent directions in cryptography. The first model is the related concept model, inspired by work on related-key attacks in cryptography. While we have cryptography and lower bounds in mind, we argue that this model is in some ways natural. The second model, learning with aggregate queries, is directly inspired by our development of aggregate pseudo-random functions in this work; rather than being a natural model in its own right, this model further illustrates how cryptography and learning are duals in many senses.

The Related Concept Learning Model. The idea that some functions or concepts are related to one another is quite natural. For a DNF formula, for instance, related concepts may include formulas where a clause has been added or formulas where the roles of two variables are swapped. For a decision tree, we could consider removing some accepting leaves and examining the resulting behavior. For a circuit, a related circuit might alter internal gates or fix the values on some wires. A similar phenomenon occurs in cryptography, where secret keys corresponding to different instances of the same cryptographic primitive, or even secret keys of different cryptographic primitives, are related (if, for example, they were generated by a pseudo-random process on the same seed).

We propose a new computational learning model where the learner is explicitly allowed to specify membership queries not only for the concept to be learned, but also for “related” concepts, given by a class of allowed transformations on the concept. We will show both a separation from membership queries, and a general negative result in the new model. Based on recent constructions of related-key secure PRFs by Bellare and Cash [BC10] and Abdalla et al. [ABPP14], we demonstrate concept classes for which access to these related concepts is of no help.

To formalize the related concept learning model, we will consider keyed concept classes, that is, classes indexed by a set of keys. This will enable the study of related concepts by instead considering concepts whose keys are related in some way. Most generally, we think of a key as a succinct representation of the computational device which decides the concept. This is a general framework; for example, we may consider the bit representation of a particular log-depth circuit as a key for a concept in the concept class $\mathrm{NC}^1$. For a concept $f_k$ in concept class $\mathcal{C}_K$, we allow the learner to query a membership oracle for $f_k$ and also for ‘related’ concepts $f_{\phi(k)} \in \mathcal{C}_K$ for $\phi$ in a specified class of allowable functions $\Phi$. For example: let $K = \{0,1\}^\lambda$ and let $\Phi = \{\phi_\Delta : k \mapsto k \oplus \Delta\}_{\Delta \in \{0,1\}^\lambda}$. Informally:

Definition 1.2 ($\Phi$-Related-Concept Learning Model ($\Phi$-RC)). For $\mathcal{C}_K$ a keyed concept class, let $\Phi = \{\phi : K \to K\}$ be a set of functions on $K$ that contains the identity function $\mathrm{id}$. A related-concept oracle $\mathrm{RC}_k$, on query $(\phi, x)$, responds with $f_{\phi(k)}(x)$, for all $\phi \in \Phi$ and $x \in X$.

An algorithm $A$ is an $(\epsilon, \delta)$-$\Phi$-RC learning algorithm for $\mathcal{C}_K$ if, for every $k \in K$, when given access to the oracle $\mathrm{RC}_k$, the algorithm $A$ outputs with probability at least $1 - \delta$ a function $h : \{0,1\}^n \to \{0,1\}$ that $\epsilon$-approximates $f_k$.

Yet again, we are able to demonstrate the limitations of this model using the power of a strong type of pseudorandom function. We show that related-key secure PRF families (RKA-PRFs), defined and instantiated in [BC10] and [ABPP14], give a natural concept class which is not learnable with related-key queries. RKA-PRFs are defined with respect to a set $\Phi$ of functions on the set of PRF keys. Informally, the security notion guarantees that for a randomly selected key $k$, no efficient adversary can distinguish oracle access to $f_k$ and $f_{\phi(k)}$ (for many adaptively chosen functions $\phi \in \Phi$) from an oracle that returns completely random values. We leverage this strong pseudorandomness property to show hard-to-learn concepts in the related concept model.

Theorem 1.9 (Informal). Suppose $\mathcal{F}$ is a family of RKA-PRFs with respect to related-key functions $\Phi$. If $\mathcal{F}$ is computable in circuit complexity class $C$, then $C$ is hard to learn in the $\Phi'$-RC model for some $\Phi' \subseteq \Phi$.

Existing constructions of RKA-PRFs [ABPP14] yield the following corollary:

Corollary 1.10 (Informal). Assuming the hardness of the DDH problem, and collision-resistant hash functions, NC1 is hard to $\Phi$-RC-learn for a class of affine functions $\Phi$.

The Aggregate Learning Model. The other learning model we propose is inspired by our aggregate PRFs. Here, we consider a new extension to the power of the learning algorithm. Whereas membership queries are of the form "What is the label of an example $x$?", we grant the learner the power to request the evaluation of simple functions on tuples of examples $(x_1, \ldots, x_n)$ such as "How many of $x_1, \ldots, x_n$ are in $C$?" or "Compute the product of the labels of $x_1, \ldots, x_n$." Clearly, if $n$ is polynomial then this will result in only a polynomial gain in the query complexity of a learning algorithm in the best case. Instead, we propose to study cases when $n$ may be super-polynomial, but the description of the tuples is succinct. For example, the learning algorithm might query the number of $x$'s in a large interval that are positive examples in the concept.

As with the restriction access and related concept models, and the aggregate PRFs we define in this work, the Aggregate Queries (AQ) learning model will be considered with restrictions on both the types of aggregate functions $\Gamma$ the learner can query, and the sets $\mathcal{S}$ over which the learner may request these functions to be evaluated. We now present the AQ learning model informally:

Definition 1.3 ($(\Gamma, \mathcal{S})$-Aggregate Queries (AQ) Learning). Let $C : X \to \{0,1\}$ be a concept class, and let $\mathcal{S}$ be a collection of subsets of $X$. Let $\Gamma : \{0,1\}^* \to V$ be an aggregation function. For $f \in C$, let $\mathrm{AGG}_f$ be an "aggregation" oracle, which for $S \in \mathcal{S}$ returns $\Gamma_{x \in S} f(x)$. Let $\mathrm{MEM}_f$ be the membership oracle, which for input $x$ returns $f(x)$.

An algorithm $A$ is an $(\epsilon, \delta)$-$(\Gamma, \mathcal{S})$-AQ learning algorithm for $C$ if for every $f \in C$,

$$\Pr\left[A^{\mathrm{MEM}_f(\cdot),\,\mathrm{AGG}_f(\cdot)} = h\right] \geq 1 - \delta$$

where $h$ is an $\epsilon$-approximation to $f$.

Initially, AQ learning is reminiscent of learning with statistical queries (SQ). In fact, this apparent connection inspired this portion of our work. But the AQ setting is in fact incomparable to SQ learning, or even the weaker "statistical queries that are independent of the target" as defined in [BF02]. On the one hand, AQ queries provide a sort of noiseless variant of SQ, giving more power to the AQ learner; on the other hand, the AQ learner is restricted to aggregating over sets in $\mathcal{S}$, whereas the SQ learner is not restricted in this way, thereby limiting the power of the AQ learner. The AQ setting where $\mathcal{S}$ contains every subset of the domain is indeed a noiseless version of "statistical queries independent of the target," but even this model is a restricted version of SQ. This does raise the natural question of a noiseless version of SQ and its variants; hardness results in such models would be interesting in that they would suggest that the hardness comes not from the noise but from an inherent loss of information in statistics/aggregates.

We will show both a simple separation from learning with membership queries (in the full version), and, under cryptographic assumptions, a general lower bound on the power of learning with aggregate queries. The negative examples will use the results in Section 1.1.

Theorem 1.11. Let $\mathcal{F}$ be a boolean-valued aggregate PRF with respect to set system $\mathcal{S}$ and aggregation function $\Gamma$. If $\mathcal{F}$ is computable in complexity class $C$, then $C$ is hard to $(\Gamma, \mathcal{S})$-AQ learn.

Corollary 1.12. Using the results from Section 3, we get the following corollaries:

• The existence of one-way functions implies that P/poly is hard to $(\Sigma_{\mathbb{Z}}, \mathcal{S}_{[a,b]})$-AQ learn, with $\mathcal{S}_{[a,b]}$ the set of sub-intervals of the domain as defined in Section 3.

• The DDH assumption implies that NC1 is hard to $(\Sigma_{\oplus}, \mathcal{S}_{[a,b]})$-AQ learn, with $\mathcal{S}_{[a,b]}$ being the set of sub-intervals of the domain as defined in Section 3.

• The subexponential DDH assumption implies that NC1 is hard to $(\Pi, \mathcal{R})$-AQ learn, with $\mathcal{R}$ the set of read-once boolean formulas defined in Section 3.

Open Questions. As discussed in the introduction, augmented pseudorandom functions often have powerful and surprising applications, perhaps the most recent example being constrained PRFs [BW13a, KPTZ13a, BGI14a]. Perhaps the most obvious open question that emerges from this work is to find applications for aggregate PRFs. We remark that a primitive similar to aggregate PRFs was used in [BGV11] to construct delegation protocols.

Perhaps a more immediate concern is that all our aggregate PRF constructions (except for intervals) require sub-exponential hardness assumptions. We view it as an important open question to base these constructions on polynomial assumptions.

In this work we restricted our attention to particular types of aggregation functions and subsets over which the aggregation takes place, although our definition captures more general scenarios. We looked at aggregation functions that compute group operations over Abelian groups. Can we support more general aggregation functions that are not restricted to group operations, for example the majority aggregation function, or even non-symmetric aggregation functions? We show positive results for intervals, hypercubes, and sets recognized by read-once formulas and decision trees. On the other hand, we show that it is unlikely that we can support general sets, for example sets recognized by CNF formulas. This almost closes the gap between what is possible and what is hard. A concrete open question in this direction is to construct an aggregate PRF computing summation over an Abelian group for sets recognized by DNFs, or to provide evidence that this cannot be done.

Organization. This paper is organized into two parts that can be read essentially independently of each other. In the first part (Sections 2 and 3), we present the definition and constructions of aggregate pseudorandom functions. In the second part (Section 4), we show connections between various notions of augmented PRFs and their applications to augmented learning models.

2 Aggregate PRF

We will let $\lambda$ denote the security parameter throughout this paper.

Let $\mathcal{F} = \{\mathcal{F}_\lambda\}_{\lambda > 0}$ be a function family where each function $f \in \mathcal{F}_\lambda$ maps a domain $\mathcal{D}_\lambda$ to a range $\mathcal{R}_\lambda$. An aggregate function family is associated with two objects:

1. an ensemble of sets $\mathcal{S} = \{\mathcal{S}_\lambda\}_{\lambda > 0}$ where each $\mathcal{S}_\lambda$ is a collection of subsets of the domain, $S \subseteq \mathcal{D}_\lambda$; and

2. an "aggregation function" $\Gamma_\lambda : (\mathcal{R}_\lambda)^* \to \mathcal{V}_\lambda$ that takes a tuple of values from the range $\mathcal{R}_\lambda$ of the function family and "aggregates" them to produce a value in an output set $\mathcal{V}_\lambda$.

Let us now make this notion formal. To do so, we will impose restrictions on the set ensembles and the aggregation function. First, we require the set ensemble $\mathcal{S}_\lambda$ to be efficiently recognizable. That is, there is a polynomial-size Boolean circuit family $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda > 0}$ such that for any set $S \in \mathcal{S}_\lambda$ there is a circuit $C = C_S \in \mathcal{C}_\lambda$ such that $x \in S$ if and only if $C(x) = 1$. Second, we require our aggregation functions $\Gamma$ to be efficient in the length of their inputs, and symmetric; namely, the output of the function does not depend on the order in which the inputs are fed into it. Summation over an Abelian group is an example of a possible aggregation function. Third and finally, elements in our sets $\mathcal{D}_\lambda$, $\mathcal{R}_\lambda$, and $\mathcal{V}_\lambda$ are all representable in $\mathrm{poly}(\lambda)$ bits, and the functions $f \in \mathcal{F}_\lambda$ are computable in $\mathrm{poly}(\lambda)$ time.

Define the aggregate function $\mathrm{AGG} = \mathrm{AGG}_{f, \mathcal{S}_\lambda, \Gamma_\lambda}$ (footnote 6) that is indexed by a function $f \in \mathcal{F}_\lambda$, takes as input a set $S \in \mathcal{S}_\lambda$ and "aggregates" the values of $f(x)$ for all $x \in S$. That is, $\mathrm{AGG}(S)$ outputs

$$\Gamma\big(f(x_1), f(x_2), \ldots, f(x_{|S|})\big)$$

where $S = \{x_1, \ldots, x_{|S|}\}$. More precisely, we have

$$\mathrm{AGG}_{f, \mathcal{S}_\lambda, \Gamma_\lambda} : \mathcal{S}_\lambda \to \mathcal{V}_\lambda, \qquad S \mapsto \Gamma_{x_i \in S}\big(f(x_1), \ldots, f(x_{|S|})\big)$$

We will furthermore require that $\mathrm{AGG}$ can be computed in $\mathrm{poly}(\lambda)$ time. We require this in spite of the fact that the sets over which the aggregation is done can be exponentially large! Clearly, such a thing is impossible for a random function $f$; yet we will show how to construct pseudorandom function families that support efficient aggregate evaluation. We will call such a pseudorandom function (PRF) family an aggregate PRF family. In other words, our objective is twofold:

1. Allow anyone who knows the (polynomial size) function description to efficiently compute the aggregate function values over exponentially large sets; but at the same time,

2. Ensure that the function family is indistinguishable from a truly random function, even given an oracle that computes aggregate values.
A simple example of aggregates is that of computing the summation of function values over sub-intervals of the domain. That is, let domain and range be $\mathbb{Z}_p$ for some $p = p(\lambda)$, let the family of subsets be $\mathcal{S}_\lambda = \{[a, b] \subseteq \mathbb{Z}_p : a, b \in \mathbb{Z}_p;\ a \le b\}$, and the aggregation function be $\Gamma_\lambda(y_1, \ldots, y_k) = \sum_{i=1}^{k} y_i \pmod p$. In this case, we are interested in computing

$$\mathrm{AGG}_{f, \lambda, \mathrm{sum}}([a, b]) = \sum_{a \le x \le b} f(x)$$

We will, in due course, show both constructions and impossibility results for aggregate PRFs, but first let us start with the formal definition.

Definition 2.1 (Aggregate PRF). Let $\mathcal{F} = \{\mathcal{F}_\lambda\}_{\lambda > 0}$ be a function family where each function $f \in \mathcal{F}_\lambda$ maps a domain $\mathcal{D}_\lambda$ to a range $\mathcal{R}_\lambda$, $\mathcal{S}$ be an efficiently recognizable ensemble of sets $\{\mathcal{S}_\lambda\}_{\lambda > 0}$, and $\Gamma_\lambda : (\mathcal{R}_\lambda)^* \to \mathcal{V}_\lambda$ be an aggregation function. We say that $\mathcal{F}$ is an $(\mathcal{S}, \Gamma)$-aggregate pseudorandom function family (also denoted $(\mathcal{S}, \Gamma)$-AGG-PRF) if there exists an efficient algorithm $\mathrm{Aggregate}_{f, \mathcal{S}, \Gamma}(S)$ which, on input a subset $S \in \mathcal{S}$ of the domain, outputs $v \in \mathcal{V}$, such that

• Efficient aggregation: For every $S \in \mathcal{S}$, $\mathrm{Aggregate}_{f, \mathcal{S}, \Gamma}(S) = \mathrm{AGG}_{k, \mathcal{S}, \Gamma}(S)$, where $\mathrm{AGG}_{k, \mathcal{S}, \Gamma}(S) = \Gamma_{x \in S} F_k(x)$ (footnotes 6, 7).

• Pseudorandomness: For all probabilistic polynomial-time (in security parameter $\lambda$) algorithms $A$, and for randomly selected key $k \in K$:

$$\left| \Pr_{f \leftarrow \mathcal{F}_\lambda}\left[A^{f,\, \mathrm{AGG}_{f, \mathcal{S}, \Gamma}}(1^\lambda)\right] - \Pr_{h \leftarrow \mathcal{U}_\lambda}\left[A^{h,\, \mathrm{AGG}_{h, \mathcal{S}, \Gamma}}(1^\lambda)\right] \right| \le \mathrm{negl}(\lambda)$$

where $\mathcal{U}_\lambda$ is the set of all functions $\mathcal{D}_\lambda \to \mathcal{R}_\lambda$.

Remark. In this work, we restrict our attention to aggregation functions that treat the range $\mathcal{V}_\lambda = \mathcal{R}_\lambda$ as an Abelian group and compute the group sum (or product) of its inputs. We denote this setting by $\Gamma = \Sigma$ (or $\Pi$, respectively). Supporting other types of aggregation functions (e.g., max, a hash) is a direction for future work.

2.1 A General Security Theorem for Aggregate PRFs

How does the security of a function family in the AGG-PRF game relate to security in the normal PRF game (in which $A$ uses only the oracle $f$ and not $\mathrm{AGG}_f$)?

In this section, we show a general security theorem for aggregate pseudorandom functions. Namely, we show that any "sufficiently secure" PRF is also aggregation-secure (for any collection of efficiently recognizable sets and any group-aggregation operation), in the sense of Definition 2.1, by way of an inefficient reduction (with overhead polynomial in the size of the domain). In Section 3, we will use this to construct AGG-PRFs from a subexponential-time hardness assumption on the DDH problem. We also show that no such general reduction can be efficient, by demonstrating a PRF family that is not aggregation-secure. As a general security theorem cannot be shown without the use of complexity leveraging, this suggests a natural direction for future study: to devise constructions for similarly expressive aggregate PRFs from polynomial assumptions.

6 We omit subscripts on $\mathrm{AGG}$ and $\mathrm{Aggregate}$ when clear from context.

7 $\mathrm{AGG}$ is defined to be the correct aggregate value, while $\mathrm{Aggregate}$ is the algorithm by which we compute the value $\mathrm{AGG}$. We make this distinction because while a random function cannot be efficiently aggregated, the aggregate value is still well-defined.
Lemma 2.1. Let $\mathcal{F} = \{\mathcal{F}_\lambda\}_{\lambda > 0}$ be a pseudorandom function family where each function $f \in \mathcal{F}_\lambda$ maps a domain $\mathcal{D}_\lambda$ to a range $\mathcal{R}_\lambda$. Suppose there is an adversary $A$ that runs in time $t_A = t_A(\lambda)$ and achieves an advantage of $\epsilon_A = \epsilon_A(\lambda)$ in the aggregate PRF security game for the family $\mathcal{F}$ with an efficiently recognizable set system $\mathcal{S}_\lambda$ and an aggregation function $\Gamma_\lambda$ that is computable in time polynomial in its input length. Then, there is an adversary $B$ that runs in time $t_B = t_A + \mathrm{poly}(\lambda, |\mathcal{D}_\lambda|)$ and achieves an advantage of $\epsilon_B = \epsilon_A$ in the standard PRF game for the family $\mathcal{F}$.

Proof. Let $f_\lambda \leftarrow \mathcal{F}_\lambda$ be a random function from the family $\mathcal{F}_\lambda$. We construct the adversary $B$ which is given access to an oracle $\mathcal{O}$ which is either $f_\lambda$ or a uniformly random function $h : \mathcal{D}_\lambda \to \mathcal{R}_\lambda$.

$B$ works as follows: it queries the PRF on all inputs $x \in \mathcal{D}_\lambda$, builds the function table $T_\lambda$ of $f_\lambda$ and runs the adversary $A$, responding to its queries as follows:

1. Respond to its PRF query $x \in \mathcal{D}_\lambda$ by returning $T_\lambda[x]$; and

2. Respond to its aggregate query $(\Gamma, S)$ by (a) going through the table to look up all $x$ such that $x \in S$; and (b) applying the aggregation function honestly to these values.

Finally, when $A$ halts and returns a bit $b$, $B$ outputs the bit $b$ and halts.

$B$ takes $O(|\mathcal{D}_\lambda|)$ time to build the truth table of the oracle. For each aggregate query $(\Gamma, S)$, $B$ first checks for each $x \in \mathcal{D}_\lambda$ whether $x \in S$. This takes $|\mathcal{D}_\lambda| \cdot \mathrm{poly}(\lambda)$ time, since $\mathcal{S}$ is efficiently recognizable. It then computes the aggregation function $\Gamma$ over the $f(x)$ such that $x \in S$, taking $\mathrm{poly}(|\mathcal{D}_\lambda|)$ time, since $\Gamma$ is computable in time polynomial in its input length. The total time, therefore, is

$$t_B = t_A + \mathrm{poly}(\lambda, |\mathcal{D}_\lambda|)$$

Clearly, when $\mathcal{O}$ is the pseudorandom function $f_\lambda$, $B$ simulates an aggregatable PRF oracle to $A$, and when $\mathcal{O}$ is a random function, $B$ simulates an aggregate random oracle to $A$. Thus, $B$ has the same advantage in the PRF game as $A$ does in the aggregate PRF game. □

The above gives an inefficient reduction from the PRF security of a function family $\mathcal{F}$ to the AGG-PRF security of the same family, running in time polynomial in the size of the domain. Can this reduction be made efficient; that is, can we replace $t_B$ by $t_A + \mathrm{poly}(\lambda)$ in Lemma 2.1?

This is not possible. Such a reduction would imply that every PRF family that supports efficient aggregate functionality $\mathrm{AGG}$ is AGG-PRF secure; this is clearly false. Take for example a pseudorandom function family $\mathcal{F}_0 = \{f : \mathbb{Z}_{2p} \to \mathbb{Z}_p\}$ such that for all $f$, there is no $x$ with $f(x) = 0$. It is possible to construct such a pseudorandom function family $\mathcal{F}_0$ (under the standard definition). While 0 is not in the image of any $f \in \mathcal{F}_0$, a random function with the same domain and range will, with high probability, have 0 in the image. For an aggregation oracle $\mathrm{AGG}_f$ computing products over $\mathbb{Z}_p$: $\mathrm{AGG}_f(\mathbb{Z}_{2p}) \ne 0$ if $f \in \mathcal{F}_0$, while $\mathrm{AGG}_f(\mathbb{Z}_{2p}) = 0$ with high probability for random $f$.

Thus, access to aggregates for products over $\mathbb{Z}_p$ (footnote 8) would allow an adversary to trivially distinguish $f \in \mathcal{F}_0$ from a truly random map.

8 Taken with respect to a set ensemble $\mathcal{S}$ containing, as an element, the whole domain $\mathbb{Z}_{2p}$. While this is not necessary (a sufficiently large subset would suffice), it is the case for the ensembles $\mathcal{S}$ we consider in this work.
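The following added example (not from the paper) makes the separation concrete: a constructed family $\mathcal{F}_0$ that never outputs 0 is built from an HMAC-based PRF, and a single product aggregate over the whole domain tells it apart from a random function. The instantiation of the base PRF with HMAC-SHA256 and the choice $p = 101$ are assumptions of the example.

```python
import hashlib
import hmac
import random

P = 101  # constructed small prime: the range is Z_p and the domain is Z_{2p}


def base_prf(key: bytes, x: int, modulus: int) -> int:
    """Base PRF g_K : Z_{2p} -> Z_modulus, assumed here to be HMAC-SHA256 reduced mod modulus
    (the reduction of a 256-bit value mod a tiny modulus has negligible bias)."""
    mac = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def f0(key: bytes, x: int) -> int:
    """A member of F_0: it maps into {1, ..., p-1}, so 0 is never in its image.
    On its own this family is as pseudorandom as the base PRF (its outputs are just
    a pseudorandom element of Z_p^*), which is what the paper's counterexample needs."""
    return 1 + base_prf(key, x, P - 1)


def product_aggregate(func, domain_size: int) -> int:
    """AGG_f(whole domain) with product aggregation over Z_p."""
    acc = 1
    for x in range(domain_size):
        acc = acc * func(x) % P
    return acc


def distinguisher(oracle) -> int:
    """Given aggregate access, output 1 ('pseudorandom') iff the product over the whole
    domain is nonzero. For f in F_0 this is always 1; for a random function it is 0
    whenever 0 lies in the image, i.e. with probability about 1 - e^{-2} here."""
    return 1 if product_aggregate(oracle, 2 * P) != 0 else 0


def random_function(seed: int):
    """A truly random function Z_{2p} -> Z_p, tabulated from a seeded generator."""
    rng = random.Random(seed)
    table = [rng.randrange(P) for _ in range(2 * P)]
    return lambda x: table[x]
```

One aggregate query suffices for the distinguisher, whereas a standard PRF adversary with only point queries gains nothing from the missing 0.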
2.2 Impossibility of Aggregate PRF for General Sets

It is natural to ask whether an aggregate PRF might be constructed for more general sets than we present in Section 3. There we construct aggregate PRFs for the sets of all satisfying assignments of read-once boolean formulas and decision trees. As we show in the following, it is impossible to extend this to support the set of satisfying assignments for more general circuits.

Theorem 2.2. Suppose there is an algorithm that has a PRF description $K$, a circuit $C$, and a fixed aggregation rule (sum over a finite field, say), and outputs the aggregate value

$$\sum_{x : C(x) = 1} f_K(x)$$

Then, there is an algorithm that takes circuits $C$ as input and, w.h.p. over its coins, decides the satisfiability of $C$.

Proof. The algorithm for SAT simply runs the aggregator with a randomly chosen $K$, and outputs YES if and only if the aggregator returns 1. The rationale is that if the formula is unsatisfiable, you will always get 0 from the aggregator (footnote 9). Otherwise, you will get $f_K(x)$, where $x$ is the satisfying assignment. (More generally, $\sum_{x : C(x) = 1} f_K(x)$.) Now, this might end up being 0 accidentally, but cannot be 0 always since otherwise, you will get a PRF distinguisher. The distinguisher has the satisfying assignment hardcoded into it non-uniformly (footnote 10), and it simply checks if $f_K(x) = 0$. □

This impossibility result can be generalized to efficient aggregation of functions that are not pseudorandom. For instance, if $f(x) = 1$ were the constant function 1, computing the aggregate of $f$ over the satisfying inputs to $C$ would not only reveal the satisfiability of $C$, but even the number of satisfying assignments! In the PRF setting though, it seems that aggregates only reveal the (un)satisfiability of a circuit $C$, but not the number of satisfying assignments. Further studying the relationship between the (not necessarily pseudorandom) function $f$, the circuit representation of $C$, and the tractability of computing aggregates is an interesting direction. A negative result for a class for which satisfiability (or even counting assignments) is tractable would be very interesting.

3 Constructions of aggregate PRF

In this section, we show several constructions of aggregate PRFs. In Section 3.1, we show as a warm-up a generic construction of aggregate PRFs for intervals (where the aggregation is any group operation). This construction is black-box: given any PRF with the appropriate domain and range, we construct a related family of aggregate PRFs with no loss in security. In Section 3.2, we show a construction of aggregate PRFs for products over bit-fixing sets (hypercubes), from a strong decisional Diffie-Hellman assumption. We then generalize the DDH construction: in Section 3.3, to the class of sets recognized by polynomial-size decision trees; and in Section 3.4, to sets recognized by read-once Boolean formulas. In these last three constructions, we make use of Lemma 2.1 to argue security.

9 This proof may be extended to the case when the algorithm's output is not restricted to be 0 when the input circuit $C$ is unsatisfiable, and even to arbitrary outputs for sufficiently expressive classes of circuits.

10 As pointed out by one reviewer, for sufficiently expressive classes of circuits $C$, this argument can be made uniform. Specifically, we distinguish the challenge $y$ from a pseudorandom generator from random by choosing $C := C_y$ that is satisfiable if and only if $y$ is in the PRG image, and modify the remainder of the argument accordingly.
3.1 Generic Construction for Interval Sets

Our first construction is from [GGN10] (footnote 11). The construction is entirely black-box: from any appropriate PRF family $\mathcal{G}$, we construct a related AGG-PRF family $\mathcal{F}$. Unlike the proofs in the sequel, this reduction exactly preserves the security of the starting PRF.

Let $\mathcal{G}_\lambda = \{g_K : \mathbb{Z}_{n(\lambda)} \to R_\lambda\}_{K \in \mathcal{K}_\lambda}$ be a PRF family, with $R = R_\lambda$ being a group where the group operation is denoted by $\oplus$ (footnote 12) and $\ominus$ denotes the corresponding subtraction (adding the inverse). We construct an aggregatable PRF $\mathcal{F}_\lambda = \{f_K\}_{K \in \mathcal{K}_\lambda}$ for which we can efficiently compute the summation of $f_K(x)$ for all $x$ in an interval $[a, b]$, for any $a \le b \in \mathbb{Z}_n$. Let $\mathcal{S}_{[a,b]} = \{[a, b] \subseteq \mathbb{Z}_n : a, b \in \mathbb{Z}_n;\ a \le b\}$ be the set of all interval subsets of $\mathbb{Z}_n$, $[a, b] = \{i \in \mathbb{Z}_n : a \le i \le b\}$. Define $\mathcal{F} = \{f_K : \mathbb{Z}_n \to R\}_{K \in \mathcal{K}}$ as follows:

$$f_K(x) = \begin{cases} g_K(0) & : x = 0 \\ g_K(x) \ominus g_K(x - 1) & : x \ne 0 \end{cases}$$

Lemma 3.1. Assuming that $\mathcal{G}$ is a pseudorandom function family, $\mathcal{F}$ is an $(\mathcal{S}_{[a,b]}, \oplus)$-aggregate pseudorandom function family.

Proof. It follows immediately from the definition of $f_K$ that one can compute the summation of $f_K(x)$ over any interval $[a, b]$. Indeed, rearranging the definition yields (the sum telescopes)

$$\sum_{x \in [0, b]} f_K(x) = g_K(b) \qquad \text{and} \qquad \sum_{x \in [a, b]} f_K(x) = g_K(b) \ominus g_K(a - 1)$$

We reduce the pseudorandomness of $\mathcal{F}$ to that of $\mathcal{G}$. The key observation is that each query to the $f_K$ oracle as well as the aggregation oracle for $f_K$ can be answered using at most two black-box calls to the underlying function $g_K$. By assumption on $\mathcal{G}$, replacing the oracle for $g_K$ with a uniformly random function $h : \mathbb{Z}_n \to R$ is computationally indistinguishable. Furthermore, the function $f$ defined by replacing $g$ by $h$, namely

$$f(x) = \begin{cases} h(0) & : x = 0 \\ h(x) \ominus h(x - 1) & : x \ne 0 \end{cases}$$

is a truly random function. Thus, the simulated oracle with $g_K$ replaced by $h$ implements a uniformly random function that supports aggregate queries. Security according to Definition 2.1 follows immediately. □
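As an added illustration of the interval construction above (example code, not from the paper or from [GGN10]), the following instantiates $g_K$ with HMAC-SHA256 over the additive group $\mathbb{Z}_m$, derives $f_K$, and checks the two-call aggregate $g_K(b) \ominus g_K(a-1)$ against a direct sum over the interval. The domain size $n$, the group modulus $m$ and the HMAC instantiation are assumptions of the example.

```python
import hashlib
import hmac

# Constructed parameters (not the paper's): domain Z_n and range the additive group Z_m.
N = 4096
M = 1_000_003


def g(key: bytes, x: int) -> int:
    """Underlying PRF g_K : Z_n -> Z_m, assumed here to be HMAC-SHA256 reduced mod m."""
    mac = hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % M


def f(key: bytes, x: int) -> int:
    """f_K(x) = g_K(0) for x = 0, and g_K(x) (-) g_K(x-1) otherwise, with (-) subtraction in Z_m."""
    if not 0 <= x < N:
        raise ValueError("x must lie in Z_n")
    if x == 0:
        return g(key, 0)
    return (g(key, x) - g(key, x - 1)) % M


def aggregate_interval(key: bytes, a: int, b: int) -> int:
    """Sum of f_K over [a, b] using at most two calls to g_K: the sum telescopes to
    g_K(b) (-) g_K(a-1), and to g_K(b) alone when a = 0 (there is no g_K(-1) term)."""
    if not 0 <= a <= b < N:
        raise ValueError("interval must satisfy 0 <= a <= b < n")
    if a == 0:
        return g(key, b)
    return (g(key, b) - g(key, a - 1)) % M


def brute_force_sum(key: bytes, a: int, b: int) -> int:
    """Reference value: b - a + 1 evaluations of f_K, feasible only because n is small here."""
    return sum(f(key, x) for x in range(a, b + 1)) % M
```

The aggregate costs the same two PRF calls whether the interval holds two points or the whole of $\mathbb{Z}_n$, which is exactly the efficiency gap Definition 2.1 asks for.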

Another construction from the same work achieves summation over the integers for PRFs whose range is $\{0, 1\}$. We omit the details of the construction, but state the theorem for completeness.

Theorem 3.2 (Integer summation over intervals, from one-way functions [GGN10]). Assume one-way functions exist. Then, there exists an $(\mathcal{S}_{[a,b]}, \Sigma_{\mathbb{Z}})$-AGG-PRF family that maps $\mathbb{Z}_{2^\lambda}$ to $\{0, 1\}$, where $\Sigma_{\mathbb{Z}}$ denotes summation over $\mathbb{Z}$.

11 See Example 3.1 and Footnote 18.

12 The only structure of $\mathbb{Z}_n$ we use is the total order. Our construction directly applies to any finite, totally-ordered domain $D$ by first mapping $D$ to $\mathbb{Z}_n$, preserving order.
3.2 Bit-Fixing Aggregate PRF from DDH

We now construct an aggregate PRF computing products for bit-fixing sets. Informally, our PRF will have domain $\{0, 1\}^{\mathrm{poly}(\lambda)}$, and support aggregation over sets like $\{x : x_1 = 0 \wedge x_2 = 1 \wedge x_7 = 0\}$. We will naturally represent such sets by a string in $\{0, 1, *\}^{\mathrm{poly}(\lambda)}$ with 0 and 1 indicating a fixed bit location, and $*$ indicating a free bit location. We call each such set a 'hypercube.' The PRF will have a multiplicative group $\mathcal{G}$ as its range, and the aggregate functionality will compute group products.

Our PRF is exactly the Naor-Reingold PRF [NR04], for which we demonstrate efficient aggregation and security. We begin by stating the decisional Diffie-Hellman assumption.

Let $\mathcal{G} = \{\mathcal{G}_\lambda\}_{\lambda > 0}$ be a family of groups of order $p = p(\lambda)$. The decisional Diffie-Hellman assumption for $\mathcal{G}$ says that the following two ensembles are computationally indistinguishable:

$$\{(G, g, g^a, g^b, g^{ab}) : G \leftarrow \mathcal{G}_\lambda;\ g \leftarrow G;\ a, b \leftarrow \mathbb{Z}_p\}_{\lambda > 0} \approx_c \{(G, g, g^a, g^b, g^c) : G \leftarrow \mathcal{G}_\lambda;\ g \leftarrow G;\ a, b, c \leftarrow \mathbb{Z}_p\}_{\lambda > 0}$$

We say that the $(t(\lambda), \epsilon(\lambda))$-DDH assumption holds if for every adversary running in time $t(\lambda)$, the advantage in distinguishing between the two distributions above is at most $\epsilon(\lambda)$.

3.2.1 Construction

Let $\mathcal{G} = \{\mathcal{G}_\lambda\}_{\lambda > 0}$ be a family of groups of order $p = p(\lambda)$, each with a canonical generator $g$, for which the decisional Diffie-Hellman (DDH) problem is hard. Let $\ell = \ell(\lambda)$ be a polynomial function. We will construct a PRF family $\mathcal{F}_{\mathcal{G}} = \{\mathcal{F}_{\mathcal{G}, \lambda}\}_{\lambda > 0}$ where each function $f \in \mathcal{F}_{\mathcal{G}, \lambda}$ maps $\{0, 1\}^{\ell(\lambda)}$ to $\mathcal{G}_\lambda$. Our PRF family is exactly the Naor-Reingold PRF [NR04]. Namely, each function $f$ is parametrized by $\ell + 1$ numbers $K := (K_0, K_1, \ldots, K_\ell)$, where each $K_i \in \mathbb{Z}_p$:

$$f_K(x_1, \ldots, x_\ell) = g^{K_0 \prod_{i=1}^{\ell} K_i^{x_i}} \in \mathcal{G}_\lambda$$

The aggregation algorithm $\mathrm{Aggregate}$ for bit-fixing functions gets as input the PRF key $K$ and a bit-fixing string $y \in \{0, 1, *\}^\ell$ and does the following:

• Define the values $K'_i$ as follows:

$$K'_i = \begin{cases} 1 & \text{if } y_i = 0 \\ K_i & \text{if } y_i = 1 \\ 1 + K_i & \text{otherwise} \end{cases}$$

• Output $g^{K_0 \prod_{i=1}^{\ell} K'_i}$ as the answer to the aggregate query.

Letting $\mathcal{HC} = \{\mathcal{HC}_\ell\}_{\lambda > 0}$ where $\mathcal{HC}_\ell = \{0, 1, *\}^\ell$ is the set of hypercubes on $\{0, 1\}^\ell$, we now prove the following:

Theorem 3.3. Let $\epsilon > 0$ be a constant, choose the security parameter $\lambda = \omega(\ell^{1/\epsilon})$, and assume the $(2^{\lambda^\epsilon}, 2^{-\lambda^\epsilon})$-hardness of DDH over the group $\mathcal{G}$. Then, the collection of functions $\mathcal{F}$ defined above is a secure aggregate PRF with respect to the subsets $\mathcal{HC}$ and the product aggregation function over $\mathcal{G}$.
Correctness. We show that the answer we computed for an aggregate query $y \in \{0, 1, *\}^\ell$ is correct. Define the sets

$$\mathrm{Match}(y) := \{x \in \{0, 1\}^\ell : \forall i,\ y_i = * \text{ or } x_i = y_i\} \qquad \text{and} \qquad \mathrm{Fixed}(y) := \{i \in [\ell] : y_i \in \{0, 1\}\}$$

Thus, $\mathrm{Match}(y)$ is the set of all 0-1 strings $x$ that match all the fixed locations of $y$, but can take any value on the wildcard locations of $y$. $\mathrm{Fixed}(y)$ is the set of all locations $i$ where the bit $y_i$ is fixed.

Note that:

$$\begin{aligned}
\mathrm{AGG}(K, y) &= \prod_{x \in \mathrm{Match}(y)} f_K(x) && \text{(by definition of } \mathrm{AGG}) \\
&= \prod_{x \in \mathrm{Match}(y)} g^{K_0 \prod_{i=1}^{\ell} K_i^{x_i}} && \text{(by definition of } f_K) \\
&= g^{K_0 \sum_{x \in \mathrm{Match}(y)} \prod_{i=1}^{\ell} K_i^{x_i}} \\
&= g^{K_0 \left(\prod_{i \in \mathrm{Fixed}(y)} K_i^{y_i}\right) \cdot \left(\prod_{i \in [\ell] \setminus \mathrm{Fixed}(y)} (1 + K_i)\right)} && \text{(inverting sums and products)} \\
&= g^{K_0 \prod_{i=1}^{\ell} K'_i} && \text{(by definition of } K'_i) \\
&= \mathrm{Aggregate}(K, y) && \text{(by definition of } \mathrm{Aggregate})
\end{aligned}$$

Security. We will rely on the following theorem from [NR04].

Theorem 3.4 (Theorem 4.1, [NR04]). Suppose there is an adversary $A$ that runs in time $t(\lambda)$ and has an advantage of $\gamma(\lambda)$ in the (regular) PRF game. Then, there is an adversary $B$ that runs in time $\mathrm{poly}(\lambda) \cdot t(\lambda)$ and breaks the DDH assumption with advantage

The aggregate PRF security proof proceeds as follows. First, we choose the security parameter $\lambda = \omega(\ell^{1/\epsilon})$ as in the theorem statement. We use Lemma 2.1 to conclude that if there is an adversary distinguisher $D$ breaking the aggregate PRF security of $\mathcal{F}$ in $\mathrm{poly}(\lambda)$ time with $1/\mathrm{poly}(\lambda)$ advantage, then there is an adversary $A$ that breaks the regular PRF security of $\mathcal{F}$ in $\mathrm{poly}(\lambda) \cdot 2^{O(\ell)} = \mathrm{poly}(\lambda) \cdot 2^{o(\lambda^\epsilon)} = 2^{o(\lambda^\epsilon)}$ time with $1/\mathrm{poly}(\lambda)$ advantage. Using Theorem 3.4 now tells us that there is an adversary $B$ that wins the DDH distinguishing game in $2^{o(\lambda^\epsilon)}$ time with $1/\mathrm{poly}(\lambda)$ advantage, breaking the subexponential DDH assumption. This establishes the aggregate security of the PRF and thus Theorem 3.3.

Obtaining a security proof based on polynomial assumptions is an interesting open question.

3.3 Decision Trees

We generalize the previous construction from DDH to support sets specified by polynomial-sized decision trees by observing that such decision trees can be written as disjoint unions of hypercubes.

A decision tree family $\mathcal{T}_\lambda$ of size $p(\lambda)$ over $\ell(\lambda)$ variables consists of binary trees with at most $p(\lambda)$ nodes, where each internal node is labeled with a variable $x_i$ for $i \in [\ell]$, the two outgoing edges of an internal node are labeled 0 and 1, and the leaves are labeled with 0 or 1. On input an $x \in \{0,1\}^\ell$, the computation of the decision tree starts from the root, and upon reaching an internal node $n$ labeled by a variable $x_i$, takes either the 0-outgoing edge or the 1-outgoing edge out of the node $n$, depending on whether $x_i$ is 0 or 1, respectively.

We now show how to construct a PRF family $\mathcal{F} = \{\mathcal{F}_{\mathcal{T},\lambda}\}_{\lambda > 0}$, where each $\mathcal{F}_{\mathcal{T},\lambda}$ consists of functions that map $\mathcal{D}_\lambda := \{0,1\}^\ell$ to a group, that supports aggregation over sets recognized by decision trees. That is, let $\mathcal{S}_\lambda = \{S \subseteq \{0,1\}^\ell : \exists$ a decision tree $T_S \in \mathcal{T}_\lambda$ that recognizes $S\}$.

Our construction uses a hypercube-aggregate PRF family $\mathcal{F}_H$ as a sub-routine. First, we need the following simple lemma.

Lemma 3.5 (Decision Trees as Disjoint Unions of Hypercubes). Let $S \subseteq \{0,1\}^\ell$ be recognized by a decision tree $T_S$ of size $p = p(\lambda)$. Then, $S$ is a disjoint union of at most $p$ hypercubes $H_{y_1}, \dots, H_{y_p}$, where each $y_i \in \{0,1,*\}^\ell$ and $H_{y_i} = \mathrm{Match}(y_i)$. Furthermore, given $T_S$, one can compute these hypercubes in polynomial time.

Given the lemma, Aggregate is simple: on input a set $S$ represented by a decision tree $T_S$, compute the disjoint hypercubes $H_{y_1}, \dots, H_{y_p}$. Run the hypercube aggregation algorithm to compute

$$g_i \leftarrow \mathrm{Aggregate}_{\mathcal{F}_H}(K, y_i)$$

and output $g := \prod_{i=1}^{p} g_i$.

Basing the construction on the hypercube-aggregate PRF scheme from Section 3.2, we get a decision tree-aggregate PRF based on the sub-exponential DDH assumption. The security of this PRF follows from Lemma 2.1 by an argument identical to the one in Section 3.2.
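Lemma 3.5 carried out in code, as an added example that is not part of the report: the tuple representation of trees, the function names and the sample tree are assumptions of this example. Each root-to-accepting-leaf path fixes exactly the variables tested on it, giving one pattern $y \in \{0,1,*\}^\ell$ per accepting leaf, and the decomposition is checked against the tree by enumerating $\{0,1\}^\ell$.

```python
"""Decision tree -> disjoint union of hypercubes (Lemma 3.5), added example.

A tree is nested tuples (a representation constructed for this example):
    ("leaf", 0 or 1)
    ("node", i, child_on_0, child_on_1)   internal node testing x_i, 1-indexed
A hypercube is a pattern y in {0, 1, '*'}^ell; Match(y) is the set of inputs
that agree with y on every fixed (non-'*') coordinate.
"""
from itertools import product


def evaluate_tree(tree, x):
    """Run the tree on the bit tuple x, following the edge labelled x_i at each node."""
    node = tree
    while node[0] == "node":
        node = node[3] if x[node[1] - 1] else node[2]
    return node[1]


def tree_to_hypercubes(tree, ell):
    """One pattern y per accepting leaf: the variables tested on the path are
    fixed to the edge labels taken, every other coordinate is '*'.  Two paths
    leave their last common node on different edges, so their patterns disagree
    on that node's variable and the hypercubes are disjoint.  One pattern per
    accepting leaf gives at most size(tree) hypercubes."""
    cubes = []

    def walk(node, fixed):
        if node[0] == "leaf":
            if node[1] == 1:
                cubes.append(tuple(fixed.get(i, "*") for i in range(1, ell + 1)))
            return
        i = node[1]
        if i in fixed:
            # x_i is already fixed on this path: only the matching branch is reachable
            walk(node[3] if fixed[i] == 1 else node[2], fixed)
            return
        walk(node[2], {**fixed, i: 0})
        walk(node[3], {**fixed, i: 1})

    walk(tree, {})
    return cubes


def match(y, x):
    """Match(y): x agrees with y on every coordinate that y does not leave free."""
    return all(c == "*" or c == b for c, b in zip(y, x))


def is_disjoint_cover(tree, ell):
    """True iff every x in {0,1}^ell lies in exactly one hypercube when the tree
    accepts it and in none when it rejects it, i.e. the union is disjoint and
    equals the set the tree recognises.  Exponential in ell; a check only."""
    cubes = tree_to_hypercubes(tree, ell)
    for x in product((0, 1), repeat=ell):
        hits = sum(1 for y in cubes if match(y, x))
        if hits != evaluate_tree(tree, x):
            return False
    return True


# Constructed sample tree over ell = 4 variables:
#   x1 = 0: accept iff x3 = 1;   x1 = 1: accept if x2 = 0, otherwise iff x4 = 1.
SAMPLE_TREE = ("node", 1,
               ("node", 3, ("leaf", 0), ("leaf", 1)),
               ("node", 2, ("leaf", 1), ("node", 4, ("leaf", 0), ("leaf", 1))))

if __name__ == "__main__":
    for y in tree_to_hypercubes(SAMPLE_TREE, 4):
        print("".join(str(c) for c in y))      # 0*1*, 10**, 11*1
    print(is_disjoint_cover(SAMPLE_TREE, 4))   # True
```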

3.4 Read-once formulas

Read-once Boolean formulas provide a different generalization of hypercubes, and they too admit an efficient aggregation algorithm for the Naor-Reingold PRF, with a similar security guarantee.

A Boolean formula on $\ell$ variables is a circuit on $x = (x_1, \dots, x_\ell) \in \{0,1\}^\ell$ composed of only AND, OR, and NOT gates. A read-once Boolean formula is a Boolean formula with fan-out 1, namely each input literal feeds into at most one gate, and each gate output feeds into at most one other gate.¹³ Let $\mathcal{R}_\lambda$ be the family of all read-once Boolean formulas over $\ell(\lambda)$ variables. Without loss of generality, we restrict these circuits to be in a standard form: namely, composed of fan-in 2 and fan-out 1 AND and OR gates, with any NOT gates occurring at the inputs.

In this form, the circuit for any read-once Boolean formula can be identified with a labelled binary tree; we identify a formula by the label of its root $C_\phi$. Nodes with zero children are variables or their negations, labelled by $x_i$ or $\bar{x}_i$, while all other nodes have 2 children and represent gates with fan-in 2. For such a node with label $C$, its children have labels $C_L$ and $C_R$. Note that each child is itself a read-once Boolean formula on fewer inputs, and their inputs are disjoint. Let the gate type of a node $C$ be $\mathrm{type}(C) \in \{\mathrm{AND}, \mathrm{OR}\}$.

We describe a recursive aggregation algorithm for computing products of PRF values over all accepting inputs for a given read-once Boolean formula $C_\phi$. Looking forward, we require the formula to be read-once in order for the recursion to be correct. The algorithm described reduces to that of Section 3.2 in the case where $\phi$ describes a hypercube.

3.4.1 Construction

The aggregation algorithm for read-once Boolean formulas takes as input the PRF key $K = (K_0, \dots, K_\ell)$ and a formula $C_\phi \in \mathcal{R}_\lambda$ where $C_\phi$ only reads the variables $x_1, \dots, x_m$ for some $m \le \ell$. We abuse notation and interpret $C_\phi$ to be a formula on both $\{0,1\}^\ell$ and $\{0,1\}^m$ in the natural way.

¹³ We allow a formula to ignore some input variables; this enables the model to express hypercubes directly.
$$\mathrm{AGG}_{K,\mathcal{R}}(C_\phi) = \prod_{x : C_\phi(x) = 1} g^{K_0 \prod_{i \in [\ell]} K_i^{x_i}} \qquad (1)$$

$$= g^{K_0 \sum_{x : C_\phi(x) = 1} \prod_{i \in [\ell]} K_i^{x_i}} \qquad (2)$$

$$= g^{K_0 \cdot A(C_\phi, 1) \cdot \prod_{m < i \le \ell} (1 + K_i)} \qquad (3)$$

where we define $A(C, 1) := \sum_{\{x \in \{0,1\}^m : C(x) = 1\}} \prod_{i \in [m]} K_i^{x_i}$. If $A(C, 1)$ is efficiently computable, then Aggregate will simply compute it and return (3). To this end, we provide a recursive procedure for computing $A(C, 1)$.

Generalizing the definition to any sub-formula $C$ with variables named $x_1$ to $x_m$, define the values $A(C, 0)$ and $A(C, 1)$:

$$A(C, b) := \sum_{\{x \in \{0,1\}^m : C(x) = b\}} \; \prod_{i \in [m]} K_i^{x_i}.$$

Recursively compute $A(C, b)$ as follows:

• If $C$ is a literal for variable $x_i$, then by definition (the accepting assignment of $x_i$ contributes $K_i$, that of $\bar{x}_i$ contributes $K_i^0 = 1$, and the rejecting assignment is the opposite one):

$$A(C, 1) = \begin{cases} K_i & \text{if } C = x_i \\ 1 & \text{if } C = \bar{x}_i \end{cases} \qquad A(C, 0) = \begin{cases} 1 & \text{if } C = x_i \\ K_i & \text{if } C = \bar{x}_i \end{cases}$$

• Else, if $\mathrm{type}(C) = \mathrm{AND}$: Let $C_L$ and $C_R$ be the children of $C$. By hypothesis, we can recursively compute $A(C_L, b)$ and $A(C_R, b)$ for $b \in \{0,1\}$. Compute $A(C, b)$ as:

$$A(C, 1) = A(C_L, 1) \cdot A(C_R, 1)$$

$$A(C, 0) = A(C_L, 0) \cdot A(C_R, 0) + A(C_L, 1) \cdot A(C_R, 0) + A(C_L, 0) \cdot A(C_R, 1)$$

• Else, $\mathrm{type}(C) = \mathrm{OR}$: Let $C_L$ and $C_R$ be the children of $C$. By hypothesis, we can recursively compute $A(C_L, b)$ and $A(C_R, b)$ for $b \in \{0,1\}$. Compute $A(C, b)$ as:

$$A(C, 1) = A(C_L, 1) \cdot A(C_R, 1) + A(C_L, 1) \cdot A(C_R, 0) + A(C_L, 0) \cdot A(C_R, 1)$$

$$A(C, 0) = A(C_L, 0) \cdot A(C_R, 0)$$

Lemma 3.6. $A(C, b)$ as computed above is equal to $\sum_{\{x \in \{0,1\}^m : C(x) = b\}} \prod_{i \in [m]} K_i^{x_i}$.

Proof. For $C$ a literal, the correctness is immediate. We must check the recursion for each $\mathrm{type}(C) \in \{\mathrm{AND}, \mathrm{OR}\}$ and $b \in \{0,1\}$. We only show the case for $b = 1$ when $C$ is an OR gate; the other three cases can be shown similarly.

Let $S_{b_L, b_R} = \{x = (x_L, x_R) : (C_L(x_L), C_R(x_R)) = (b_L, b_R)\}$ be the set of inputs $(x_L, x_R)$ to $C$ such that $C_L(x_L) = b_L$ and $C_R(x_R) = b_R$. The set $\{x : C(x) = 1\}$ can be decomposed into the disjoint union $S_{0,1} \cup S_{1,0} \cup S_{1,1}$. Furthermore,

$$A(C, 1) = \sum_{x \in S_{0,1}} \prod_{i \in [m]} K_i^{x_i} + \sum_{x \in S_{1,0}} \prod_{i \in [m]} K_i^{x_i} + \sum_{x \in S_{1,1}} \prod_{i \in [m]} K_i^{x_i}.$$

Because $C$ is read-once, the sets of inputs on which $C_L$ and $C_R$ depend are disjoint; this implies that $A(C_L, b_L) \cdot A(C_R, b_R) = \sum_{x \in S_{b_L, b_R}} \prod_{i \in [m]} K_i^{x_i}$, yielding the desired recursion. □
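The construction of Section 3.4.1 and the recursion of Lemma 3.6 as runnable code, added here as an example that is not part of the report: the toy group parameters, the tuple encoding of formulas, the function names and the sample formula are assumptions of this example. It computes Equation (3) through the $A(C, b)$ recursion and checks it against the brute-force product of Naor-Reingold values over all accepting inputs; it also goes slightly beyond the text by letting the formula leave any variables unread (each contributes its factor $1 + K_i$), not only the trailing ones $x_{m+1}, \dots, x_\ell$.

```python
"""Read-once formula aggregation for the Naor-Reingold PRF (Section 3.4), added example.

Toy group: the order-q subgroup of Z_p^* for the safe prime p = 2039, q = 1019,
chosen only so the brute-force check stays small; it is not a secure parameter.
Formulas are nested tuples (a representation constructed for this example):
    ("lit", i, negated)                   leaf reading x_i (1-indexed); negated is a bool
    ("and", C_L, C_R) / ("or", C_L, C_R)  fan-in-2 gates
"""
from itertools import product
import random

P = 2039           # safe prime p = 2q + 1 (toy size)
Q = (P - 1) // 2   # 1019, prime order of the quadratic-residue subgroup
G = 4              # 2^2 is a quadratic residue other than 1, so it has order Q


def keygen(ell, seed=0):
    """Naor-Reingold key (K_0, ..., K_ell), each K_i uniform in Z_q^* (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [rng.randrange(1, Q) for _ in range(ell + 1)]


def nr_prf(K, x):
    """F_K(x) = g^{K_0 * prod_{i in [ell]} K_i^{x_i}} for a bit tuple x of length ell."""
    e = K[0]
    for i, bit in enumerate(x, start=1):
        if bit:
            e = e * K[i] % Q
    return pow(G, e, P)


def variables(C):
    """Variables read by C, in order; raises ValueError if some variable is read twice."""
    if C[0] == "lit":
        return [C[1]]
    left, right = variables(C[1]), variables(C[2])
    if set(left) & set(right):
        raise ValueError("formula is not read-once")
    return left + right


def evaluate(C, x):
    if C[0] == "lit":
        v = bool(x[C[1] - 1])
        return (not v) if C[2] else v
    l, r = evaluate(C[1], x), evaluate(C[2], x)
    return (l and r) if C[0] == "and" else (l or r)


def A(C, b, K):
    """A(C, b) = sum over assignments x to the variables of C with C(x) = b of
    prod_i K_i^{x_i}, reduced mod q, via the recursion of Section 3.4.1."""
    if C[0] == "lit":
        i, neg = C[1], C[2]
        # C(x) = 1 means x_i = 1 for a positive literal (factor K_i) and x_i = 0
        # for a negated one (factor K_i^0 = 1); C(x) = 0 is the opposite.
        return (1 if neg else K[i]) if b == 1 else (K[i] if neg else 1)
    a1L, a0L = A(C[1], 1, K), A(C[1], 0, K)
    a1R, a0R = A(C[2], 1, K), A(C[2], 0, K)
    if C[0] == "and":
        one = a1L * a1R
        zero = a0L * a0R + a1L * a0R + a0L * a1R
    else:  # "or"
        one = a1L * a1R + a1L * a0R + a0L * a1R
        zero = a0L * a0R
    return (one if b == 1 else zero) % Q


def aggregate(K, C, ell):
    """Equation (3) without enumerating inputs: g^{K_0 * A(C,1) * prod_{i unread} (1 + K_i)}.
    Every variable in [ell] that C does not read takes both values, contributing
    the factor (1 + K_i); the text's case is the unread variables x_{m+1}..x_ell."""
    read = set(variables(C))          # also rejects formulas that are not read-once
    e = K[0] * A(C, 1, K) % Q
    for i in range(1, ell + 1):
        if i not in read:
            e = e * (1 + K[i]) % Q
    return pow(G, e, P)


def brute_force(K, C, ell):
    """Product of F_K(x) over every accepting x in {0,1}^ell (exponential; check only)."""
    acc = 1
    for x in product((0, 1), repeat=ell):
        if evaluate(C, x):
            acc = acc * nr_prf(K, x) % P
    return acc


# Constructed sample: (x1 AND NOT x2) OR (x3 AND x5) over ell = 6; x4 and x6 are unread.
SAMPLE = ("or",
          ("and", ("lit", 1, False), ("lit", 2, True)),
          ("and", ("lit", 3, False), ("lit", 5, False)))

if __name__ == "__main__":
    K = keygen(6)
    print(aggregate(K, SAMPLE, 6) == brute_force(K, SAMPLE, 6))   # True
```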
Theorem 3.7. Let $\epsilon > 0$ be a constant, choose the security parameter $\lambda = \omega(\ell^{1/\epsilon})$, and assume $(2^{\lambda^\epsilon}, 2^{-\lambda^\epsilon})$-hardness of the DDH assumption. Then, the collection of functions $\mathcal{F}_\lambda$ defined above is a secure aggregate PRF with respect to the subsets $\mathcal{R}_\lambda$ and the product aggregation function over the group $\mathbb{G}$.

Proof. Correctness is immediate from Lemma 3.6 and Equation (3). Security follows from the decisional Diffie-Hellman assumption in much the same way it did in the case of bit-fixing functions. □


4 Connection to Learning

4.1 Preliminaries

Notation: For a probability distribution $D$ over a set $X$, we write $x \leftarrow D$ to mean that $x$ is sampled according to $D$, and $x \leftarrow X$ to denote uniform sampling from $X$. For an algorithm $A$ and a function $O$, we denote that $A$ has oracle access to $O$ by $A^{O(\cdot)}$.

We recall the definition of a "concept class". In this section, we will often need to explicitly reason about the representations of the concept classes discussed. Therefore we make use of the notion of a "representation class" as defined by [KV94] alongside that of concept classes. This unified formalization enables us to discuss both the traditional learning models (namely, PAC and learning with membership queries) as well as the new models we present below. Our definitions are parametrized by $\lambda \in \mathbb{N}$.¹⁴

Definition 4.1 (Representation class [KV94]). Let $\mathcal{K} = \{K_\lambda\}_{\lambda \in \mathbb{N}}$ be a family of sets, where each $k \in K_\lambda$ has description in $\{0,1\}^{s_k(\lambda)}$ for some polynomial $s_k(\cdot)$. Let $\mathcal{X} = \{X_\lambda\}_{\lambda \in \mathbb{N}}$ be a set, where each $X_\lambda$ is called a domain and each $x \in X_\lambda$ has description in $\{0,1\}^{s_x(\lambda)}$ for some polynomial $s_x(\cdot)$. With each $\lambda$ and each $k \in K_\lambda$, we associate a Boolean function $f_k : X_\lambda \to \{0,1\}$.¹⁵ We call each such function $f_k$ a concept, and $k$ its index or its description. For each $\lambda$, we define the concept class $C_\lambda = \{f_k : k \in K_\lambda\}$ to be the set of all concepts with index in $K_\lambda$. We define the representation class $\mathcal{C} = \{C_\lambda\}$ to be the union of all concept classes $C_\lambda$.

This formalization allows us to easily associate complexity classes with concepts in learning theory. For example, to capture the set of all DNF formulas on $\lambda$ inputs with size at most $p(\lambda)$ for a polynomial $p$, we will let $X_\lambda = \{0,1\}^\lambda$, and $K_\lambda$ be the set of descriptions of all DNF formulas on $\lambda$ variables with size at most $p(\lambda)$ under some reasonable representation. Then a concept $f_k(x)$ evaluates the formula $k$ on input $x$. Finally, $\mathrm{DNF}^{p(\lambda)}_\lambda = \{f_k : k \in K_\lambda\}$ is the concept class, and $\mathrm{DNF}^{p} = \{\mathrm{DNF}^{p(\lambda)}_\lambda\}_{\lambda \in \mathbb{N}}$ is the representation class that computes all DNF formulas on $\lambda$ variables with description of size at most $p(\lambda)$ in the given representation.

As a final observation, note that a Boolean-valued PRF family $\mathcal{F} = \{F_\lambda\}$ where $F_\lambda = \{f_k : X_\lambda \to \{0,1\}\}$ with keyspace $\mathcal{K} = \{K_\lambda\}$ and domain $\mathcal{X} = \{X_\lambda\}$ satisfies the syntax of a representation class as defined above. This formalization is useful precisely because it captures both PRF families and complexity classes, enabling lower bounds in various learning models.

In proving lower bounds for learning representation classes, it will be convenient to have a notion of containment for two representation classes.

¹⁴ When clear from the context, we will omit the subscript $\lambda$.

¹⁵ This association is an efficient procedure for evaluating $f_k$. Concretely, we might consider that there is a universal circuit $F_\lambda$ such that for each $\lambda$, $f_k(\cdot) = F_\lambda(k, \cdot)$.
Definition 4.2 ($\subseteq$). For two representation classes $\mathcal{F} = \{F_\lambda\}$ and $\mathcal{G} = \{G_\lambda\}$ on the same domain $\mathcal{X} = \{X_\lambda\}$, and with indexing sets $\mathcal{I} = \{I_\lambda\}$ and $\mathcal{K} = \{K_\lambda\}$ respectively, we say $\mathcal{F} \subseteq \mathcal{G}$ if for all sufficiently large $\lambda$, for all $i \in I_\lambda$, there exists $k \in K_\lambda$ such that $g_k = f_i$.

Informally, if a representation class contains a PRF family, then this class is hard to MQ-learn (as in [Val84]). We apply similar reasoning to more powerful learning models. For example, if $\mathcal{G}$ is the representation class $\mathrm{DNF}^{p}$ as defined above, then $\mathcal{F} \subseteq \mathrm{DNF}^{p}$ is equivalent to saying that for all sufficiently large $\lambda$, the concept class $F_\lambda$ can be decided by a DNF on $\lambda$ inputs of size $p(\lambda)$.

We now recall some standard definitions.

Definition 4.3 ($\epsilon$-approximation). Let $f, h : X \to \{0,1\}$ be arbitrary functions. We say $h$ $\epsilon$-approximates $f$ if $\Pr_{x \leftarrow X}[h(x) \neq f(x)] \le \epsilon$.

In general, $\epsilon$-approximation is considered under a general distribution on $X$, but we will consider only the uniform distribution in this work.

Definition 4.4 (PAC learning). For a concept $f : X_\lambda \to \{0,1\}$, and a probability distribution $D_\lambda$ over $X_\lambda$, the example oracle $\mathrm{EX}(f, D_\lambda)$ takes no input and returns $(x, f(x))$ for $x \leftarrow D_\lambda$. An algorithm $A$ is an $(\epsilon, \delta)$-PAC learning algorithm for representation class $\mathcal{C}$ if for all sufficiently large $\lambda$, $\epsilon = \epsilon(\lambda) > 0$, $\delta = \delta(\lambda) > 0$ and $f \in C_\lambda$,

$$\Pr[A^{\mathrm{EX}(f, D_\lambda)} = h : h \text{ is an } \epsilon\text{-approximation to } f] \ge 1 - \delta.$$

Definition 4.5 (MQ learning). For a concept $f : X_\lambda \to \{0,1\}$, the membership oracle $\mathrm{MEM}(f)$ takes as input a point $x \in X_\lambda$ and returns $f(x)$. An algorithm $A$ is an $(\epsilon, \delta)$-MQ learning algorithm for representation class $\mathcal{C}$ if for all sufficiently large $\lambda$, $\epsilon = \epsilon(\lambda) > 0$, $\delta = \delta(\lambda) > 0$, and $f \in C_\lambda$,

$$\Pr[A^{\mathrm{MEM}(f)} = h : h \text{ is an } \epsilon\text{-approximation to } f] \ge 1 - \delta.$$

We consider only PAC learning with uniform examples, where $D_\lambda$ is the uniform distribution over $X_\lambda$. In this case, MQ is strictly stronger than PAC: everything that is PAC learnable is MQ learnable.

Observe that for any $f : X_\lambda \to \{0,1\}$, either $h(x) = 0$ or $h(x) = 1$ will $\frac{1}{2}$-approximate $f$. Furthermore, if $A$ is inefficient, $f$ may be learned exactly. For a learning algorithm to be non-trivial, we require that it is efficient in $\lambda$, and that it at least weakly learns $\mathcal{C}$.

Definition 4.6 (Efficient and weak learning).

• $A$ is said to be efficient if the time complexity of $A$ and $h$ are polynomial in $1/\epsilon$, $1/\delta$, and $\lambda$.

• $A$ is said to weakly learn $\mathcal{C}$ if there exist some polynomials $p_\epsilon(\lambda), p_\delta(\lambda)$ for which $\epsilon \le \frac{1}{2} - \frac{1}{p_\epsilon(\lambda)}$ and $\delta \le 1 - \frac{1}{p_\delta(\lambda)}$.

• We say a representation class is learnable if it is both efficiently and weakly learnable. Otherwise, it is hard to learn.

Lastly, we recall the efficiently recognizable ensembles of sets as defined in Section 2. We occasionally call such ensembles indexed, or succinct. Throughout this section, we require this property of our set ensembles $\mathcal{S}$. Both the $\mathrm{MQ}_{\mathrm{RA}}$ and AQ learning models that we present are defined with respect to $\mathcal{S} = \{S_\lambda\}$, an efficiently recognizable ensemble of subsets of the domain $X_\lambda$.
4.2 Membership queries with restriction access

In the PAC-with-Restriction-Access model of learning of Dvir et al. [DRWY12], a powerful generalization of PAC learning is studied: rather than receiving random examples of the form $(x, f(x))$ for the concept $f$, the learning algorithm receives a random "restriction" of $f$ - an implementation of the concept for a subset of the domain. Given this implementation of the restricted concept, the learning algorithm can both evaluate $f$ on many related inputs, and study the properties of the restricted implementation itself. We consider an even stronger setting: instead of receiving random restrictions, the learner can adaptively request any restriction from a specified class $\mathcal{S}$. We call this model membership queries with restriction access ($\mathrm{MQ}_{\mathrm{RA}}$).

As a concrete example to help motivate and understand the definitions, we consider DNF formulas. For a DNF formula $\phi$, a natural restriction might set the values of some of the variables. Consequently, some literals and clauses may have their values determined, yielding a simpler DNF formula $\phi_S$ which agrees with $\phi$ on this restricted domain. This is the 'restricted concept' that the learner receives.

This model is quite powerful; indeed, decision trees and DNFs are efficiently learnable in the PAC-with-restriction-access learning model, whereas neither is known to be learnable in the plain PAC model [DRWY12]. Might this access model be too powerful, or are there concepts that cannot be learned?

Looking forward, we will show that constrained PRFs correspond to hard-to-learn concepts in the $\mathrm{MQ}_{\mathrm{RA}}$ learning model. In the remainder, we will formally define the learning model, define constrained PRFs, and prove the main lower bound of this section.

4.2.1 $\mathrm{MQ}_{\mathrm{RA}}$ learning

While the original restriction access model only discusses restrictions fixing individual input bits for a circuit, we consider more general notions of restrictions.

Definition 4.7 (Restriction). For a concept $f : X_\lambda \to \{0,1\}$, a restriction $S \subseteq X_\lambda$ is a subset of the domain. The restricted concept $f|_S : S \to \{0,1\}$ is equal to $f$ on $S$.

While general restrictions can be studied, we consider the setting in which all restrictions $S$ are in a specified set of restrictions $\mathcal{S}$. For a DNF formula $\phi$, a restriction might be $S = \{x : x_1 = 1 \wedge x_4 = 0\}$. This restriction is contained in the set of 'bit-fixing' restrictions in which individual input bits are fixed. In fact, this class of restrictions is all that is considered in [DRWY12]; we generalize their model by allowing more general classes of restrictions.

In the previous example, a restricted DNF can be naturally represented as another DNF. More generally, we allow a learning algorithm to receive representations of restricted concepts. These representations are computed according to a Simplification Rule.¹⁶

Definition 4.8 (Simplification Rule). For each $\lambda$, let $C_\lambda = \{f_k : X_\lambda \to \{0,1\}\}_{k \in K_\lambda}$ be a concept class, $S_\lambda$ an efficiently recognizable ensemble of subsets of $X_\lambda$, and $S \in S_\lambda$ be a restriction. A simplification of $f_k \in C_\lambda$ according to $S$ is the description $k_S \in K_\lambda$ of a concept $f_{k_S}$ such that $f_{k_S} = f_k|_S$. A simplification rule for $\mathcal{C} = \{C_\lambda\}$ and $\mathcal{S} = \{S_\lambda\}$ is a mapping $\mathrm{Simp}_\lambda : (k, S) \mapsto k_S$ for all $k \in K_\lambda$, $S \in S_\lambda$.

¹⁶ Whereas a DNF with some fixed input bits is naturally represented by a smaller DNF, when considering general representation classes and general restrictions this is not always the case. Indeed, the simplification of $f$ according to $S$ may in fact be more complex. We use the term "Simplification Rule" for compatibility with [DRWY12].
In the PAC-learning with restriction access ($\mathrm{PAC}_{\mathrm{RA}}$) learning model considered in [DRWY12], the learner only receives random restrictions. Instead, we consider the setting where the learner can adaptively request any restriction from a specified class $\mathcal{S}$. This model - which we call membership queries learning with restriction access ($\mathrm{MQ}_{\mathrm{RA}}$) - is a strict generalization of $\mathrm{PAC}_{\mathrm{RA}}$ for efficiently samplable distributions over restrictions (including all the positive results in [DRWY12]). Further observe that this strictly generalizes the membership oracle of MQ learning if $\mathcal{S}$ is such that for each $x$, it is easy to find a restriction $S$ covering $x$.

In traditional learning models (PAC, MQ) it is trivial to output a hypothesis that $\frac{1}{2}$-approximates any concept $f$; a successful learning algorithm is required to learn substantially more than half of the concept. With restriction queries, the learning algorithm is explicitly given the power to compute $f$ on some fraction $\alpha$ of the domain. Consequently, outputting an $\epsilon \ge (1 - \alpha) \cdot \frac{1}{2}$-approximation to $f$ is trivial; we require a successful learning algorithm to do substantially better. This reasoning is reflected in the definition of weak $\mathrm{MQ}_{\mathrm{RA}}$ learning below.

Definition 4.9 (Membership queries with restriction access ($\mathrm{MQ}_{\mathrm{RA}}$)). In a given execution of an oracle algorithm $A$ with access to a restriction oracle Simp, let $X_S \subseteq X_\lambda$ be the union of all restrictions $S \in S_\lambda$ queried by $A$. $\mathcal{S}$ is an efficiently recognizable ensemble of subsets of the domain $X_\lambda$.

An algorithm $A$ is an $(\epsilon, \delta, \alpha)$-$\mathrm{MQ}_{\mathrm{RA}}$ learning algorithm for representation class $\mathcal{C}$ with respect to restrictions in $\mathcal{S}$ and simplification rule Simp if for all sufficiently large $\lambda$, for every $f_k \in C_\lambda$, $\Pr[A^{\mathrm{Simp}(k, \cdot)} = h] \ge 1 - \delta$ where $h$ is an $\epsilon$-approximation to $f$ - and furthermore - $|X_S| \le \alpha |X_\lambda|$.

$A$ is said to weakly $\mathrm{MQ}_{\mathrm{RA}}$-learn if $\alpha \le 1 - \frac{1}{p_\alpha}$, $\epsilon \le (1 - \alpha)\left(\frac{1}{2} - \frac{1}{p_\epsilon}\right)$ and $\delta \le 1 - \frac{1}{p_\delta}$ for some polynomials $p_\alpha, p_\epsilon, p_\delta$.

4.2.2 Constrained PRFs

We look to constrained pseudorandom functions for hard-to-learn concepts in the restriction access model. To support the extra power of the restriction access model, our PRFs will need to allow efficient evaluation on restrictions of the domain while maintaining some hardness on the remainder. Constrained PRFs [KPTZ13a, BGI14a, BW13a] provide just this power. For showing hardness of restriction access learning, the constrained keys will correspond to restricted concepts; the strong pseudorandomness property will give the hardness result.

Definition: Syntax. A family of functions $\mathcal{F} = \{F_\lambda : K_\lambda \times X_\lambda \to Y_\lambda\}$ is said to be constrained with respect to a set system $\mathcal{S}$ if it supports the following additional efficient algorithms:

• $\mathrm{Constrain}_\lambda(k, S)$: A randomized algorithm that, on input $(k, S) \in K_\lambda \times S_\lambda$, outputs a constrained key $k_S$. We denote by $\widehat{K}_\lambda = \mathrm{Support}(\mathrm{Constrain}(k, S))$ the set of all constrained keys.

• $\mathrm{Eval}_\lambda(k_S, x)$: A deterministic algorithm taking input $(k_S, x) \in \widehat{K}_\lambda \times X_\lambda$, and satisfying the following correctness guarantee for all $x \in S$:

$$\mathrm{Eval}(\mathrm{Constrain}(k, S), x) = F_\lambda(k, x).$$

Definition: Security Game.

• The challenger picks a random key $k \in K_\lambda$ and initializes two empty subsets of the domain: $C, V = \emptyset$. $C$ and $V$ are subsets of $X_\lambda$ which must satisfy the invariant that $C \cap V = \emptyset$. $C$ will keep track of the inputs $x \in X_\lambda$ to the Challenge oracle, and $V$ will be the union of all sets $S$ queried to Constrain plus all points $x \in X_\lambda$ queried to the Eval oracle.

• The challenger picks $b \in \{0,1\}$ to run $\mathrm{EXP}(b)$, and exposes the following three oracles to $A$:

$\mathrm{Eval}(x)$: On input $x \in X_\lambda$, outputs $F(k, x)$. $V \leftarrow V \cup \{x\}$.

$\mathrm{Constrain}(S)$: On input $S \in S_\lambda$, outputs $k_S$. $V \leftarrow V \cup S$.

$\mathrm{Challenge}(x)$: On input $x \in X_\lambda$, outputs:

$$\begin{cases} F(k, x) & \text{in } \mathrm{EXP}(0) \\ y \leftarrow Y_\lambda & \text{in } \mathrm{EXP}(1). \end{cases}$$

In $\mathrm{EXP}(1)$, the responses to Challenge are selected uniformly at random from the range, with the requirement that the responses be consistent for identical inputs $x$.

• The adversary queries the oracles subject to the requirement that $C \cap V = \emptyset$, and outputs a bit $b' \in \{0,1\}$.

Definition 4.10. The advantage is defined as $\mathrm{ADV}^{\mathrm{cPRF}}_{\mathcal{F}}(A) := \Pr[b' = b]$ in the above security game.

Definition 4.11 (Constrained PRF (cPRF)). A family of functions $\mathcal{F} = \{F_\lambda : K_\lambda \times X_\lambda \to Y_\lambda\}$ constrained with respect to $\mathcal{S}$ is a constrained PRF if for all probabilistic polynomial-time adversaries $A$, for all sufficiently large $\lambda$ and all polynomials $p(\cdot)$:

$$\mathrm{ADV}^{\mathrm{cPRF}}_{\mathcal{F}}(A) \le \frac{1}{2} + \frac{1}{p(\lambda)},$$

over the randomness of the challenger and $A$.

4.2.3 Hardness of restriction access learning

We will now prove that if a constrained PRF $\mathcal{F}$ with respect to set system $\mathcal{S}$ is computable in representation class $\mathcal{C}$, then $\mathcal{C}$ is hard to $\mathrm{MQ}_{\mathrm{RA}}$-learn with respect to $\mathcal{S}$ and some simplification rule.

Theorem 4.1. Let $\mathcal{F} = \{F_\lambda\}$ be a Boolean-valued constrained PRF (also interpreted as a representation class) with respect to sets $\mathcal{S}$ and key-space $\mathcal{K}$. Let $\mathrm{EVAL} = \{\mathrm{EVAL}_\lambda\}$ be a representation class where each $\mathrm{EVAL}_\lambda$ is defined as:

$$\mathrm{EVAL}_\lambda = \{g_{k_S}(\cdot) : g_{k_S}(x) = \mathrm{PRF.Eval}(k_S, x)\}.$$

Namely, each concept in the class $\mathrm{EVAL}_\lambda$ is indexed by $k_S \in \widehat{K}_\lambda$ and has $X_\lambda$ as its domain. For any representation class $\mathcal{C} = \{C_\lambda\}$ such that $\mathcal{F} \subseteq \mathcal{C}$ and $\mathrm{EVAL} \subseteq \mathcal{C}$, there exists a simplification rule Simp such that $\mathcal{C}$ is hard to $\mathrm{MQ}_{\mathrm{RA}}$-learn with respect to the set of restrictions $\mathcal{S}$ and the simplification rule Simp.

Existing constructions of constrained PRFs [BW13a] yield the following corollaries:
Corollary 4.2. Let $n = n(\lambda)$ be a polynomial, and assume that for the $(n+1)$-MDDH problem, every adversary running in time $\mathrm{poly}(\lambda)$ has advantage at most $\epsilon(\lambda)/2^n$. Then there is a simplification rule such that $\mathrm{NC}^1$ is hard to $\mathrm{MQ}_{\mathrm{RA}}$-learn with respect to restrictions in $\mathcal{HC}$.¹⁷

Corollary 4.3. Assuming the existence of one-way functions, there is a simplification rule such that $\mathrm{P/poly}$ is hard to $\mathrm{MQ}_{\mathrm{RA}}$-learn with respect to restrictions in $\mathcal{S}$.¹⁸

Remarks: The Simplification Rule here is really the crux of the issue. In our theorem, there exists a simplification rule under which we get a hardness result. This may seem somewhat artificial. On the other hand, this implies that the restriction-access learnability (whether PAC- or MQ-RA) of a concept class crucially depends on the simplification rule, as the trivial simplification rule $\mathrm{Simp}(k, S) = k$ admits a trivial learning algorithm in either setting. This work reinforces that the choice of simplification rule can affect the learnability of a given representation class. Positive results for restriction access learning that are independent of the representation would be interesting.

Proof of Theorem 4.1. We interpret $\mathcal{F} = \{F_\lambda\}$ as a representation class. For each $\lambda$, the concepts $f_k \in F_\lambda$ are indexed by $K_\lambda$ and have domain $X_\lambda$. Let $\mathrm{EVAL} = \{\mathrm{EVAL}_\lambda\}$ be a representation class defined as in the theorem statement. The indexing set for $\mathrm{EVAL}_\lambda$ is $\widehat{K}_\lambda$, the set of constrained keys $k_S$ for $k \in K_\lambda$, $S \in S_\lambda$.

Let $\mathcal{C} = \{C_\lambda\}$ be a representation class, with domain $X_\lambda$ and indexing set $I_\lambda$. For $i \in I_\lambda$, $c_i$ is a concept in $C_\lambda$.

By hypothesis, $\mathcal{F} \subseteq \mathcal{C}$: for sufficiently large $\lambda$, for all $k \in K_\lambda$ there exists $i \in I_\lambda$ such that $c_i = f_k$. Similarly, for all $k_S \in \widehat{K}_\lambda$ there exists $i \in I_\lambda$ such that $c_i = \mathrm{Eval}_\lambda(k_S, \cdot)$. For concreteness, let $M_\lambda$ be this map from $K_\lambda \cup \widehat{K}_\lambda$ to $I_\lambda$.¹⁹

We can now specify the simplification rule $\mathrm{Simp}_\lambda : I_\lambda \times S_\lambda \to I_\lambda$. Letting $M_\lambda(K_\lambda) \subseteq I_\lambda$ be the image of $K_\lambda$ under $M_\lambda$:

$$\mathrm{Simp}_\lambda(i, S) = \begin{cases} M_\lambda(\mathrm{Constrain}_\lambda(M_\lambda^{-1}(i), S)) & \text{if } i \in M_\lambda(K_\lambda) \\ i & \text{otherwise.} \end{cases}$$

For example, $i$ may be a circuit computing the PRF $f_k$ for some $k = M_\lambda^{-1}(i)$. The simplification computes the circuit corresponding to a constrained PRF key, if the starting circuit already computes a member of the PRF family $F_\lambda$.²⁰

Reduction: Suppose, for contradiction, that there exists such an efficient learning algorithm $A$ for $\mathcal{C}$ as in the statement of the theorem. We construct an algorithm $B$ breaking the constrained PRF security. In the PRF security game, $B$ is presented with the oracles $f_k(\cdot)$, $\mathrm{Constrain}_\lambda(k, \cdot)$, and $\mathrm{Challenge}_\lambda(\cdot)$, for some $k \leftarrow K_\lambda$. Run $A$, and answer queries $S \in S_\lambda$ to the restriction oracle by querying $\mathrm{Constrain}_\lambda(k, S)$, receiving $k_S$, and returning $M_\lambda(k_S)$. Once $A$ terminates, it outputs a hypothesis $h$. By assumption on $A$, with probability at least $1 - \delta \ge \frac{1}{p_\delta(\lambda)}$, the hypothesis $h$ is an $\epsilon$-approximation of $c_{M(k)} = f_k$ with $\epsilon \le (1 - \alpha)\left(\frac{1}{2} - \frac{1}{p_\epsilon(\lambda)}\right)$ and $\alpha \le 1 - \frac{1}{p_\alpha(\lambda)}$.

After receiving hypothesis $h$, $B$ estimates the probability $\Pr_{x \leftarrow X \setminus X_S}[h(x) = \mathrm{Challenge}_\lambda(x)]$. In $\mathrm{EXP}(0)$, this probability is at least $1 - \epsilon$ with probability at least $1 - \delta$; in $\mathrm{EXP}(1)$, it is exactly $1/2$.

¹⁷ As defined in Section 3.

¹⁸ As defined in Section 3.

¹⁹ This is a non-uniform reduction.

²⁰ Note that while the inverse map $M_\lambda^{-1}$ may be inefficient, in our reduction the concept in question is represented by a PRF key $k$. Thus $B$ must only compute the forward map $M_\lambda$.
To sample a uniform $x \in X \setminus X_S$, we simply take a uniform $x \leftarrow X$: with probability $1 - \alpha \ge 1/p_\alpha(\lambda)$, $x \in X \setminus X_S$. Thus, $B$ runs in expected polynomial time. If the estimate is close to $\epsilon$, guess $\mathrm{EXP}(0)$; otherwise, flip a fair coin $b' \in \{0,1\}$ and guess $\mathrm{EXP}(b')$. The advantage $\mathrm{ADV}^{\mathrm{cPRF}}_{\mathcal{F}}$ of $B$ in the PRF security game is at least $\frac{1}{3 p_\delta(\lambda)}$ for all sufficiently large $\lambda$ (see Analysis for details), directly violating the security of $\mathcal{F}$.

Analysis: Let $p_b = \Pr_{x \leftarrow X \setminus X_S}[h(x) = \mathrm{Challenge}_\lambda(x) \mid \mathrm{EXP}(b)]$ be the probability taken with respect to experiment $\mathrm{EXP}(b)$. In $\mathrm{EXP}(1)$, $\mathrm{Challenge}_\lambda$ is a uniformly random function. Thus, $p_1 = \frac{1}{2}$. With high probability, $B$ will output a random bit $b' \in \{0,1\}$, guessing correctly with probability $1/2$.

In $\mathrm{EXP}(0)$, $h$ is an $\epsilon$-approximation to $f_k$, and thus to $\mathrm{Challenge}_\lambda$, with probability at least $1 - \delta$. In this case, $p_0 \ge 1 - \epsilon \ge \frac{1}{2} + \frac{1}{p_\epsilon(\lambda)}$. By a Hoeffding bound, $B$ will guess $b' = 0$ with high probability by estimating $p_0$ using a number of samples that is only polynomial in $\lambda$ and $p_\epsilon(\lambda)$. On the other hand, if $h$ is not an $\epsilon$-approximation, $B$ will output $b' = 0$ with probability at least $1/2$.

Let $\mathrm{negl}(\lambda)$ be the error probability from the Hoeffding bound, which can be made exponentially small in $\lambda$. The success probability is $\Pr[b = b' \mid b = 0] \ge (1 - \delta)(1 - \mathrm{negl}(\lambda)) + \frac{\delta}{2}$, which, for $1 - \delta \ge \frac{1}{p_\delta(\lambda)}$, is at least $\frac{1}{2} + \frac{1}{3 p_\delta(\lambda)}$ for sufficiently large $\lambda$. Thus $B$ has a non-negligible advantage of $\frac{1}{3 p_\delta(\lambda)}$ in the constrained PRF security game. □

4.3 Learning with related concepts

The idea that some functions or concepts are related to one another is very natural. For a DNF formula, for instance, related concepts may include formulas where a clause has been added or formulas where the roles of two variables are swapped. For a decision tree, we could consider removing some accepting leaves and examining the resulting behavior. We might consider a circuit; related circuits might alter internal gates or fix the values of specific input or internal wires.

Formally, we consider indexed representation classes. As discussed in the preliminaries, general classes of functions are easily represented as an indexed family. For example, we may consider the bit representation of a function (say, a log-depth circuit) as an index into a whole class ($\mathrm{AC}^1$). This formalism enables the study of related concepts by instead considering concepts whose keys are related in some way. The related concept setting shares an important property with the restriction access setting: different representations of the same functions might have very different properties. Exploring the properties of different representations - and perhaps their RC learnability as defined below - is a direction for future work.

In our model of learning with related concepts, we allow the learner to query a membership oracle for the concept $f_k \in C_\lambda$ and also for some 'related' concepts $f_{\phi(k)} \in C_\lambda$ for some functions $\phi$. The related-concept deriving (RCD) function $\phi$ is restricted to be from a specified class $\Phi_\lambda$. For each $\phi \in \Phi_\lambda$, a learner can access the membership oracle for $f_{\phi(k)}$. For example: let $K_\lambda = \{0,1\}^\lambda$ and let

$$\Phi^{\oplus}_\lambda = \{\phi_\Delta : k \mapsto k \oplus \Delta\}_{\Delta \in \{0,1\}^\lambda} \qquad (4)$$

Definition 4.12 ($\Phi$-Related-Concept Learning Model). For $\mathcal{C}$ a representation class indexed by $\{K_\lambda\}$, let $\Phi = \{\Phi_\lambda\}$, with each $\Phi_\lambda = \{\phi : K_\lambda \to K_\lambda\}$ a set of functions on $K_\lambda$ containing the identity function $\mathrm{id}_\lambda$. The related-concept oracle $\mathrm{RC}_k$, on query $(\phi, x)$, responds with $f_{\phi(k)}(x)$, for all $\phi \in \Phi_\lambda$ and $x \in X_\lambda$.

An algorithm $A$ is an $(\epsilon, \delta)$-$\Phi$-RC learning algorithm for $\mathcal{C}$ if, for all sufficiently large $\lambda$, for every $k \in K_\lambda$, $\Pr[A^{\mathrm{RC}_k(\cdot, \cdot)} = h] \ge 1 - \delta$ where $h$ is an $\epsilon$-approximation to $f_k$.
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Studying  the  related-concept  learnability  of  standard  representation  classes  (ex:  DNFs  and 
decision  trees)  under  different  RCD  classes  <f>  is  an  interesting  direction  for  future  study. 

4.3.1 RKA PRFs

Again we look to pseudorandom functions for hard-to-learn concepts. To support the extra power of the related-concept model, our PRFs will need to maintain their pseudorandomness even when the PRF adversary has access to the function computed with related keys. Related-key secure PRFs [BC10, ABPP14] provide just this guarantee. As in the definition of RC learning, the security of related-key PRFs is given with respect to a class $\Phi$ of related-key deriving functions. As we describe in the remainder of the section, related-key secure PRFs prove hard to weakly $\Phi$-RC learn.

Definition: Security Game

Let $\Phi_\lambda \subseteq \mathrm{Fun}(K_\lambda, K_\lambda)$ be a subset of functions on $K_\lambda$. The set $\Phi = \{\Phi_\lambda\}$ is called the Related-Key Deriving (RKD) class and each function $\phi \in \Phi_\lambda$ is an RKD function.

• $C$ picks a random key $k \in K_\lambda$, a bit $b \in \{0,1\}$, and exposes the oracle according to $EXP(b)$:

$RKFn_\lambda(\phi, x)$: On input $(\phi, x) \in \Phi_\lambda \times X_\lambda$, outputs:

$$RKFn_\lambda(\phi, x) = \begin{cases} F(\phi(k), x) & \text{in } EXP(0) \\ y \leftarrow Y_\lambda & \text{in } EXP(1). \end{cases}$$

In $EXP(1)$, the responses to $RKFn_\lambda$ are selected uniformly at random from the range, with the requirement that the responses be consistent for identical inputs $(\phi, x)$.

• The adversary interacts with the oracle, and outputs a bit $b' \in \{0,1\}$.

Definition 4.13. The advantage is defined as $ADV^{\Phi\text{-rka}}_{\mathcal{F}}(A) := \Pr[b' = b]$ in the above security game.

Definition 4.14 ($\Phi$ Related-key attack PRF ($\Phi$-RKA-PRF)). Let $\mathcal{F} = \{F_\lambda : K_\lambda \times X_\lambda \to Y_\lambda\}$ be a family of functions and let $\Phi = \{\Phi_\lambda\}$ with each $\Phi_\lambda \subseteq \mathrm{Fun}(K_\lambda, K_\lambda)$ be a set of functions on $K_\lambda$. $\mathcal{F}$ is a $\Phi$ related-key attack PRF family if for all probabilistic polynomial-time adversaries $A$, for all sufficiently large $\lambda$ and all polynomials $p(\cdot)$:

$$ADV^{\Phi\text{-RKA}}_{\mathcal{F}}(A) < \frac{1}{2} + \frac{1}{p(\lambda)}$$

over the randomness of $C$ and $A$.

4.3.2 Hardness of related concept learning

In Appendix C, we present a concept that can be RC-learned under $\Phi^\oplus$ (Equation 4), but is hard to weakly learn with access to membership queries. We construct the concept $\mathcal{F}$ from a PRF $\mathcal{G}$ and a PRP $\mathcal{P}$. Informally, the construction works by hardcoding the PRF key in the function values under a related PRF key. With the appropriate related-concept access, a learner can learn the PRF key.

We now present a general theorem relating RKA-PRFs to hardness of RC learning. This connection yields hardness for a class $C$ with respect to restricted classes of relation functions $\Phi$. More general hardness results will require new techniques.

Theorem 4.4. Let $\mathcal{F}$ be a boolean-valued $\Phi$-RKA-PRF with respect to related-key deriving class $\Phi$ and key space $K$. For a representation class $C$, if $\mathcal{F} \subseteq C$, then there exists a related-concept deriving class $\Psi$ such that $C$ is hard to $\Psi$-RC learn.

As a corollary, we get a lower bound coming from the RKA-PRF literature. For a group $(G, +)$ and $K = G^m$, define the element-wise addition RKD functions as

$$\Phi^+ = \{\phi_\Delta : (k[1], \ldots, k[m]) \mapsto (k[1] + \Delta[1], \ldots, k[m] + \Delta[m])\}_{\Delta \in G^m} \qquad (5)$$

Notice that $\Phi^+$ directly generalizes $\Phi^\oplus$ with $G = \mathbb{Z}_2$. For this natural RKD function family, we are able to provide a strong lower bound based on the hardness of DDH and the existence of collision-resistant hash functions, using the RKA-PRF constructions from [ABPP14].

Corollary 4.5 (Negative Result from RKA-PRF). If the DDH assumption holds and collision-resistant hash functions exist, $NC^1$ is hard to $\Phi^+$-RC learn.

Proof of Theorem 4.4. We interpret $\mathcal{F} = \{\mathcal{F}_\lambda\}$ as a representation class. For each $\lambda$, the concepts $f_k \in \mathcal{F}_\lambda$ are indexed by $K_\lambda$ and have domain $X_\lambda$. Let $C = \{C_\lambda\}$ be a representation class, with domain $X_\lambda$ and indexing set $I_\lambda$. For $i \in I_\lambda$, $c_i$ is a concept in $C_\lambda$.

By hypothesis, $\mathcal{F} \subseteq C$: for sufficiently large $\lambda$, for all $k \in K_\lambda$ there exists $i \in I_\lambda$ such that $c_i = f_k$. For concreteness, let $M_\lambda$ be this map from $K_\lambda$ to $I_\lambda$.$^{21}$

$^{21}$ This is a non-uniform reduction in general, but in most cases the map $M$ is known. That is, $M_\lambda$ is the map that takes a key and outputs a circuit computing the function.

We can now specify the RCD class $\Psi_\lambda : I_\lambda \to I_\lambda$. Let $M_\lambda(K_\lambda) \subseteq I_\lambda$ be the image of $K_\lambda$ under $M_\lambda$. We define $\Psi_\lambda = \{\psi_\phi : \phi \in \Phi_\lambda\}$ by

$$\psi_\phi(i) = \begin{cases} M_\lambda \circ \phi \circ M_\lambda^{-1}(i) & \text{if } i \in M_\lambda(K_\lambda) \\ i & \text{otherwise.} \end{cases}$$

Reduction: Suppose, for contradiction, that there exists an efficient $\Psi$-RC learning algorithm $A$ for $C$ as in the statement of the theorem. We construct an algorithm $B$ breaking the $\Phi$-RKA-PRF security of $\mathcal{F}$. In the PRF security game, $B$ is presented with the oracle $RKFn(\cdot, \cdot)$; $A$ is presented with the oracle $RC(\cdot, \cdot)$. Run $A$, and answer queries $(\psi_\phi, x) \in \Psi_\lambda \times X_\lambda$ to $RC$ by querying $RKFn$ on $(\phi, x)$ and passing the response along to $A$. Let $X_A = \{x \in X_\lambda : A \text{ queried } (\psi, x) \text{ for some } \psi\}$. Once $A$ terminates, it outputs hypothesis $h$. In $EXP(0)$, $RKFn(\cdot, \cdot)$ responds according to $f_k$ for some $k \in K_\lambda$; in this case, $B$ simulates the RC oracle for the concept $c_{M(k)}$.

After receiving hypothesis $h$, $B$ estimates the probability $\Pr_{x \leftarrow X \setminus X_A}[h(x) = RKFn_\lambda(\mathrm{id}, x)]$. In $EXP(0)$, this probability is at least $1 - \varepsilon$ with probability at least $1 - \delta$; in $EXP(1)$, it is exactly $1/2$. To sample uniform $x \in X \setminus X_A$, we simply take a uniform $x \in X$: with high probability $x \in X \setminus X_A$. If the estimate is close to $\varepsilon$, guess $EXP(0)$; otherwise, flip a fair coin $b' \in \{0,1\}$ and guess $EXP(b')$. The advantage $ADV^{\Phi\text{-rka}}$ of $B$ in the PRF security game is at least $\frac{1}{3p_\delta(\lambda)}$ (see Analysis for details) for all sufficiently large $\lambda$, directly violating the security of $\mathcal{F}$.

Analysis: Let $p_b = \Pr_{x \in X \setminus X_A}[h(x) = RKFn(\mathrm{id}_\lambda, x) \mid EXP(b)]$ be the probability taken with respect to experiment $EXP(b)$. In $EXP(1)$, $RKFn$ is a uniformly random function. Thus, $p_1 = 1/2$. With high probability, $B$ will output a random bit $b' \in \{0,1\}$, guessing correctly with probability $1/2$.

In $EXP(0)$, $h$ is an $\varepsilon$-approximation to $RKFn(\mathrm{id}, \cdot)$ with probability at least $1 - \delta$. In this case, $p_0 \ge 1 - \varepsilon \ge \frac{1}{2} + \frac{1}{p_\varepsilon(\lambda)}$. By a Hoeffding bound, $B$ will guess $b' = 0$ with high probability by estimating $p$ using only polynomially many (in $\lambda$, $p_\varepsilon(\lambda)$) samples. On the other hand, if $h$ is not an $\varepsilon$-approximation, $B$ will guess $b' = 0$ with probability at least $1/2$.

Let $\mathrm{negl}(\lambda)$ be the error probability from the Hoeffding bound, which can be made exponentially small in $\lambda$. The success probability is $\Pr[b = b' \mid b = 0] \ge (1-\delta)(1-\mathrm{negl}(\lambda)) + \frac{\delta}{2}$, which, for $1 - \delta \ge 1/p_\delta(\lambda)$, is at least $\frac{1}{3p_\delta(\lambda)} + \frac{1}{2}$ for sufficiently large $\lambda$. Thus $B$ has a non-negligible advantage of $1/3p_\delta(\lambda)$ in the $\Phi$-RKA-PRF security game. □

Proof (of Corollary 4.5). For $n \in \mathbb{N}$ let $G = \langle g \rangle$ be a group of prime order $p = p(n)$, $X_n = \{0,1\}^{m(n)} \setminus \{0^{m(n)}\}$, $K_n = \mathbb{Z}_p^{m(n)}$, and define $F_k(x)$ as in Theorem 4.5 of [Abdalla] (). Let $\Phi^+$ be as above over $K$. □

4.4 Learning with Aggregate Queries

This computational learning model is inspired by our aggregate PRFs. Rather than being a natural model in its own right, this model further illustrates how cryptography and learning are in some senses duals. Here, we consider a new extension to the power of the learning algorithm. Whereas membership queries are of the form "What is the label of an example $x$?", we grant the learner the power to request the evaluation of simple functions on tuples of examples $(x_1, \ldots, x_k)$ such as "How many of $\{x_1, \ldots, x_k\}$ are in $C$?" or "Compute the product of the labels of $(x_1, \ldots, x_k)$." Clearly, if $k$ is polynomial then this will result in only a polynomial gain in the query complexity of a learning algorithm in the best case. Instead, we propose to study cases when $k$ may be super-polynomial, but the description of the tuples is succinct. For example, the learning algorithm might query the number of $x$'s in a large interval that are positive examples in the concept.

As with the restriction access and related concept models, and the aggregate PRFs we define in this work, the Aggregate Queries (AQ) learning model will be considered with restrictions to both the types of aggregate functions $\Gamma$ the learner can query, and the sets $S$ over which the learner may request these functions to be evaluated. We now present the AQ learning model informally:

Definition 4.15 ($(\Gamma, S)$-Aggregate Queries (AQ) Learning). Let $C$ be a representation class with domains $X = \{X_\lambda\}$, and $S = \{S_\lambda\}$ where each $S_\lambda$ is a collection of efficiently recognizable subsets of $X_\lambda$. Let $\Gamma : \{0,1\}^* \to V_\lambda$ be an aggregation function [as in def:]. Let $AGG^{\Gamma,S}_{f_k} = AGG_{f_k, S_\lambda, \Gamma_\lambda}$ be the aggregation oracle for $f_k \in C_\lambda$, for $S \in S_\lambda$ and $\Gamma$.

An algorithm $A$ is an $(\varepsilon, \delta)$-$(\Gamma, S)$-AQ learning algorithm for $C$ if, for all sufficiently large $\lambda$, for every $f_k \in C_\lambda$, $\Pr[A^{MEM_{f_k}(\cdot),\, AGG^{\Gamma,S}_{f_k}(\cdot)} = h] \ge 1 - \delta$ where $h$ is an $\varepsilon$-approximation to $f_k$.

4.4.1 Hardness of aggregate query learning

Theorem 4.6. Let $\mathcal{F}$ be a boolean-valued aggregate PRF with respect to set system $S = \{S_\lambda\}$ and accumulation function $\Gamma = \{\Gamma_\lambda\}$. For a representation class $C$, if $\mathcal{F} \subseteq C$, then $C$ is hard to $(\Gamma, S)$-AQ learn.

Looking back to our constructions of aggregate pseudorandom function families from the prequel, we have the following corollaries.

Corollary 4.7. The existence of one-way functions implies that $P/poly$ is hard to $(\Sigma, S_{[a,b]})$-AQ learn, with $S_{[a,b]}$ the set of sub-intervals of the domain as defined in Section 3.

Corollary 4.8. The DDH Assumption implies that $NC^1$ is hard to $(\Pi, S_{[a,b]})$-AQ learn, with $S_{[a,b]}$ the set of sub-intervals of the domain as defined in Section 3.

Corollary 4.9. The subexponential DDH Assumption implies that $NC^1$ is hard to $(\Pi, \mathcal{R})$-AQ learn, with $\mathcal{R}$ the set of read-once boolean formulas defined in Section 3.

Proof of Theorem 4.6. Interpreting $\mathcal{F}$ itself as a concept class, we will show an efficient reduction from violating the pseudorandomness property of $\mathcal{F}$ to weakly $(\Gamma, S)$-AQ learning $\mathcal{F}$. By assumption, $\mathcal{F} \subseteq C$, implying that $C$ is hard to learn as well.

Reduction: Suppose for contradiction that there exists an efficient weak learning algorithm $A$ for $\mathcal{F}$. We define algorithm $B$ violating the aggregate PRF security of $\mathcal{F}$. In the PRF security game, $B$ is presented with two oracles: $F(\cdot)$ and $AGG_F$ for a function $F$ chosen according to the secret bit $b \in \{0,1\}$. In $EXP(0)$, $F = f_k$ for random $k \in K_\lambda$; by assumption, $f_k \in C_\lambda$. In $EXP(1)$, $F$ is a uniformly random function from $X$ to $\{0,1\}$. The learning algorithm $A$ is presented with precisely the same oracles. $B$ runs $A$, simulating its oracles by passing queries and responses to its own oracles. Let $X_A = \{x \in X_\lambda : A \text{ queried } x\}$. Once $A$ terminates, it outputs hypothesis $h$.

After receiving hypothesis $h$, $B$ estimates the probability

$$p = \Pr_{x \leftarrow X \setminus X_A}[h(x) = F(x)]$$

(using polynomially many, in $\lambda$ and $p_\varepsilon(\lambda)$, samples). In $EXP(0)$, this probability is at least $1 - \varepsilon$ with probability at least $1 - \delta$; in $EXP(1)$, it is exactly $1/2$. To sample uniform $x \in X \setminus X_A$, we simply take a uniform $x \in X$: with high probability $x \in X \setminus X_A$. If the estimate is close to $\varepsilon$, guess $EXP(0)$; otherwise, flip a fair coin $b' \in \{0,1\}$ and guess $EXP(b')$. The advantage $ADV^{\mathrm{PRF}}$ of $B$ in the PRF security game is at least $\frac{1}{3p_\delta(\lambda)}$ for all sufficiently large $\lambda$ (as shown below), directly violating the security of $\mathcal{F}$.

Let

$$p_b = \Pr_{x \in X \setminus X_A}[h(x) = F(x) \mid EXP(b)]$$

be the probability taken with respect to experiment $EXP(b)$. In $EXP(1)$, $F$ is a uniformly random function. Thus, $p_1 = 1/2$. With high probability, $B$ will output a random bit $b' \in \{0,1\}$, guessing correctly with probability $1/2$.

In $EXP(0)$, $h$ is an $\varepsilon$-approximation to $F$ with probability at least $1 - \delta$. In this case, $p_0 \ge 1 - \varepsilon \ge \frac{1}{2} + \frac{1}{p_\varepsilon(\lambda)}$. By a Hoeffding bound, $B$ will guess $b' = 0$ with high probability by estimating $p$ using only polynomially many (in $\lambda$, $p_\varepsilon(\lambda)$) samples. On the other hand, if $h$ is not an $\varepsilon$-approximation, $B$ will guess $b' = 0$ with probability at least $1/2$.

Let $\mathrm{negl}(\lambda)$ be the error probability from the Hoeffding bound, which can be made exponentially small in $\lambda$. The success probability is:

$$\Pr[b = b' \mid b = 0] \ge (1 - \delta)(1 - \mathrm{negl}(\lambda)) + \frac{\delta}{2}$$

which, for $1 - \delta \ge 1/p_\delta(\lambda)$, is at least $\frac{1}{3p_\delta(\lambda)} + \frac{1}{2}$ for sufficiently large $\lambda$. Thus $B$ has a non-negligible advantage of $1/3p_\delta(\lambda)$ in the $(\Gamma, S)$-aggregate-PRF security game. □
A Simple Positive Results

In the following, we present examples of concept classes separating the Related Concept and Aggregate Query learning models from learning with Membership Queries. We emphasize that the learnability of many traditional concept classes in these models has not been studied, and more general positive results may exist. In order to exhibit separations, we present generic, contrived constructions from simple cryptographic primitives. In each case, an MQ learner cannot succeed better than a trivial algorithm, while the stronger model manages to exactly and properly learn the function.

A.1 Related-concept

While some existing pseudorandom functions are known to suffer from related-key attacks [BK03], these vulnerabilities do not seem directly useful for a proper learning algorithm. Instead we construct a family of PRFs for which the secret key can be recovered under related-key attacks.

We demonstrate a concept that can be RC-learned under the (additive) RKD class $\Phi^\oplus$ defined below, but is hard to weakly learn with access to membership queries. We construct the concept $\mathcal{F}$ from a PRF $\mathcal{G}$ and a PRP $\mathcal{P}$. Informally, the construction works by hardcoding the PRF key in the function values under a related PRF key. With the appropriate related-key access, a learner can learn the PRF key.

Let $\mathcal{G} = \{g_k : \mathbb{Z}_{2^\lambda} \to \{0,1\}\}_{k \in K}$ be a PRF with keyspace $K = \{0,1\}^\lambda$ and let $\mathcal{P} = \{\pi : K \to K\}$ be a pseudorandom permutation family on $K$. For each $g_k \in \mathcal{G}_\lambda$ and $\pi \in \mathcal{P}$, we define the following function:

$$F_{k,\pi}(x) = \begin{cases} x\text{th bit of } (\pi(k) \oplus k) & \text{if } x \in [0, \lambda - 1] \\ (x - \lambda)\text{th bit of } \pi^{-1}(k) & \text{if } x \in [\lambda, 2\lambda - 1] \\ g_k(x) & \text{otherwise} \end{cases}$$

Let $\mathcal{F} = \{F_{k,\pi} : k \in K, \pi \in \mathcal{P}\}$. We interpret $\mathcal{F}$ as a keyed concept with elements indexed by pairs $(k, \pi)$.

We need to choose an RKD class $\Phi$ that will enable recovery of the PRF key $k$ by accessing the PRF for key $\pi(k) \oplus k$. We choose $\Phi = \Phi^\oplus$ from Section 4.3.1:

$$\Phi^\oplus = \{\phi_\Delta : k \mapsto k \oplus \Delta\}_{\Delta \in K}$$

Note that in that section, we prove a negative result for a strictly stronger RC adversary, but with a different concept class.

Theorem A.1 (Separating RC and MQ). The keyed concept $\mathcal{F}$ defined above can be (efficiently) exactly $\Phi^\oplus$-RC-learned, but is hard to even weakly MQ learn efficiently.

Proof. Let $F_{k,\pi} \in \mathcal{F}_\lambda$.

$\Phi^\oplus$-RC Learning: Let $RC_{k,\pi}$ be the related-concept oracle, taking queries $(\phi, x) \in \Phi^\oplus \times \mathbb{Z}_{2^\lambda}$ and returning $F_{\phi(k),\pi}(x)$. Define $\Delta \in K$ such that $\Delta[i] = F_{k,\pi}(i)$ for all $i \in [\lambda - 1]$; compute the $i$th bit by querying the oracle at $(\mathrm{id}, i)$, where $\mathrm{id} = \phi_{0^\lambda}$ is the identity function. By construction, $k \oplus \Delta = \pi(k)$. Let $k' \in K$ such that $k'[i] = F_{\phi_\Delta(k),\pi}(i + \lambda)$ for all $i \in [\lambda - 1]$; we find bit $k'[i]$ by querying $(\phi_\Delta, i + \lambda)$. By construction, $k' = \pi^{-1}(\pi(k)) = k$. Given the PRF key $k$, we may compute $F_{k,\pi}$ on all inputs in $X \setminus [2\lambda - 1]$; simply querying those remaining points yields an exact characterization of $F_{k,\pi}$.

MQ Learning: (Informally) Given a weakly-MQ learning algorithm $A$ for $\mathcal{F}$, an algorithm $B$ violating the security of the pseudorandom function can be constructed. By assumption, $A$ is an $(\varepsilon, \delta)$-MQ learning algorithm with $\varepsilon$ and $1 - \delta$ both non-negligible in $\lambda$. First, observe that $A$ is an $(\varepsilon', \delta')$-MQ-learning algorithm for the following concept class, indexed by $k \in K$ and uniformly random $r_1 \in \{0,1\}^\lambda$, with $\varepsilon' \ge \varepsilon - \mathrm{negl}(\lambda)$ and $\delta' \ge \delta - \mathrm{negl}(\lambda)$:

$$F_{k,r_1}(x) = \begin{cases} x\text{th bit of } r_1 & \text{if } x \in [0, \lambda - 1] \\ (x - \lambda)\text{th bit of } \pi^{-1}(k) & \text{if } x \in [\lambda, 2\lambda - 1] \\ g_k(x) & \text{otherwise} \end{cases}$$

Otherwise, the quality of the hypothesis output by $A$ would be noticeably different for random functions $F_{k,\pi}$ and $F_{k,r_1}$. By the security of the pseudorandom permutation, $\pi(k) \oplus k$ should be indistinguishable from uniformly random $r_1$; this difference could be used to violate the security of the pseudorandom permutation $\pi$.

A similar argument will show that $A$ is an $(\varepsilon'', \delta'')$-MQ-learning algorithm for the following concept class, indexed by $k \in K$ and $r_1, r_2 \in \{0,1\}^\lambda$, with $\varepsilon'' \ge \varepsilon' - \mathrm{negl}(\lambda)$ and $\delta'' \ge \delta' - \mathrm{negl}(\lambda)$:

$$F_{k,r_1,r_2}(x) = \begin{cases} x\text{th bit of } r_1 & \text{if } x \in [0, \lambda - 1] \\ (x - \lambda)\text{th bit of } r_2 & \text{if } x \in [\lambda, 2\lambda - 1] \\ g_k(x) & \text{otherwise} \end{cases}$$

Furthermore, weak learning of this concept requires weak learning of this concept even when rest<br>ricting the domain to require $x \notin [0, 2\lambda - 1]$.

This last oracle can be simulated by $B$ with only oracle access to a random PRF $g_k \in \mathcal{G}_\lambda$. That this concept is weakly learnable violates the security of the PRF $\mathcal{G}$ in the usual way. □
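The $\Phi^\oplus$-RC learner from the proof above, as an added runnable example that is not part of the report: $\lambda = 16$ is a toy size, the PRF $g_k$ is HMAC-SHA256 truncated to one bit, and the PRP $\pi$ is a four-round Feistel network under a fixed constructed key (invertible, but not claimed secure). The oracle $RC_{k,\pi}$, the function $F_{k,\pi}$ and the three rounds of queries are otherwise as in Appendix A.1 and Definition 4.12.

```python
import hashlib
import hmac

LAMBDA = 16              # toy key length in bits (constructed; the report's λ is a security parameter)
HALF = LAMBDA // 2
MASK = (1 << HALF) - 1
PI_KEY = b"constructed-permutation-key"   # fixed key of the toy PRP π (constructed assumption)


def prf_g(k: int, x: int) -> int:
    """g_k(x) ∈ {0,1}: one HMAC-SHA256 output bit, standing in for the PRF family G."""
    mac = hmac.new(k.to_bytes(LAMBDA // 8, "big"), x.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[0] & 1


def _round(i: int, half: int) -> int:
    """Feistel round function: HALF pseudorandom bits from HMAC-SHA256 under PI_KEY."""
    tag = hmac.new(PI_KEY, bytes([i]) + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") & MASK


def pi_forward(k: int) -> int:
    """Toy PRP π on K = {0,1}^λ: a 4-round balanced Feistel network (invertible; not secure)."""
    l, r = k >> HALF, k & MASK
    for i in range(4):
        l, r = r, l ^ _round(i, r)
    return (l << HALF) | r


def pi_inverse(y: int) -> int:
    """π^{-1}: run the Feistel rounds backwards."""
    l, r = y >> HALF, y & MASK
    for i in reversed(range(4)):
        l, r = r ^ _round(i, l), l
    return (l << HALF) | r


def bit(v: int, i: int) -> int:
    return (v >> i) & 1


def F(k: int, x: int) -> int:
    """F_{k,π}(x) of Appendix A.1 (π fixed): bits of π(k)⊕k on [0,λ-1], bits of π^{-1}(k) on
    [λ,2λ-1], and the PRF g_k everywhere else."""
    if 0 <= x < LAMBDA:
        return bit(pi_forward(k) ^ k, x)
    if LAMBDA <= x < 2 * LAMBDA:
        return bit(pi_inverse(k), x - LAMBDA)
    return prf_g(k, x)


class RCOracle:
    """Related-concept oracle RC_{k,π} for Φ^⊕ (Equation (4)): the query (Δ, x) is answered with
    F_{φ_Δ(k),π}(x) = F_{k⊕Δ,π}(x). Δ = 0 is the identity function."""

    def __init__(self, k: int) -> None:
        self._k = k
        self.queries = 0

    def query(self, delta: int, x: int) -> int:
        self.queries += 1
        return F(self._k ^ delta, x)


def rc_learn(oracle: RCOracle):
    """The Φ^⊕-RC learner of Theorem A.1: λ identity queries give Δ = π(k)⊕k, λ queries under
    φ_Δ give k, and λ more identity queries read off the only points k does not determine."""
    low = {}
    delta = 0
    for i in range(LAMBDA):
        low[i] = oracle.query(0, i)               # Δ[i] = F_{k,π}(i)
        delta |= low[i] << i
    # k ⊕ Δ = π(k); under the related key π(k), positions λ..2λ-1 spell out π^{-1}(π(k)) = k.
    k = 0
    for i in range(LAMBDA):
        k |= oracle.query(delta, i + LAMBDA) << i
    for x in range(LAMBDA, 2 * LAMBDA):            # bits of π^{-1}(k): not computable from k alone
        low[x] = oracle.query(0, x)

    def hypothesis(x: int) -> int:                # exact and proper: agrees with F_{k,π} everywhere
        return low[x] if x in low else prf_g(k, x)

    return k, hypothesis
```

Running `rc_learn(RCOracle(k))` recovers `k` with exactly $3\lambda$ oracle queries and never evaluates $\pi$ itself; a membership-query learner, which can only use $\Delta = 0$, sees nothing but the bits of $\pi(k)\oplus k$ and $\pi^{-1}(k)$ on the low $2\lambda$ points.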
A.2 Aggregate queries

We turn to a positive result for learning in the AQ model. Our starting point is the intuition that with aggregate queries, it is easy to distinguish a point function from an everywhere-zero function.

Formally, consider the case when $D = \mathbb{Z}_{2^\lambda}$, $R = \{0,1\}$, $\Gamma = \Sigma_2$ is summation modulo 2, and $S_{[a,b]} = \{[a, b] : a, b \in \mathbb{Z}_{2^\lambda};\ a \le b\}$ the set of intervals on $\mathbb{Z}_{2^\lambda}$. By AQ-learning with respect to summation over intervals, we mean $(\Sigma_2, S_{[a,b]})$-AQ learning. Let the concept class $\mathcal{D}_\lambda$ of point functions be defined:

$$\mathcal{D}_\lambda := \{\delta_y : y \in \mathbb{Z}_{2^\lambda}\}$$

where each $\delta_y$ is nonzero only at $y$.

Lemma A.2 (Point functions). The concept class of point functions $\mathcal{D}_\lambda$ is efficiently, exactly, and properly $(\Sigma_2, S_{[a,b]})$-AQ-learnable.

Proof. Observe that for $\delta_y \in \mathcal{D}_\lambda$ and interval $[a, b] \subseteq \mathbb{Z}_{2^\lambda}$: $AGG_{\Sigma_2, \delta_y}([a, b]) = 1 \iff y \in [a, b]$. This allows us to perform binary search over the domain and find $y$ with at most $\lambda$ queries to the $AGG_{\Sigma_2, \delta_y}(\cdot)$ oracle. □

But if we don't require exact learning, point functions are trivially learnable with no queries at all; indeed, the hypothesis $h(x) = 0$ agrees with $\delta_y(x)$ at all but a single point! But $\mathcal{D}_\lambda$ is not exactly MQ-learnable. More importantly, for two uniformly selected concepts $\delta_y, \delta_w \leftarrow \mathcal{D}_\lambda$, MQ cannot distinguish membership oracle access to $\delta_y$ and $\delta_w$. We will leverage this to construct a much stronger separation.

Let $\mathcal{G}_\lambda = \{g_k : \{0,1\}^{\lambda-1} \to \{0,1\}\}_{k \in \{0,1\}^{\lambda-1}}$ be a pseudorandom function family with $(\lambda - 1)$-bit keys $k$ and inputs $x$.

Functions in our concept class $f_k \in \mathcal{F}_\lambda$ will be indexed by a $(\lambda - 1)$-bit key, but take inputs from $\{0,1\}^\lambda$. On half the domain, $f_k$ behaves as the PRF $g_k$, while on the other half it behaves as the point function $\delta_k$. Letting $x[2 : \lambda] = (x[2], \ldots, x[\lambda])$:

$$f_k(x) = \begin{cases} \delta_k(x[2 : \lambda]) & \text{if } x[1] = 0 \\ g_k(x[2 : \lambda]) & \text{if } x[1] = 1 \end{cases}$$
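An added example (not the report's code) of Lemma A.2's binary search and of the exact AQ learner for $f_k$ that Theorem A.3 builds on it: $\lambda = 12$ is a toy size, HMAC-SHA256 stands in for the PRF family $\mathcal{G}_\lambda$, and the aggregate oracle simply sums over the interval rather than being an aggregate PRF (all constructed assumptions).

```python
import hashlib
import hmac
from typing import Callable

LAMBDA = 12                      # toy input length in bits (constructed; the report's λ is a parameter)
HALF_DOMAIN = 1 << (LAMBDA - 1)  # size of each half of {0,1}^λ; keys are (λ-1)-bit


def prf_g(k: int, x: int) -> int:
    """g_k(x) ∈ {0,1} for (λ-1)-bit key and input: one HMAC-SHA256 output bit (stand-in for G_λ)."""
    mac = hmac.new(k.to_bytes(2, "big"), x.to_bytes(2, "big"), hashlib.sha256).digest()
    return mac[0] & 1


def point_fn(y: int, x: int) -> int:
    """δ_y(x): nonzero only at y."""
    return 1 if x == y else 0


def f_k(k: int, x: int) -> int:
    """f_k of Appendix A.2: x[1] (the top bit) selects δ_k or g_k on the remaining bits x[2:λ]."""
    top, rest = x >> (LAMBDA - 1), x & (HALF_DOMAIN - 1)
    return point_fn(k, rest) if top == 0 else prf_g(k, rest)


class AggOracle:
    """AGG_{Σ2,f}([a,b]) = Σ_{x∈[a,b]} f(x) mod 2. An aggregate PRF would answer this succinctly;
    this constructed toy sums over the interval directly, which is affordable at λ = 12."""

    def __init__(self, f: Callable[[int], int]) -> None:
        self._f = f
        self.queries = 0

    def interval_sum_mod2(self, a: int, b: int) -> int:
        self.queries += 1
        return sum(self._f(x) for x in range(a, b + 1)) & 1


def binary_search_point(oracle: AggOracle, lo: int, hi: int) -> int:
    """Lemma A.2: on a point function δ_y, the parity of [a,b] is 1 iff y ∈ [a,b], so halving the
    interval known to contain y finds it with ceil(log2(hi - lo + 1)) queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.interval_sum_mod2(lo, mid) == 1:
            hi = mid          # y lies in the left half
        else:
            lo = mid + 1      # y lies in the right half
    return lo


def aq_learn_fk(oracle: AggOracle):
    """Theorem A.3, first part: on the x[1]=0 half f_k is the point function δ_k, so binary search
    there recovers k exactly, and f_k is then uniquely specified by k (exact and proper learning)."""
    k = binary_search_point(oracle, 0, HALF_DOMAIN - 1)
    return k, (lambda x: f_k(k, x))
```

The learner never touches the PRF half of the domain: $\lambda - 1$ interval-parity queries on the $\delta_k$ half determine $k$, which is why membership queries, hitting the single nonzero point with probability at most $t(\lambda)/2^{\lambda-1}$, cannot match it.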


Theorem A.3 (Separating AQ from MQ). The concept class $\mathcal{F}$ is exactly and (properly) AQ-learnable with respect to summation over intervals. For any polynomials $p_\varepsilon(\lambda), p_\delta(\lambda)$, this concept class is hard to $(\varepsilon, \delta)$-MQ learn for $\varepsilon \le \frac{1}{4} - \frac{1}{p_\varepsilon(\lambda)}$ and $1 - \delta \ge \frac{1}{p_\delta(\lambda)}$.

Note that while it is easy to $(1/4, 1/4)$-MQ learn $C$ (for example, outputting the constant $0$ function), the theorem above claims that we cannot do appreciably better in $\varepsilon$ with non-negligible probability $1 - \delta$. This has the flavor of a 'hardness of weakly learning' theorem.

Proof. For $\lambda \in \mathbb{N}$, let $f_k \in \mathcal{F}_\lambda$. The first part of the theorem follows as a corollary to the previous lemma. After exactly learning $\delta_k$ by binary search, the function $f_k$ is uniquely specified by $k$.

For the second part, we reduce to the hardness of MQ learning the pseudorandom function $g_k$. Suppose for contradiction that there exists an algorithm $A$ that, when given access to an oracle $O = f_k(\cdot)$, with probability at least $1 - \delta$ outputs hypothesis $h : \{0,1\}^\lambda \to \{0,1\}$ with $\Pr_{x \leftarrow \{0,1\}^\lambda}[h(x) = f_k(x)] \ge \frac{3}{4} + \frac{1}{p_\varepsilon(\lambda)}$. We describe $B$, a weak MQ-learning algorithm for the concept $\mathcal{G} = \{g_k\}_{k \in K}$. Given access to oracles $O_\delta = \delta_k(\cdot)$ and $O_g = g_k(\cdot)$, $B$ can exactly simulate oracle access to $O$ and thus output hypothesis $h$ with the same distribution. But with only $t(\lambda)$-many queries for any polynomial $t$, the probability (over the random choice of $k$) of querying a non-zero point in $O_\delta$ is at most $t(\lambda)/2^{\lambda-1}$; thus, with high probability, all queries to $O_\delta$ will be zero. Therefore it is computationally infeasible to distinguish between the pair of oracles $(O_\delta, O_g)$ and $(O_0, O_g)$, where $O_0$ is the constant zero oracle.

If $B$ answers $A$'s oracle queries with $(O_0, O_g)$ instead of $(O_{\delta_k}, O_g)$, $A$ will successfully output $h$ which $\varepsilon'$-approximates $f_k$ with probability $1 - \delta'$. By the indistinguishability argument, $\varepsilon' \ge \varepsilon - \mathrm{negl}(\lambda) \ge \frac{\varepsilon}{2}$ and $1 - \delta' \ge 1 - \delta - \mathrm{negl}(\lambda) \ge \frac{1 - \delta}{2}$.

Let $h|_b$ be the restriction of $h$ to the set $\{x : x[1] = b\}$ for $b \in \{0,1\}$. Then

$$\Pr_x[h(x) = f_k(x)] = \frac{1}{2}\Big(\Pr_x[h|_0(x) = 0] + \Pr_x[h|_1(x) = g_k(x[2 : \lambda])]\Big) \ge \frac{3}{4} + \frac{1}{2p_\varepsilon}$$

$$\Rightarrow\ \Pr_x[h|_1(x) = g_k(x[2 : \lambda])] \ge \frac{1}{2} + \frac{1}{p_\varepsilon}.$$

Outputting $h|_1$, $B$ manages to weakly MQ learn the concept $\mathcal{G}_\lambda$. That this concept is weakly learnable violates the security of the PRF $\mathcal{G}$ in the usual way. □
Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions

Or: How to Secretly Embed a Circuit in Your PRF

Zvika Brakerski*   Vinod Vaikuntanathan†

Abstract

Boneh et al. (Crypto 13) and Banerjee and Peikert (Crypto 14) constructed pseudorandom functions (PRFs) from the Learning with Errors (LWE) assumption by embedding combinatorial objects, a path and a tree respectively, in instances of the LWE problem. In this work, we show how to generalize this approach to embed circuits, inspired by recent progress in the study of Attribute Based Encryption.

Embedding a universal circuit for some class of functions allows us to produce constrained keys for functions in this class, which gives us the first standard-lattice-assumption-based constrained PRF (CPRF) for general bounded-description bounded-depth functions, for arbitrary polynomial bounds on the description size and the depth. (A constrained key w.r.t. a circuit $C$ enables one to evaluate the PRF on all $x$ for which $C(x) = 1$, but reveals nothing on the PRF values at other points.) We rely on the LWE assumption and on the one-dimensional SIS (Short Integer Solution) assumption, which are both related to the worst-case hardness of general lattice problems. Previous constructions for similar function classes relied on such exotic assumptions as the existence of multilinear maps or secure program obfuscation. The main drawback of our construction is that it does not allow collusion (i.e. to provide more than a single constrained key to an adversary). Similarly to the aforementioned previous works, our PRF family is also key homomorphic.

Interestingly, our constrained keys are very short. Their length does not depend directly either on the size of the constraint circuit or on the input length. We are not aware of any prior construction achieving this property, even relying on strong assumptions such as indistinguishability obfuscation.

1 Introduction

A pseudorandom function family (PRF) [GGM86] is a finite set of functions $\{F_s : D \to R\}_s$, indexed by a seed (or key) $s$, such that for a random $s$, $F_s$ is efficiently computable given $s$, and is computationally indistinguishable from a random function from $D$ to $R$, given oracle access. Since the introduction of this concept, PRFs have been one of the most fundamental building blocks in cryptography. Many variants of PRFs with additional properties have been introduced and have found a plethora of applications in cryptography. In this work, we will focus on Constrained PRFs and Key-Homomorphic PRFs.

*Weizmann Institute of Science, Rehovot, Israel. Email: zvika.brakerski@weizmann.ac.il. Supported by ISF grant 468/14, and by an Alon Young Faculty Fellowship.

†MIT, Cambridge, MA, USA. Email: vinodv@csail.mit.edu. Research supported by DARPA Grant number FA8750-11-2-0225, Alfred P. Sloan Research Fellowship, NSF CAREER Award CNS-1350619, NSF Frontier Grant CNS-1414119, Microsoft Faculty Fellowship, and a Steven and Renee Finn Career Development Chair from MIT.
Constrained PRFs. Constrained PRFs (CPRFs) have been introduced simultaneously by Boneh and Waters [BW13], Kiayias et al. [KPTZ13] (as "Delegatable PRFs") and by Boyle, Goldwasser and Ivan [BGI14] (as "Functional PRFs"). Here an adversary is allowed to ask for a constrained key which should allow it to evaluate the PRF on a subset of the inputs, while revealing nothing about the values at other inputs. It has been shown [BW13, KPTZ13, BGI14] how to construct CPRFs for function classes of the form $x \in [i, j]$ (where the input is interpreted as an integer) based on any one-way function. This in particular allows for the "puncturing" technique of Sahai and Waters [SW14] that found many uses in the obfuscation literature. Further, [BW13] showed how to achieve more complicated function classes such as bit-fixing functions and even arbitrary circuits, but those require use of cryptographic multilinear maps. They also introduce a number of applications for such CPRFs, including broadcast encryption schemes and identity-based key exchange. Hofheinz et al. [HKKW14] show how to achieve adaptively secure CPRFs from indistinguishability obfuscation using a random oracle.

The original definition of CPRFs requires resilience to arbitrary collusion. Namely, constrained keys for $C_1$ and $C_2$ should give no more information than a constrained key for $C_1 \vee C_2$ and must not reveal anything about values where $C_1(x) = C_2(x) = \text{false}$. Many of the applications of CPRFs (e.g. for broadcast encryption and identity-based key exchange) rely on collusion resilience. Unfortunately, our construction in this work will not allow collusions, and therefore will not be useful for these applications. We hope that future works will be able to leverage our ideas into collusion-resilient CPRFs.

Key-Homomorphic PRFs. In key-homomorphic PRFs, there is a group structure associated with the set of keys, and it is required that for any input $x$ and keys $s, t$, $F_s(x) + F_t(x) = F_{s+t}(x)$. A construction in the random oracle model was given by Naor, Pinkas and Reingold [NPR99], and the first construction in the standard model was given by Boneh et al. [BLMR13] based on the Learning with Errors assumption (LWE), building on a (non key-homomorphic) lattice-based PRF of Banerjee, Peikert and Rosen [BPR12]. This was followed by an improved construction by Banerjee and Peikert [BP14] based on quantitatively better lattice assumptions. The LWE-based constructions achieved a slightly weaker notion, namely "almost" key-homomorphism, in which $\|(F_s(x) + F_t(x)) - F_{s+t}(x)\|$ is small, for an appropriately defined norm. This notion is sufficient for the known applications. Applications of key-homomorphic PRFs include distributed key distribution, symmetric proxy re-encryption, updatable encryption and PRFs secure against related-key attacks [NPR99, BLMR13, LMR14].

Our Results. We view the main contribution of this work as showing how to impose hidden semantics into the evaluation process of LWE-based PRFs. Namely, we allow multiple computation paths for computing $F_s(x)$, such that we can selectively block some of these paths based on logic described by a circuit. This is done by extending ideas from the ABE literature, and in particular the ABE scheme of Boneh et al. [BGG+14] (see more about this connection below).

It  is  particularly  interesting  that  previous  constructions  of  PRFs  [BLMR13,  BP14]  can  be 
viewed  as  a  special  case  of  our  framework,  but  ones  that  only  allow  a  single  computational  path. 
Our  work  therefore  highlights  that  the  techniques  used  for  constructing  PRFs  and  for  constructing 
ABE  are  special  cases  of  the  same  grand  schema.  This  could  hopefully  lead  to  new  insights  and 
constructions. 

We employ our methods towards presenting a family of (single key secure) constrained key-homomorphic PRFs based on worst-case general lattice assumptions. This is a first step in solving the open problem posed in [BW13] of achieving (collusion resilient) CPRFs from standard assumptions.

Our  construction  is  selectively  secure  in  the  constraint  query,  namely  the  adversary  needs  to 
decide  on  the  constraint  before  seeing  the  public  parameters,  but  is  adaptive  with  regards  to  PRF 
oracle  queries.  We  achieve  the  latter  without  “complexity  leveraging”,  contrary  to  [BW13],  and 
thus  we  do  not  require  sub-exponential  hardness  assumptions  as  they  do.  This  is  done  by  employing 
our  technique  of  embedding  semantics  into  the  evaluation  process  again.  In  particular,  we  embed 
the  semantics  of  an  admissible  hash  function,  introduced  by  Boneh  and  Boyen  [BB04]  into  the  PRF, 
which  allows  us  to  handle  adaptive  queries. 

Our proofs rely on two closely related hardness assumptions: the Learning with Errors (LWE) assumption, and the one-dimensional Short Integer Solution (1D-SIS) assumption. Both assumptions can be tied to the worst case hardness of general lattice problems such as GapSVP and SIVP, with similar parameters. LWE is sufficient for proving pseudorandomness in the absence of a constrained key. However, once the adversary is given a constrained key, the situation becomes more delicate. In particular, even showing correctness in this setting is not straightforward. (Correctness refers to the property that evaluation using the constrained key and using the actual seed result in the same output.) One can show unconditionally that the value computed using the constrained key is close (in norm) to the real value of the function but not that they are always equal. A similar issue comes up in the security proof (since the reduction “fabricates” oracle answers in a similar way to the constrained evaluation). Our solution is to use computational arguments. Namely to show that it is computationally intractable, under the 1D-SIS assumption, to come up with an input for which the constrained evaluation errs. Therefore even the correctness of our scheme relies on computational assumptions. We note that similar techniques can be used to strengthen the almost key-homomorphism property into computational key-homomorphism where it is computationally hard to find an input for which key homomorphism does not hold.

The following theorem presents the simplest application of our method; we explain how it can be extended below.

Theorem 1.1. Let $\mathcal{C}_{\ell,d}$ be the class of size-$\ell$ depth-$d$ circuits. Then for all polynomials $\ell, d$, there exists a $\mathcal{C}_{\ell,d}$-constrained (almost) key-homomorphic family of PRFs without collusion, based on the (appropriately parameterized) LWE and 1D-SIS assumptions (and hence on the worst-case hardness of appropriately parameterized GapSVP and SIVP problems).

Interestingly, we can go beyond bounded size circuits. In fact, we can support any function family with bounded length description, so long as there is a universal evaluator of depth $d$ that takes a function description and an input, and executes the function on the input. Namely, consider a sequence of universal circuits $\{U_k\}_{k \in \mathbb{N}}$, where $U_k : \{0,1\}^\ell \times \{0,1\}^k \to \{0,1\}$. This sequence defines a class of functions $\{0,1\}^* \to \{0,1\}$, where each function $F$ in the class is represented by a string $f \in \{0,1\}^\ell$, and for $x \in \{0,1\}^k$, it holds that $F(x) = U_k(f, x)$. We call such a function class $\ell$-uniform. We are only able to support $U_k$ whose depth is bounded by some a-priori polynomial in the security parameter $d$, however in some cases this is sufficient to support all $k$'s that are polynomial in the security parameter. The following theorem states our result with regards to such families.

Theorem 1.2. Let $\mathcal{C}_{\ell,d}$ be a class of $\ell$-uniform functions with depth-$d$ evaluator. Then for all polynomials $\ell, d$, there exists a $\mathcal{C}_{\ell,d}$-constrained (almost) key-homomorphic family of PRFs without collusion, based on the (appropriately parameterized) LWE and 1D-SIS assumptions (and hence on the worst case hardness of appropriately parameterized GapSVP, SIVP).

Lastly, we show that the bit-length of the constrained keys in our scheme can be reduced to $\mathrm{poly}(\lambda)$ for some fixed polynomial. Namely, completely independent of all of the parameters of the scheme. This is done by using an ABE scheme with short secret keys as a black box. In particular we resort to the same scheme, namely the ABE scheme of Boneh et al. [BGG+14], which inspired our constrained PRF construction. This is done by encrypting all of the “components” of the constrained key, and providing them in the public parameters of the construction. Then, the actual constrained key is an ABE secret key which only allows to decrypt the relevant components. We note that this short representation for constrained keys is not homomorphic (however the scheme is still almost key homomorphic with respect to the seed). A theorem statement follows.

Theorem 1.3. There exists a constrained PRF scheme with the same properties as in Theorem 1.2, and under the same hardness assumptions, where the constrained keys are of asymptotic bit-length $\mathrm{poly}(\lambda)$, for an a-priori fixed polynomial.

See  Section  2  for  an  extended  overview  of  the  construction. 

Relation to the ABE Construction of Boneh et al. [BGG+14]. Our techniques are greatly influenced by the aforementioned LWE-based ABE construction of Boneh et al. [BGG+14]. Recall that in ABE, messages are encrypted relative to attributes and decryption keys are drawn relative to functions. Decryption is possible only if the function $f$ of the decryption key accepts the attribute $x$ of the ciphertext. In order to decrypt a ciphertext, [BGG+14] first applies a public procedure that depends on $f, x$ on the ciphertext and then applies the decryption key on the resulting value. Their construction makes sure that for any $f$, encryptions with regards to all accepting $x$'s will derive a decryptable ciphertext (and all non-accepting $x$'s cannot be decrypted).

Our constrained key for a circuit $C$ is almost identical to an encryption of 0 with attribute $C$ in [BGG+14]. The randomness in the encryption roughly corresponds to the seed of the PRF. An application of the PRF on the constrained key includes applying the public procedure of the ABE on the ciphertext, with respect to the function $f = U$, the universal circuit for the function class to which $C$ belongs. However, there is the question of how to represent the input: We need to be able to evaluate $C$ on any possible input while preserving security. One of our main technical ideas is in showing that this is possible, and in fact can be achieved regardless of the input length. Combined with the framework from [BGG+14], we can guarantee that for all $x$, regardless of which $C$ was used to generate the “ciphertext”, the output of the public procedure will only depend on $x$ and not on $C$. The basic idea is therefore to use this value as the PRF value. This does not work as is (for example, it does not imply pseudorandomness for non-accepting $x$'s) and additional ideas are required.

As mentioned above, the PRFs of [BLMR13, BP14] that seem to stem from different ideas and have quite different proofs than [BGG+14] can be shown to be special cases of the above paradigm, except $f$ is taken to be an arbitrary formula (a multiplication tree). For details see Section 2.

The  novelty  in  our  approach  is  to  show  the  extra  power  that  is  obtained  from  generalizing  these 
two  approaches.  We  use  the  universal  circuit  as  a  way  to  embed  an  undisclosed  computation  into 
an  LWE  instance,  and  show  how  to  achieve  pseudorandomness  using  tools  such  as  admissible  hash 
functions  (which  are  also  embedded  into  an  LWE  instance). 
Relation with the Constrained PRF of Hofheinz et al. [HKKW14]. The work of [HKKW14] constructs adaptively secure collusion-resistant CPRFs, namely ones where the challenge $x^*$ need not be provided ahead of time. Their building blocks are “universal parameters” and adaptively secure ABE, which are used as black-box. Note that we achieve adaptive security w.r.t. the challenge (but not with respect to the constraint) while relying on techniques which are only known to imply selectively secure ABE. Further, whereas [HKKW14] use ABE only to implement access control and therefore need to rely on strong assumptions to implement the PRF so as to interface with the ABE, we use ABE techniques to achieve both pseudorandomness and access control. On the flip side, our construction is not collusion resistant, contrary to [HKKW14].

Open Problems. The main drawback of our CPRF is its vulnerability to collusion, which severely limits its applicability as a building block. It is an open problem to achieve bounded collusion resilience, even for two constrained keys instead of one and even at the cost of increasing the parameters. Any improvement on this front should be very interesting. Another avenue for research is trying to extend the construction so that there is no restriction on the constraint circuit size, similarly to the multilinear map based construction of [BW13]. Finally, it would also be interesting to apply this methodology of imposing semantics on a cryptographic computation to other primitives in order to allow more fine-grained access control.

2  Overview  of  Our  Construction 

We recall that the LWE assumption asserts that for a uniform vector $s$ and a matrix $A$ of appropriate dimensions (over $\mathbb{Z}_q$ for an appropriate $q$), it holds that $(A, s^T A + e^T)$ is indistinguishable from uniform, where $e$ is taken from an appropriate distribution over low norm vectors and referred to as the noise vector. In this outline we will ignore the generation of $e^T$ and its evolution during the computation process, and just denote it by noise (but of course care will need to be taken in the formal arguments).

The PRF of Banerjee and Peikert [BP14]. A high-level methodology for constructing PRFs, taken by [BLMR13, BP14] and also in this work, is to take $s$ as the seed, and to generate for each PRF input $x$, an LWE matrix $A_x$ such that the values $s^T A_x + \text{noise}$ for the different inputs $x$ are jointly indistinguishable from uniform. Note that almost key homomorphism follows naturally for any implementation of this template, up to the accumulation of noise. The noise issue is handled by taking the PRF value to be a properly scaled down and rounded version of the above, so that the effect of the noise is minimal (and its norm can be bounded below 1). This property is also inherited by our scheme.

As a starting point for deriving our construction, let us revisit the key-homomorphic PRF construction of [BP14]. Their PRF family was associated with a combinatorial object: a binary tree. Each node $v$ of the tree was associated with an LWE matrix $A_v$, where the PRF input $x$ determined the matrices for the leaves, and matrices for internal nodes are derived as follows. Given a node $v$ whose children are associated with $A_l, A_r$, they define $A_v = A_l \cdot G^{-1}(A_r)$. In this notation, $G^{-1}(\cdot)$ is the binary decomposition operator, which breaks each entry in the matrix into the bit vector of length $\log(q)$ of its binary representation. Note that $G^{-1}(\cdot)$ will always have small norm, and that the inverse operator $G$, representing binary composition, is linear so it can be represented by a matrix. Thus for all $A$ it holds that $G \cdot G^{-1}(A) = A$.


Going back to the PRF of [BP14], the derivation procedure described above allows to associate a matrix with the root of the tree, which depends only on the input $x$ (and on the topology of the tree which is fixed). We will use the root's matrix as our $A_x$. The proof hinges on the invariant that LWE instances will be multiplied on the right only by low-norm matrices (of the form $G^{-1}(\cdot)$), and therefore $s^T A_l G^{-1}(A_r) + \text{noise} \approx (s^T A_l + \text{noise}) G^{-1}(A_r)$, which allows to replace $(s^T A_l + \text{noise})$ with a new uniform vector and propagate to the right.

From Embedded Trees to Embedded Circuits. We show that the operation $A_v = A_l \cdot G^{-1}(A_r)$ is in fact a special case of a more general operation, inspired by the recent Attribute Based Encryption (ABE) construction of Boneh et al. [BGG+14]. We will associate a matrix $A_v$ as well as a binary value $x_v$ with each node, and pay special attention to the matrix $(A_v - x_v G)$. In particular, considering a node $v$ with children $l, r$, it holds that

$$(A_l - x_l G) \cdot G^{-1}(A_r) + (A_r - x_r G) \cdot x_l = A_l G^{-1}(A_r) - x_r x_l G .$$

This generalization associates the semantics of the multiplication operation with the syntactic definition $A_v = A_l G^{-1}(A_r)$, and it also maintains the invariant that the matrices $(A_l - x_l G)$ and $(A_r - x_r G)$ are only multiplied on the right by low norm elements, so that

$$s^T\Big((A_l - x_l G) \cdot G^{-1}(A_r) + (A_r - x_r G) \cdot x_l\Big) + \text{noise} \approx \Big(s^T(A_l - x_l G) + \text{noise}\Big) \cdot G^{-1}(A_r) + \Big(s^T(A_r - x_r G) + \text{noise}\Big) \cdot x_l ,$$

which will play an important role in the security proof. Put explicitly, if the evaluator holds $s^T(A_l - x_l G) + \text{noise}$ and $s^T(A_r - x_r G) + \text{noise}$, then it can compute $s^T(A_v - x_l \cdot x_r G) + \text{noise}$ (and we will obviously define $x_v = x_l \cdot x_r$).

This semantic relation can be extended beyond multiplication gates, and in particular NAND gates can be supported in a fairly similar manner. Furthermore, there is no need to stick to tree structure and one can support arbitrary DAGs, which naturally correspond to circuits. Extending the above postulate, if our DAG corresponds to a circuit $C$, then having $s^T(A_i - x_i G) + \text{noise}$, for all leaves (= inputs), allows to compute $s^T(A_x - C(x) G) + \text{noise}$. Recalling that the value of the PRF on input $x$ is $s^T A_x + \text{noise}$, the aforementioned information allows us to evaluate the PRF at points where $C(x) = 0$. It can also be shown that it is computationally hard to compute the value at points where $C(x) = 1$. We note that this process is practically identical to the public part of the decryption procedure in the [BGG+14] ABE (as we explained in Section 1). We also note that since [BP14] were trying to minimize the complexity of evaluating their PRF, it made no sense in their construction to consider DAGs which only increase the complexity. However, as we show here, there are benefits to embedding a computational process in the PRF evaluation.

Utilizing the Universal Circuit. The tools we describe so far indeed seem to get us closer to our goal of producing constrained keys, but we are still not quite there. What we showed is that for any circuit $C$, we can devise a PRF with a constrained key for $C$. Note that we use the negated definition to the one we used before, and allow to evaluate when $C(x) = 0$ and not when $C(x) = 1$. This will be our convention throughout this overview.

In order to reverse the order of quantifiers, we take $C$ to be the universal circuit $U(F, x)$, and the constrained keys will be of the form $s^T(A_i - f_i G) + \text{noise}$, where $f_i$ is the $i$th bit of the description of the constraint $F$, as well as values for the $x$ wires, which will be of the form $s^T(A_b - bG) + \text{noise}$, for both $b \in \{0,1\}$. These values will allow us to execute $F$ on any input $x$. Note that we can use the same matrices $A_0, A_1$ for all input wires, hence we don't need to commit to the input size when we provide the constrained key.¹ From this description it is obvious why our construction is not collusion resistant: Given two constrained keys for two non identical functions, there exists an $i$ such that the adversary gets both $s^T A_i + \text{noise}$ and $s^T(A_i - G) + \text{noise}$. Recovering $s^T$ from these values is straightforward and hence all security is lost. Note that for the input values, unlike the function description, we use two different matrices for 0 and 1: $A_0, A_1$, so a similar problem does not occur.

The Problem with Correctness, and a Computational Solution. We introduced two ways to compute the value of the PRF at $x$: One is to compute $A_x$ and use the seed $s^T$ to compute $s^T A_x + \text{noise}$, and the other is to use the constrained key to obtain $s^T(A_x - F(x) G) + \text{noise}$, which for $F(x) = 0$ gives $s^T A_x + \text{noise}$. The problem is that the noise value in these two methods could differ. It is possible to make the difference small by scaling down and rounding, but this is not going to suffice for our purposes (mostly because a similar problem comes up in the security proof). We solve this issue using the 1D-SIS assumption as follows. We first note that the evaluation using the constrained key is essentially evaluation of a linear function with small coefficients on the vectors constituting the constrained key (essentially they get multiplied by bits and by low norm matrices $G^{-1}(\cdot)$). Secondly, the only way for the two computation paths to not agree is if the value $s^T A_x$ is very close to an integer multiple of a number $p$ (which is part of the PRF description). Finally, we notice that by LWE, the vectors in the constrained key are indistinguishable from uniform and independent. Thus, if we encounter such $x$ for which correctness does not work, we can also find a short linear combination of random elements whose scaled down rounded value is close to an integer. In other words, given a uniform vector $v$ over $\mathbb{Z}_q$, we can find $z$ such that $\langle v, z \rangle / p$ is “close” to an integer. This is similar to solving a one-dimensional instance of the SIS problem, i.e. $\langle v, z \rangle = 0 \pmod p$. Indeed, one can show that the 1D-SIS problem is as hard as standard worst-case hard lattice problems via a reduction from [Reg04].

Pseudorandomness and Adaptive Security. Given a constrained key for $F$, one can compute $s^T(A_x - F(x) G) + \text{noise}$, and indeed if $F(x) = 1$ it is hard to compute $\mathrm{PRF}_s(x) = s^T A_x + \text{noise}$. However, we want to argue that this value is pseudorandom and furthermore that it remains pseudorandom after adaptive queries to the PRF. Namely, after the adversary sees as many values of the form $\mathrm{PRF}_s(x) = s^T A_x + \text{noise}$ as it wishes.

To achieve these goals, we add another feature to the PRF. We consider a new independent LWE matrix $D$, and define $\mathrm{PRF}_s(x) = s^T A_x \cdot G^{-1}(D) + \text{noise}$. First of all, we note that given the constrained key, we can still compute the PRF for values where $C(x) = 0$, by first computing $(s^T A_x + \text{noise})$ as before, and then multiplying by $G^{-1}(D)$, which has low norm. However, in general we have

$$\mathrm{PRF}_s(x) \approx \Big(s^T(A_x - F(x) G) + \text{noise}\Big) \cdot G^{-1}(D) + F(x)\Big(s^T D + \text{noise}\Big) ,$$

and it can be shown that for $F(x) = 1$, the second term randomizes the expression, by the LWE assumption.

¹ Recall that in [BLMR13, BP14] there are only two matrices altogether. This is sufficient here for the input wires for the same reason, but we need additional matrices to encode the constraint description.
This handles pseudorandomness for a single query, but not for the case of adaptive queries (since we can only use the pseudorandomness of $(s^T D + \text{noise})$ once). To handle adaptive queries we embed semantics into the matrix $D$ itself. Namely, $D = D_x$ will be derived by an application of the universal circuit to the input $x$ and an admissible hash function $h$. Admissible hash functions, introduced by Boneh and Boyen [BB04], allow (at a very high level) to partition the input space such that with noticeable probability all of the adaptive queries have value $h(x) = 0$, but the challenge query will have $h(x) = 1$. This means that in the proof of security, we can hold a constrained key for $h$, which will allow us to compute $(s^T D_x + \text{noise})$ for all the queries of the adversary, but leave the challenge query unpredictable (to make it pseudorandom, we will multiply in the end by another final $D'$). This concludes the security argument for adaptive queries.

Key-Homomorphism. As we mention above, key-homomorphism follows since we use the template $\mathrm{PRF}_s(x) = s^T A_x + \text{noise}$. We note that the existence of noise means that homomorphism may not be accurate and with some low probability $(\mathrm{PRF}_s(x) + \mathrm{PRF}_{s'}(x))$ will only be close to $\mathrm{PRF}_{s+s'}(x)$ and not identical. However this property is sufficient for many applications.

We point out that our constrained keys are a collection of elements of the form $(s^T A_i + \text{noise})$, and therefore the scheme is also homomorphic with respect to constrained keys, i.e. constrained keys for the same $F$ w.r.t. different keys $s, s'$ can be added to obtain a constrained key w.r.t. $s + s'$.

Reducing the Constrained Key Size. From the above, it follows that the constrained key contains $\ell + 2$ vectors, where $\ell$ is the bit length of a description of $F$ relative to the universal circuit for the function class. Note that this does not depend directly on the input size to the function. However, indirectly the depth of the universal circuit affects the modulus $q$ that needs to be used.

We show that we can remove the dependence on $\ell$ altogether using an ABE scheme with short secret keys, such as that of [BGG+14]. To do this, we notice that for each constraint function $F$, the adversary gets either $s^T A_i + \text{noise}$ or $s^T(A_i - G) + \text{noise}$, according to the value of the bit $f_i$. We can prepare for both options by encrypting both vectors using the ABE, each with its own attribute $(i, 0)$ and $(i, 1)$ respectively. All of these encryptions, for all $i$, will be placed in the public parameters. Then in order to provide a constrained key, we will provide an ABE secret key for the function that takes $(i, b)$ and returns 0 if and only if $f_i = b$. Given this key, the user can decrypt exactly those vectors that constitute its constrained key. Note that this function can be computed by a depth $O(\log(\ell)) = O(\log(\lambda))$ circuit, and thus the size of the secret key can be made asymptotically independent of all parameters except $\lambda$, e.g. by setting the parameters to support depth $\log^2(\lambda)$ circuits.


3  Preliminaries 

We first recall some background. For an integer modulus $q$, let $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$ denote the ring of integers modulo $q$. For an integer $p < q$, we define the modular “rounding” function

$$\lfloor \cdot \rceil_p : \mathbb{Z}_q \to \mathbb{Z}_p \quad \text{that maps} \quad x \mapsto \lfloor (p/q) \cdot x \rceil$$

and extend it coordinate-wise to matrices and vectors over $\mathbb{Z}_q$. We denote the elements of the standard basis by $u_1, u_2, \ldots$, where the dimension will be clear from the context.

We denote distributions (or random variables) that are computationally indistinguishable by $X \overset{c}{\approx} Y$. This refers to the standard notion of negligible distinguishing gap for any polynomial time distinguisher. Our reductions preserve the uniformity of the adversary, so by assuming the hardness of our assumption for uniform adversaries we get security for our construction against uniform adversaries, and likewise for non-uniform assumptions and adversaries.


The Gadget Matrix. Let $\ell = \lceil \log q \rceil$ and define the “gadget matrix” $G = g \otimes I_n \in \mathbb{Z}_q^{n \times n\ell}$ where

$$g = (1, 2, 4, \ldots, 2^{\ell-1}) \in \mathbb{Z}_q^{\ell} .$$

We will also refer to this gadget matrix as the “powers-of-two” matrix. We define the inverse function $G^{-1} : \mathbb{Z}_q^{n \times m} \to \{0,1\}^{n\ell \times m}$ which expands each entry $a \in \mathbb{Z}_q$ of the input matrix into a column of size $\ell$ consisting of the bit decomposition of $a$. We have the property that for any matrix $A \in \mathbb{Z}_q^{n \times m}$,

$$G \cdot G^{-1}(A) = A .$$


Norms for Vectors and Matrices. We will always use the infinity norm for vectors and matrices. Namely for a vector $x$, the norm $\|x\|$ is the maximal absolute value of an element in $x$. Similarly, for a matrix $A$, $\|A\|$ is the maximal absolute value of any of its entries. If $x$ is $n$-dimensional and $A$ is $n \times m$, then $\|x^T A\| \le n \cdot \|x\| \cdot \|A\|$. We remark that $L_1$ or $L_2$ norms can also be used and even achieve somewhat tighter parameters, but the proofs become more complicated.


3.1  Constrained  Pseudorandom  Function:  Definition 

In a constrained PRF family [BW13, BGI14, KPTZ13], one can compute a constrained PRF key $K_C$ corresponding to any Boolean circuit $C$. Given $K_C$, anyone can compute the PRF on inputs $x$ such that $C(x) = 0$. Furthermore, $K_C$ does not reveal any information about the PRF values at the other locations. Below we recall their definition, as given by [BW13].

Syntax. A constrained pseudo-random function (PRF) family is defined by a tuple of algorithms (KeyGen, Eval, Constrain, ConstrainEval) where:

• Key Generation $\mathrm{KeyGen}(1^\lambda, 1^{k_{in}}, 1^{k_{out}})$ is a PPT algorithm that takes as input the security parameter $\lambda$, an input length $k_{in}$ and an output length $k_{out}$, and outputs a PRF key $K$;

• Evaluation $\mathrm{Eval}(K, x)$ is a deterministic algorithm that takes as input a key $K$, a string $x \in \{0,1\}^{k_{in}}$ and outputs $y \in \{0,1\}^{k_{out}}$;

• Constrained Key Generation $\mathrm{Constrain}(K, C)$ is a ppt algorithm that takes as input a PRF key $K$, a circuit $C : \{0,1\}^{k_{in}} \to \{0,1\}$ and outputs a constrained key $K_C$;

• Constrained Evaluation $\mathrm{ConstrainEval}(K_C, x)$ is a deterministic algorithm that takes as input a constrained key $K_C$ and a string $x \in \{0,1\}^{k_{in}}$ and outputs either a string $y \in \{0,1\}^{k_{out}}$ or $\bot$.

We  define  the  notion  of  (single  key)  selective-function  security  for  constrained  PRFs. 

Definition 3.1. A family of PRFs (KeyGen, Eval, Constrain, ConstrainEval) is a single-key selective-function constrained PRF (henceforth, referred to simply as constrained PRF) if it satisfies the following properties:

• Functionality computationally preserved under constraining. For every ppt adversary $(A_0, A_1)$, consider an experiment where we choose $K \leftarrow \mathrm{KeyGen}(1^\lambda, 1^{k_{in}}, 1^{k_{out}})$, $(C, \sigma_0) \leftarrow A_0(1^\lambda)$, and $K_C \leftarrow \mathrm{Constrain}(K, C)$. Then:

$$\Pr\Big[ x^* \leftarrow A_1^{\mathrm{Eval}(K,\cdot)}(1^\lambda, K_C, \sigma_0) \;:\; C(x^*) = 0 \;\wedge\; \mathrm{Eval}(K, x^*) \ne \mathrm{ConstrainEval}(K_C, x^*) \Big]$$

is negligible in the security parameter, where $C, K, K_C$ are selected as described above.

In words, it is computationally hard to find an $x^*$ such that $C(x^*) = 0$, and yet the result of the constrained evaluation differs from the actual PRF evaluation.

• Pseudorandom at constrained points. For every ppt adversary $(A_0, A_1, A_2)$, consider an experiment where $K \leftarrow \mathrm{KeyGen}(1^\lambda, 1^{k_{in}}, 1^{k_{out}})$, $(C, \sigma_0) \leftarrow A_0(1^\lambda)$, and $K_C \leftarrow \mathrm{Constrain}(K, C)$. Then:

$$\Pr\left[ \begin{array}{l} b \leftarrow \{0,1\}; \\ (x^*, \sigma_1) \leftarrow A_1^{\mathrm{Eval}(K,\cdot)}(1^\lambda, K_C, \sigma_0); \\ \text{If } b = 0,\ y^* = \mathrm{Eval}(K, x^*), \\ \text{Else } y^* \leftarrow \{0,1\}^{k_{out}} \end{array} \;:\; C(x^*) = 1 \;\wedge\; A_2(y^*, \sigma_1) = b \right] \le \frac{1}{2} + \mathrm{negl}(\lambda)$$

The correctness and security properties could potentially be combined into one game, but we choose to present them as two distinct properties for the sake of clarity.


3.2  Learning  with  Errors 

The  Learning  with  Errors  (LWE)  problem  was  introduced  by  Regev  [Reg05]  as  a  generalization 
of  “learning  parity  with  noise”  [BFKL93,  Ale03].  We  now  define  the  decisional  version  of  LWE. 
(Unless  otherwise  stated,  we  will  treat  all  vectors  as  column  vectors  in  this  paper). 

Definition 3.2 (Decisional LWE (DLWE) [Reg05]). Let $\lambda$ be the security parameter, $n = n(\lambda)$, $m = m(\lambda)$, and $q = q(\lambda)$ be integers and $\chi = \chi(\lambda)$ a probability distribution over $\mathbb{Z}$. The $\mathsf{DLWE}_{n,q,\chi}$ problem states that for all $m = \mathrm{poly}(n)$, letting $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$, $\mathbf{s} \leftarrow \mathbb{Z}_q^n$, $\mathbf{e} \leftarrow \chi^m$, and $\mathbf{u} \leftarrow \mathbb{Z}_q^m$, the following distributions are computationally indistinguishable:

$$(\mathbf{A},\ \mathbf{s}^T \mathbf{A} + \mathbf{e}^T) \;\approx\; (\mathbf{A},\ \mathbf{u}^T)$$

There are known quantum (Regev [Reg05]) and classical (Peikert [Pei09]) reductions between $\mathsf{DLWE}_{n,q,\chi}$ and approximating short vector problems in lattices. Specifically, these reductions take $\chi$ to be a discrete Gaussian distribution $D_{\mathbb{Z}, \alpha q}$ for some $\alpha < 1$. We write $\mathsf{DLWE}_{n,q,\alpha}$ to indicate this instantiation. We now state a corollary of the results of [Reg05, Pei09, MM11, MP12]. These results also extend to additional forms of $q$ (see [MM11, MP12]).

Corollary 3.1 ([Reg05, Pei09, MM11, MP12]). Let $q = q(n) \in \mathbb{N}$ be either a prime power $q = p^r$, or a product of co-prime numbers $q = \prod q_i$ such that for all $i$, $q_i = \mathrm{poly}(n)$, and let $\alpha \ge \sqrt{n}/q$. If there is an efficient algorithm that solves the (average-case) $\mathsf{DLWE}_{n,q,\alpha}$ problem, then:

• There is an efficient quantum algorithm that solves $\mathsf{GapSVP}_{\tilde{O}(n/\alpha)}$ (and $\mathsf{SIVP}_{\tilde{O}(n/\alpha)}$) on any $n$-dimensional lattice.

• If in addition $q \ge \tilde{O}(2^{n/2})$, there is an efficient classical algorithm for $\mathsf{GapSVP}_{\tilde{O}(n/\alpha)}$ on any $n$-dimensional lattice.

Recall that $\mathsf{GapSVP}_\gamma$ is the (promise) problem of distinguishing, given a basis for a lattice and a parameter $d$, between the case where the lattice has a vector shorter than $d$, and the case where the lattice doesn't have any vector shorter than $\gamma \cdot d$. $\mathsf{SIVP}$ is the search problem of finding a set of "short" vectors. The best known algorithms for $\mathsf{GapSVP}_\gamma$ ([Sch87]) require at least $2^{\tilde{\Omega}(n/\log \gamma)}$ time. We refer the reader to [Reg05, Pei09] for more information.

In this work, we will only consider the case where $q \le 2^n$. Furthermore, the underlying security parameter $\lambda$ is assumed to be polynomially related to the dimension $n$.

3.3  One-Dimensional  Short  Integer  Solution  (SIS)  and  Variants 

We present a special case of the well known Short Integer Solution (SIS) problem [Ajt96].

Definition 3.3. The One-Dimensional Short Integer Solution problem, denoted $\mathsf{1D\text{-}SIS}_{q,m,t}$, is the following problem. Given a uniformly distributed vector $\mathbf{v} \leftarrow \mathbb{Z}_q^m$, find $\mathbf{z} \in \mathbb{Z}^m$ such that $\|\mathbf{z}\| \le t$ and also $\langle \mathbf{v}, \mathbf{z} \rangle \in [-t, t] + q\mathbb{Z}$.

For appropriately chosen moduli $q$, the $\mathsf{1D\text{-}SIS}_{q,m,t}$ problem is as hard as worst-case lattice problems. This follows from the techniques in the classical worst-case to average-case reduction of Ajtai [Ajt96]. We state below the version due to Regev [Reg04].

Corollary 3.2 (Section 4 in [Reg04] and Proposition 4.7 in [GPV07]). Let $n \in \mathbb{N}$ and $q = \prod_{i \in [n]} p_i$, where all $p_1 < p_2 < \cdots < p_n$ are co-prime. Let $m \ge c \cdot n \log q$ (for some universal constant $c$). Assuming that $p_1 \ge t \cdot \omega(\sqrt{mn \log n})$, the one-dimensional SIS problem $\mathsf{1D\text{-}SIS}_{q,m,t}$ is at least as hard as $\mathsf{SIVP}_{t \cdot \tilde{O}(\sqrt{mn})}$ and $\mathsf{GapSVP}_{t \cdot \tilde{O}(\sqrt{mn})}$.

Proof. The hardness of a closely related problem is established by combining the techniques in [Reg04, Section 4] and [GPV07, Proposition 4.7]: Given $\mathbf{a} \leftarrow \mathbb{Z}_q^{m+1}$, find $\mathbf{y}$ with $\|\mathbf{y}\| \le t$ such that $\langle \mathbf{a}, \mathbf{y} \rangle = 0 \pmod q$.

We now show how to convert an instance of this problem into an instance of 1D-SIS. Given an instance $\mathbf{a} \in \mathbb{Z}_q^{m+1}$, we consider the first component $a_1$. If this element is not a unit (i.e. invertible) in $\mathbb{Z}_q$, then the reduction aborts. Otherwise it defines $\mathbf{v} = a_1^{-1} \cdot [a_2, \ldots, a_{m+1}]$, which is uniformly distributed in $\mathbb{Z}_q^m$ since $a_2, \ldots, a_{m+1}$ are. Given a solution $\mathbf{z}$ for 1D-SIS on input $\mathbf{v}$, let $r \in [-t, t]$ be the integer with $\langle \mathbf{v}, \mathbf{z} \rangle = r \pmod q$ (such an $r$ exists by the definition of 1D-SIS), and define $\mathbf{y} = [-r, z_1, \ldots, z_m]$. Since $a_{i+1} = a_1 v_i$ for all $i \in [m]$, it is easy to verify that $\langle \mathbf{a}, \mathbf{y} \rangle = a_1 \cdot (-r + \langle \mathbf{v}, \mathbf{z} \rangle) = 0 \pmod q$. Further, by definition, $\|\mathbf{y}\| \le t$. □

Next, we define a related problem which will be useful for our reductions.

Definition 3.4. Let $q = p \cdot \prod_{i \in [n]} p_i$, where all $p_1 < p_2 < \cdots < p_n$ are co-prime and co-prime with $p$ as well. Further let $m \in \mathbb{N}$. The $\mathsf{1D\text{-}SIS\text{-}R}_{q,p,t,m}$ problem is the following: Given $\mathbf{v} \leftarrow \mathbb{Z}_q^m$, find $\mathbf{z} \in \mathbb{Z}^m$ with $\|\mathbf{z}\| \le t$ such that $\langle \mathbf{v}, \mathbf{z} \rangle \in [-t, t] + (q/p)\mathbb{Z}$.

The following corollary establishes the hardness of 1D-SIS-R based on 1D-SIS.

Corollary 3.3. Let $q, p, t, m$ be as in Definition 3.4. Then $\mathsf{1D\text{-}SIS\text{-}R}_{q,p,t,m}$ is at least as hard as $\mathsf{1D\text{-}SIS}_{q/p,m,t}$.

Proof. The reduction works in the obvious way: Given an input $\mathbf{v} \in \mathbb{Z}_{q/p}^m$ for $\mathsf{1D\text{-}SIS}_{q/p,m,t}$, we embed $\mathbf{v}$ in $\mathbf{v}' \in \mathbb{Z}_q^m$ using the CRT representation. Namely $\mathbf{v}' = \mathbf{v} \pmod{q/p}$ and $\mathbf{v}' = \mathbf{r} \pmod p$, where $\mathbf{r} \leftarrow \mathbb{Z}_p^m$ is uniform (so that $\mathbf{v}'$ is uniform in $\mathbb{Z}_q^m$, as the 1D-SIS-R solver expects). Then given a solution $\mathbf{z}$ for $\mathsf{1D\text{-}SIS\text{-}R}_{q,p,t,m}$ with input $\mathbf{v}'$, we claim that $\mathbf{z}$ is also a solution for $\mathsf{1D\text{-}SIS}_{q/p,m,t}$ with input $\mathbf{v}$. This follows since by definition $\|\mathbf{z}\| \le t$, and since $\langle \mathbf{v}, \mathbf{z} \rangle = \langle \mathbf{v}', \mathbf{z} \rangle \pmod{q/p}$. □
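The two reductions above (the proofs of Corollary 3.2 and Corollary 3.3), run end to end on toy parameters, as an added example that is not part of the paper. The instance sizes ($q = 5 \cdot 7 \cdot 11$, $p = 3$, $m = 4$, $t = 2$) and the planted instances are assumptions made for the example; the brute-force `solve_1d_sis` stands in for the hypothetical 1D-SIS(-R) solver that the reductions call as an oracle.

```python
# Added example, not code from the paper: the two reductions of Section 3.3 run
# on toy parameters. solve_1d_sis() is a brute-force stand-in for the hypothetical
# 1D-SIS(-R) solver; the other functions are the reductions themselves.
import itertools
import math
import random

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def is_1d_sis_solution(v, z, q, t, window=None):
    """z solves 1D-SIS on v if ||z||_inf <= t and <v,z> in [-t,t] + window*Z.
    window defaults to q (Definition 3.3); window = q/p gives 1D-SIS-R (Definition 3.4)."""
    w = q if window is None else window
    if not any(z) or max(abs(zi) for zi in z) > t:
        return False
    return abs(centered(sum(vi * zi for vi, zi in zip(v, z)), w)) <= t

def solve_1d_sis(v, q, t, window=None):
    """Exhaustive search over z in [-t,t]^m, feasible only for toy m and t."""
    for z in itertools.product(range(-t, t + 1), repeat=len(v)):
        if is_1d_sis_solution(v, z, q, t, window):
            return list(z)
    return None

def sis_to_1d_sis(a, q, t, oracle=solve_1d_sis):
    """Proof of Corollary 3.2: map a homogeneous SIS instance a in Z_q^{m+1} to the
    1D-SIS instance v = a_1^{-1} (a_2, ..., a_{m+1}) and lift the oracle's z to y."""
    if math.gcd(a[0], q) != 1:
        return None                                  # a_1 is not a unit: abort
    inv = pow(a[0], -1, q)
    v = [(inv * ai) % q for ai in a[1:]]
    z = oracle(v, q, t)
    if z is None:
        return None
    r = centered(sum(vi * zi for vi, zi in zip(v, z)), q)   # <v,z> = r (mod q), |r| <= t
    y = [-r] + z                                     # <a,y> = a_1 (-r + <v,z>) = 0 (mod q)
    assert sum(ai * yi for ai, yi in zip(a, y)) % q == 0 and max(map(abs, y)) <= t
    return y

def crt_embed(v, q, p, rng):
    """Proof of Corollary 3.3: lift v in Z_{q/p}^m to v' in Z_q^m with v' = v (mod q/p)
    and v' uniform (mod p), using the CRT (q/p and p are co-prime)."""
    qp, inv = q // p, pow(q // p, -1, p)
    out = []
    for vi in v:
        r = rng.randrange(p)
        out.append((vi + qp * (((r - vi) * inv) % p)) % q)
    return out

def planted_instance(m, q, rng):
    """Constructed toy SIS instance with a unit a_1 and a planted solution
    z = (1, ..., 1) for the derived 1D-SIS instance, so the brute force always succeeds."""
    a1 = rng.randrange(1, q)
    while math.gcd(a1, q) != 1:
        a1 = rng.randrange(1, q)
    v = [rng.randrange(q) for _ in range(m - 1)]
    v.append((-sum(v)) % q)                          # makes <v, (1,...,1)> = 0 (mod q)
    return [a1] + [(a1 * vi) % q for vi in v], v

def demo_reductions(seed=7, m=4, t=2):
    """Run both reductions; q = 5*7*11 as in Corollary 3.2, p = 3 as in Definition 3.4."""
    rng, q, p = random.Random(seed), 5 * 7 * 11, 3
    a, v = planted_instance(m, q, rng)
    y = sis_to_1d_sis(a, q, t)
    v_lift = crt_embed(v, p * q, p, rng)              # a 1D-SIS-R_{pq, p, t, m} instance
    z = solve_1d_sis(v_lift, p * q, t, window=q)      # its window is (pq)/p = q
    return {"t": t, "y": y, "z": z,
            "sis_ok": y is not None and sum(ai * yi for ai, yi in zip(a, y)) % q == 0,
            "r_ok": z is not None and is_1d_sis_solution(v, z, q, t)}
```

`demo_reductions()` returns the lifted SIS solution `y` and the 1D-SIS-R solution `z`, together with the checks that `y` is a short kernel vector of `a` and that `z` also solves the original 1D-SIS instance modulo $q/p$; the planted instances only guarantee that the toy oracle has something to find, and play no role in the reductions themselves.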

3.4  Admissible  Hash  Functions 

The  concept  of  admissible  hash  functions  was  defined  by  Boneh  and  Boyen  [BB04]  to  convert 
selectively  secure  identity  based  encryption  (IBE)  schemes  into  fully  secure  ones.  In  this  paper, 
we  use  admissible  hash  functions  for  our  PRF  construction.  Our  definition  of  admissible  hash 
functions  below  will  follow  that  of  Cash,  Hofheinz,  Kiltz  and  Peikert  [CHKP12]  with  minor  changes 
(in  particular,  note  that  we  do  not  require  that  the  bad  set  is  efficiently  recognizable). 

Definition 3.5 ([BB04, CHKP12]). Let $\mathcal{H} = \{\mathcal{H}_\lambda\}_\lambda$ be a family of hash functions such that $\mathcal{H}_\lambda \subseteq (\{0,1\}^* \to \{0,1\}^\ell)$ for some $\ell = \ell(\lambda)$. We say that $\mathcal{H}$ is a family of admissible hash functions if for every $H \in \mathcal{H}$ there exists a set $\mathsf{bad}_H$ of "bad string-tuples" such that the following two properties hold:

1. For every PPT algorithm $\mathcal{A}$, there is a negligible function $\nu$ such that

$$\Pr\left[ (x^{(0)}, \ldots, x^{(t)}) \in \mathsf{bad}_H \;\Big|\; H \leftarrow \mathcal{H}_\lambda,\ (x^{(0)}, \ldots, x^{(t)}) \leftarrow \mathcal{A}(1^\lambda, H) \right] \le \nu(\lambda)$$

where the probability is over the choice of $H \leftarrow \mathcal{H}_\lambda$ and the coins of $\mathcal{A}$.

2. Let $\mathcal{L} = \{0,1\}^{2\ell}$, and for all $L \in \mathcal{L}$ define $\Pi_L : \{0,1\}^\ell \to \{0,1\}$ to be the string comparison with wildcards function. Namely, write $L$ as a pair of strings $(\alpha, \beta) \in (\{0,1\}^\ell)^2$, and define

$$\Pi_{L=(\alpha,\beta)}(w) = 1 \iff \forall i \in [\ell]\ \big((\alpha_i = 0) \vee (\beta_i = w_i)\big) .$$

Intuitively, $\Pi$ is a string comparison function with wildcards. It compares $w$ and $\beta$ only at those points where $\alpha_i = 1$. Note that this representation is somewhat redundant but it will be useful for our application.

Then, we require that for every polynomial $t = t(\lambda)$ there exists a noticeable function $\Delta_t(\lambda)$ and an efficiently sampleable distribution $\mathcal{L}_t$ over $\mathcal{L}$ such that for every $H \in \mathcal{H}_\lambda$ and sequence $(x^{(0)}, \ldots, x^{(t)}) \notin \mathsf{bad}_H$ with $x^{(0)} \notin \{x^{(1)}, \ldots, x^{(t)}\}$, we have:

$$\Pr_{L \leftarrow \mathcal{L}_t}\left[ \Pi_L(H(x^{(0)})) \wedge \neg\Pi_L(H(x^{(1)})) \wedge \cdots \wedge \neg\Pi_L(H(x^{(t)})) \right] \ge \Delta_t(\lambda)$$

(that is, a random $L$ "partitions" the sequence so that the distinguished string $x^{(0)}$ matches the pattern while none of the others does, with noticeable probability).

It  has  been  shown  by  [BB04]  that  a  family  of  admissible  hash  functions  can  be  constructed 
based  on  any  collision  resistant  hash  function.  In  particular  one  can  instantiate  it  based  on  the  SIS 
problem  (for  virtually  any  parameter  setting  for  which  the  problem  is  hard) ,  which  is  at  least  as  hard 
as  LWE.  Therefore  throughout  this  manuscript  we  assume  the  existence  of  an  LWE-based  family 
of  admissible  hash  functions,  which  will  not  add  an  additional  assumption  to  our  construction. 
3.5 Attribute-Based Encryption

We define (leveled) attribute-based encryption, following [GPSW06, GVW13]. An attribute-based encryption scheme for a class of predicate circuits $\mathcal{C}$ (namely, circuits with a single bit output) consists of four algorithms $(\mathsf{ABE.Setup}, \mathsf{ABE.KeyGen}, \mathsf{ABE.Enc}, \mathsf{ABE.Dec})$.

$\mathsf{ABE.Setup}(1^\lambda, 1^\ell, 1^d) \to (\mathsf{pp}, \mathsf{msk})$: The setup algorithm gets as input the security parameter $\lambda$, the length $\ell$ of the attributes and the maximum depth $d$ of the predicate circuits, and outputs the public parameters $\mathsf{pp}$ and the master key $\mathsf{msk}$. All the other algorithms get $\mathsf{pp}$ as part of their input.

$\mathsf{ABE.KeyGen}(\mathsf{msk}, C) \to \mathsf{sk}_C$: The key generation algorithm gets as input $\mathsf{msk}$ and a predicate specified by $C \in \mathcal{C}$ (of depth at most $d$). It outputs a secret key $(C, \mathsf{sk}_C)$.

$\mathsf{ABE.Enc}(\mathsf{pp}, x, m) \to \mathsf{ct}$: The encryption algorithm gets as input $\mathsf{pp}$, attributes $x \in \{0,1\}^\ell$ and a message $m \in \mathcal{M}$. It outputs a ciphertext $(x, \mathsf{ct})$.

$\mathsf{ABE.Dec}((C, \mathsf{sk}_C), (x, \mathsf{ct})) \to m$: The decryption algorithm gets as input a circuit $C$ and the associated secret key $\mathsf{sk}_C$, attributes $x$ and an associated ciphertext $\mathsf{ct}$, and outputs either $\bot$ or a message $m \in \mathcal{M}$.

Correctness. We require that for all $\ell, d$, all $(x, C)$ such that $x \in \{0,1\}^\ell$, $C$ has depth at most $d$ and $C(x) = 1$, all $(\mathsf{pp}, \mathsf{msk}) \leftarrow \mathsf{ABE.Setup}(1^\lambda, 1^\ell, 1^d)$, all $\mathsf{sk}_C \leftarrow \mathsf{ABE.KeyGen}(\mathsf{msk}, C)$, all $m \in \mathcal{M}$, and all $\mathsf{ct} \leftarrow \mathsf{ABE.Enc}(\mathsf{pp}, x, m)$,

$$\mathsf{ABE.Dec}((C, \mathsf{sk}_C), (x, \mathsf{ct})) = m .$$


Security  Definition.  We  define  selective  security  of  ABE,  which  is  sufficient  for  our  purposes. 
We  allow  the  adversary  to  make  multiple  challenge  message  queries,  which  is  equivalent  to  the 
single  query  case  but  will  be  easier  for  us  to  work  with. 


Definition 3.6. For a stateful adversary $\mathcal{A}$, we define the advantage function $\mathsf{Adv}_{\mathcal{A}}^{\mathsf{ABE}}$ to be

$$\left| \Pr\left[\, b = b' \;:\; \begin{array}{l} b \leftarrow \{0,1\}; \\ x_1^*, \ldots, x_Q^* \leftarrow \mathcal{A}(1^\lambda, 1^\ell, 1^d); \\ (\mathsf{pp}, \mathsf{msk}) \leftarrow \mathsf{ABE.Setup}(1^\lambda, 1^\ell, 1^d); \\ \{(m_{0,i}, m_{1,i})\}_{i \in [Q]} \leftarrow \mathcal{A}^{\mathsf{ABE.KeyGen}(\mathsf{msk}, \cdot)}(\mathsf{pp}),\ \forall i.\ |m_{0,i}| = |m_{1,i}|; \\ \mathsf{ct}_i^* \leftarrow \mathsf{ABE.Enc}(\mathsf{pp}, x_i^*, m_{b,i}); \\ b' \leftarrow \mathcal{A}^{\mathsf{ABE.KeyGen}(\mathsf{msk}, \cdot)}(\mathsf{ct}_1^*, \ldots, \mathsf{ct}_Q^*) \end{array} \right] - \frac{1}{2} \right|$$

with the restriction that all queries $C$ that $\mathcal{A}$ makes to $\mathsf{ABE.KeyGen}(\mathsf{msk}, \cdot)$ satisfy $C(x_i^*) = 0$ for all $i$ (that is, $\mathsf{sk}_C$ does not decrypt the ciphertext corresponding to any of the $x_i^*$). An attribute-based encryption scheme is selectively secure if for all PPT adversaries $\mathcal{A}$, the advantage is a negligible function in $\lambda$.

We  will  use  a  special  type  of  attribute-based  encryption  scheme  with  succinct  keys,  namely  one 
where  |skc|  does  not  grow  with  the  size  of  the  circuit  C,  but  rather  only  its  depth. 
Theorem 3.4 ([BGG+14]). Let $\lambda$ be the security parameter, and $d \in \mathbb{N}$. Let $n = n(\lambda, d)$, $q = q(\lambda, d) = n^{O(d)}$, and let $\chi$ be a $\mathrm{poly}(n)$-bounded error distribution. Then, there is a selectively secure ABE scheme for the class of depth-$d$-bounded circuits, based on the hardness of $\mathsf{DLWE}_{n,q,\chi}$. Furthermore, the secret key $\mathsf{sk}_C$ for a circuit $C$ has size $\mathrm{poly}(\lambda, n, d)$.

4  Embedding  Circuits  into  Matrices 

In this section, we present the core techniques that we use in our construction. In essence, we use a method, developed in a recent work by Boneh et al. [BGG+14], to "embed" bits $x_1, \ldots, x_k$ into matrices $\mathbf{A}_1, \ldots, \mathbf{A}_k$, and compute a circuit $F$ on these matrices. This is done through a pair of algorithms $(\mathsf{ComputeA}, \mathsf{ComputeC})$ satisfying the following properties:

1. The deterministic algorithm $\mathsf{ComputeA}$ takes as input a circuit $F : \{0,1\}^k \to \{0,1\}$ and $k$ matrices $\mathbf{A}_1, \ldots, \mathbf{A}_k$ (together with an auxiliary matrix $\mathbf{A}_0$, see below), and outputs a matrix $\mathbf{A}_F$; and

2. The deterministic algorithm $\mathsf{ComputeC}$ takes as input a bit string $x = (x_1, \ldots, x_k) \in \{0,1\}^k$, and $k$ LWE samples $\mathbf{s}^T(\mathbf{A}_i + x_i \mathbf{G}) + \mathbf{e}_i^T$, and outputs an LWE sample $\mathbf{s}^T(\mathbf{A}_F + F(x) \cdot \mathbf{G}) + \mathbf{e}_F^T$ associated to the output matrix $\mathbf{A}_F$ and the output bit $F(x)$.

Here $\mathbf{G} \in \mathbb{Z}_q^{n \times m}$ denotes the gadget matrix, and $\mathbf{G}^{-1}(\cdot)$ the (deterministic) bit-decomposition map that sends a matrix in $\mathbb{Z}_q^{n \times m}$ to a $\{0,1\}$-matrix in $\{0,1\}^{m \times m}$ with $\mathbf{G} \cdot \mathbf{G}^{-1}(\mathbf{A}) = \mathbf{A}$; note that $\mathsf{ComputeC}$ never uses the secret $\mathbf{s}$, only the bits on the wires and the public matrices. These algorithms are closely modeled on the work of Boneh et al. [BGG+14]. We now describe how these algorithms work, and what their properties are.

The Algorithm $\mathsf{ComputeA}$. Given a circuit $F$, input matrices $\mathbf{A}_1, \ldots, \mathbf{A}_k$ (corresponding to the $k$ input wires) and an auxiliary matrix $\mathbf{A}_0$ (corresponding to a wire that carries the constant bit $1$), the $\mathsf{ComputeA}$ procedure works inductively, going through the gates of the circuit $F$ from the input to the output. Assume without loss of generality that the circuit $F$ is composed of NOT and AND gates. For every AND gate $g = (u, v; w)$, assume inductively that we have computed matrices $\mathbf{A}_u$ and $\mathbf{A}_v$ for the input wires $u$ and $v$. Define

$$\mathbf{A}_w = -\mathbf{A}_u \cdot \mathbf{G}^{-1}(\mathbf{A}_v)$$

For every NOT gate $g = (u; w)$, define

$$\mathbf{A}_w = \mathbf{A}_0 - \mathbf{A}_u$$

The Algorithm $\mathsf{ComputeC}$. Given a circuit $F$, an input $x \in \{0,1\}^k$ and LWE samples $(\mathbf{A}_i, \mathbf{y}_i)$, the $\mathsf{ComputeC}$ algorithm works as follows. For each AND gate $g = (u, v; w)$, assume that we have computed LWE samples $(\mathbf{A}_u, \mathbf{y}_u)$ and $(\mathbf{A}_v, \mathbf{y}_v)$ for the input wires $u$ and $v$. Define

$$\mathbf{y}_w = x_u \cdot \mathbf{y}_v - \mathbf{y}_u \cdot \mathbf{G}^{-1}(\mathbf{A}_v)$$

where $x_u$ and $x_v$ are the bits on wires $u$ and $v$ when evaluating the circuit $F$ on input $x$. For every NOT gate $g = (u; w)$, define

$$\mathbf{y}_w = \mathbf{y}_0 - \mathbf{y}_u$$

We will need the following lemma about the behavior of $\mathsf{ComputeA}$ and $\mathsf{ComputeC}$. (We remind the reader that we use $\|\cdot\|$ to denote the $\ell_\infty$ norm.)

Lemma 4.1. Let $F$ be a depth-$d$ Boolean circuit on $k$ input bits, and let $x \in \{0,1\}^k$ be an input. Let $\mathbf{A}_0, \mathbf{A}_1, \ldots, \mathbf{A}_k \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{y}_0, \ldots, \mathbf{y}_k \in \mathbb{Z}_q^m$ be such that

$$\|\mathbf{y}_i - \mathbf{s}^T(\mathbf{A}_i + x_i \mathbf{G})\| \le B \quad \text{for } i = 0, 1, \ldots, k,$$

for some $\mathbf{s} \in \mathbb{Z}_q^n$ and $B = B(\lambda)$, where $x_0 = 1$ is the constant bit on the auxiliary wire. Let $\mathbf{A}_F \leftarrow \mathsf{ComputeA}(F, \mathbf{A}_0, \ldots, \mathbf{A}_k)$ and $\mathbf{y}_F \leftarrow \mathsf{ComputeC}(F, x, \mathbf{A}_0, \ldots, \mathbf{A}_k, \mathbf{y}_0, \ldots, \mathbf{y}_k)$. Then, $\|\mathbf{y}_F - \mathbf{s}^T(\mathbf{A}_F + F(x) \cdot \mathbf{G})\| \le (m+1)^d \cdot B$.

Furthermore, $\mathbf{y}_F$ is a "low-norm" linear function of $\mathbf{y}_0, \ldots, \mathbf{y}_k$. That is, there are matrices $\mathbf{Z}_0, \ldots, \mathbf{Z}_k$ (which depend on the function $F$, the input $x$, and the input matrices $\mathbf{A}_0, \ldots, \mathbf{A}_k$, but not on $\mathbf{s}$ or the errors) such that $\mathbf{y}_F = \sum_{i=0}^{k} \mathbf{y}_i \mathbf{Z}_i$ and $\|\mathbf{Z}_i\| \le m^{O(d)}$.

Proof. We show this by induction on the levels of the circuit $F$, starting from the input. Consider two cases.

AND gate. Consider an AND gate $g = (u, v; w)$ where the input wires are at level $L$, and assume that $\mathbf{y}_u = \mathbf{s}^T(\mathbf{A}_u + x_u \mathbf{G}) + \mathbf{e}_u$ and $\mathbf{y}_v = \mathbf{s}^T(\mathbf{A}_v + x_v \mathbf{G}) + \mathbf{e}_v$, with $\|\mathbf{e}_u\|, \|\mathbf{e}_v\| \le (m+1)^L \cdot B$. Now,

$$\begin{aligned}
\mathbf{y}_w &= x_u \cdot \mathbf{y}_v - \mathbf{y}_u \cdot \mathbf{G}^{-1}(\mathbf{A}_v) \\
&= x_u \cdot \big(\mathbf{s}^T(\mathbf{A}_v + x_v \mathbf{G}) + \mathbf{e}_v\big) - \big(\mathbf{s}^T(\mathbf{A}_u + x_u \mathbf{G}) + \mathbf{e}_u\big) \cdot \mathbf{G}^{-1}(\mathbf{A}_v) \\
&= \mathbf{s}^T\big(x_u \mathbf{A}_v + x_u x_v \mathbf{G} - \mathbf{A}_u \mathbf{G}^{-1}(\mathbf{A}_v) - x_u \mathbf{A}_v\big) + x_u \mathbf{e}_v - \mathbf{e}_u \mathbf{G}^{-1}(\mathbf{A}_v) \\
&= \mathbf{s}^T(\mathbf{A}_w + x_w \mathbf{G}) + \mathbf{e}_w
\end{aligned}$$

where $\mathbf{A}_w = -\mathbf{A}_u \cdot \mathbf{G}^{-1}(\mathbf{A}_v)$, $x_w = x_u x_v$, $\mathbf{e}_w = x_u \mathbf{e}_v - \mathbf{e}_u \mathbf{G}^{-1}(\mathbf{A}_v)$, and, since $\mathbf{G}^{-1}(\mathbf{A}_v)$ is an $m \times m$ matrix with $\{0,1\}$ entries,

$$\|\mathbf{e}_w\| \le m \cdot \|\mathbf{e}_u\| + \|\mathbf{e}_v\| \le (m+1) \cdot (m+1)^L \cdot B \le (m+1)^{L+1} \cdot B$$

NOT gate. In a similar vein, for a NOT gate $g = (u; w)$, assume that $\mathbf{y}_u = \mathbf{s}^T(\mathbf{A}_u + x_u \mathbf{G}) + \mathbf{e}_u$, with $\|\mathbf{e}_u\| \le (m+1)^L \cdot B$, and recall that $\mathbf{y}_0 = \mathbf{s}^T(\mathbf{A}_0 + \mathbf{G}) + \mathbf{e}_0$ with $\|\mathbf{e}_0\| \le B$. Then,

$$\begin{aligned}
\mathbf{y}_w &= \mathbf{y}_0 - \mathbf{y}_u = \mathbf{s}^T(\mathbf{A}_0 + \mathbf{G} - \mathbf{A}_u - x_u \mathbf{G}) + (\mathbf{e}_0 - \mathbf{e}_u) \\
&= \mathbf{s}^T(\mathbf{A}_w + (1 - x_u)\mathbf{G}) + \mathbf{e}_w
\end{aligned}$$

where $\mathbf{A}_w = \mathbf{A}_0 - \mathbf{A}_u$, $x_w = 1 - x_u$, $\mathbf{e}_w = \mathbf{e}_0 - \mathbf{e}_u$, and

$$\|\mathbf{e}_w\| \le \|\mathbf{e}_0\| + \|\mathbf{e}_u\| \le B + (m+1)^L \cdot B \le (m+1)^{L+1} \cdot B$$

Thus, $\mathbf{y}_F = \mathbf{s}^T(\mathbf{A}_F + F(x) \cdot \mathbf{G}) + \mathbf{e}_F$ where $\|\mathbf{e}_F\| \le (m+1)^d \cdot B = m^{O(d)} \cdot B$. Furthermore, both transformations are linear functions of $\mathbf{y}_u$ and $\mathbf{y}_v$ (respectively $\mathbf{y}_0$ and $\mathbf{y}_u$) whose coefficient matrices have entries in $\{0, \pm 1\}$, so composing them over $d$ levels gives the required low-norm $\mathbf{Z}_i$. □


5  Constrained  PRF 

5.1  Construction 

A family of functions $\mathcal{F} \subseteq (\{0,1\}^* \to \{0,1\})$ is $z$-uniform if each function $F \in \mathcal{F}$ can be described by a string in $\{0,1\}^z$ (we associate $F$ with its description), and there exists a uniform circuit family $\{U_k\}_{k \in \mathbb{N}}$ with $U_k : \{0,1\}^z \times \{0,1\}^k \to \{0,1\}$ such that for all $x \in \{0,1\}^k$ it holds that $U_k(F, x) = F(x)$. We assume for the sake of simplicity that the depth of $U_k$ grows monotonically with $k$, and for all $d$ we let $k_d$ be the maximal input size for which $U_k$ has depth at most $d$. We define $\mathcal{F}_d$ to be such that $F \in \mathcal{F}_d$ is undefined for inputs of length $k > k_d$. We call such a family $d$-depth-bounded.

Our constrained PRF for a $z$-uniform $d$-depth-bounded family $\mathcal{F}$ works as follows.

• $\mathsf{KeyGen}(1^\lambda, 1^z, 1^d)$: The key generation algorithm takes as input the maximum size $z$ and depth $d$ of the constraining circuits. Let $\mathcal{H}$ be a family of admissible hash functions (see Section 3.4) and let $\ell = \ell(\lambda)$ be the output length of hash functions in the family.

Let $n = n(\lambda, d)$, $q = q(\lambda, d)$, $p = p(\lambda, d)$ be parameters chosen as described in Section 5.2 below, and let $m = n \lceil \log q \rceil$.

Generate $z + 2\ell + 3$ matrices as follows: let $\mathbf{A}_0$ and $\mathbf{A}_1$ be the "input matrices", let $\mathbf{B}_1, \mathbf{B}_2, \ldots, \mathbf{B}_z$ be the "function matrices", let $\mathbf{C}_1, \ldots, \mathbf{C}_{2\ell}$ be the "partitioning matrices", and let $\mathbf{D}$ be an "auxiliary matrix". All of these matrices are uniform in $\mathbb{Z}_q^{n \times m}$ (note that the "gadget matrix" $\mathbf{G}$ has the same dimensions). In addition sample an admissible hash function $H \leftarrow \mathcal{H}_\lambda$.

The public parameters consist of

$$\mathcal{PP} = (H, \mathbf{A}_0, \mathbf{A}_1, \mathbf{B}_1, \ldots, \mathbf{B}_z, \mathbf{C}_1, \ldots, \mathbf{C}_{2\ell}, \mathbf{D})$$

The seed of the PRF is a uniformly random vector $\mathbf{s} \in \mathbb{Z}_q^n$.

• $\mathsf{Eval}(\mathbf{s}, \mathcal{PP}, x)$ takes as input the PRF seed $\mathbf{s}$, the public parameters $\mathcal{PP}$, and an input $x \in \{0,1\}^k$ such that $k \le k_d$ (i.e. $U_k$ is of depth $\le d$), and works as follows.

Recall that $U_k : \{0,1\}^z \times \{0,1\}^k \to \{0,1\}$ is the universal circuit that takes a description of a function $F$ and an input $x$ and outputs $U_k(F, x) = F(x)$. Let $\Pi : \{0,1\}^{2\ell} \times \{0,1\}^\ell \to \{0,1\}$ denote the circuit that computes $\Pi(L, w) = \Pi_L(w)$ from Definition 3.5. Note that $\Pi$ can be implemented by a binary circuit of depth $\log(\ell) + O(1)$.

Let $(x_1, \ldots, x_k)$ denote the bits of $x$. Let $w = H(x)$, and let $w_1, \ldots, w_\ell$ be its bits. Compute

$$\mathbf{B}_{U,x} \leftarrow \mathsf{ComputeA}(U_k, \mathbf{B}_1, \ldots, \mathbf{B}_z, \mathbf{A}_{x_1}, \mathbf{A}_{x_2}, \ldots, \mathbf{A}_{x_k}) \qquad (1)$$

$$\mathbf{C}_{\Pi} \leftarrow \mathsf{ComputeA}(\Pi, \mathbf{C}_1, \ldots, \mathbf{C}_{2\ell}, \mathbf{A}_{w_1}, \mathbf{A}_{w_2}, \ldots, \mathbf{A}_{w_\ell}) \qquad (2)$$

(note that $\mathbf{A}_1$, being the matrix associated with the constant bit $1$, can serve as the auxiliary matrix that NOT gates require in Section 4) and output

$$\mathsf{PRF}_{\mathbf{s}}(x) = \left\lfloor \mathbf{s}^T \mathbf{B}_{U,x} \cdot \mathbf{G}^{-1}(\mathbf{C}_\Pi) \cdot \mathbf{G}^{-1}(\mathbf{D}) \right\rfloor_p$$

• $\mathsf{Constrain}(\mathbf{s}, \mathcal{PP}, F)$ takes as input the PRF key $\mathbf{s}$ and a circuit $F$ (of size at most $z$, with description bits $f_1, \ldots, f_z$) and does the following. Compute

$$\mathbf{a}_b = \mathbf{s}^T(\mathbf{A}_b + b \cdot \mathbf{G}) + \mathbf{e}_{1,b} \in \mathbb{Z}_q^m \quad \text{for } b \in \{0,1\}$$

$$\mathbf{b}_i = \mathbf{s}^T(\mathbf{B}_i + f_i \cdot \mathbf{G}) + \mathbf{e}_{2,i} \in \mathbb{Z}_q^m \quad \text{for all } i \in [z]$$

where the error vectors $\mathbf{e}$ are drawn coordinate-wise from an error distribution $\chi$ to be specified later (in Section 5.2). The constrained seed $K_F$ is the tuple $(\mathbf{a}_0, \mathbf{a}_1, \mathbf{b}_1, \ldots, \mathbf{b}_z) \in (\mathbb{Z}_q^m)^{z+2}$.

• $\mathsf{ConstrainEval}(K_F, \mathcal{PP}, x)$ takes as input the constrained key $K_F$ and an input $x$. It computes

$$\mathbf{b}_{U,x} \leftarrow \mathsf{ComputeC}\big(U_k,\ (\mathbf{b}_1, \ldots, \mathbf{b}_z, \mathbf{a}_{x_1}, \ldots, \mathbf{a}_{x_k}),\ (f_1, \ldots, f_z, x_1, \ldots, x_k)\big)$$

and outputs $\left\lfloor \mathbf{b}_{U,x} \cdot \mathbf{G}^{-1}(\mathbf{C}_\Pi) \cdot \mathbf{G}^{-1}(\mathbf{D}) \right\rfloor_p$, where $\mathbf{C}_\Pi$ is defined as above (it depends only on the public parameters and on $w = H(x)$, so the holder of $K_F$ can compute it).
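The mechanism behind $\mathsf{ComputeA}$ / $\mathsf{ComputeC}$ (Section 4) and behind the agreement of $\mathsf{Eval}$ and $\mathsf{ConstrainEval}$ at points with $F(x) = 0$, as an added example in plain Python that is not code from the paper. It instantiates the gadget matrix and $\mathbf{G}^{-1}(\cdot)$ for a power-of-two modulus, runs the two gate rules on a NAND circuit, checks the error bound of Lemma 4.1, and then compares the seed-based evaluation with the constrained one after multiplication by $\mathbf{G}^{-1}(\mathbf{D})$ and rounding. The admissible hash $H$, the circuit $\Pi$ and the partitioning matrices are left out, the rounding is the floor rounding used by the Borderline event of Section 5.3, and the parameters ($n = 3$, $q = 2^{32}$, $p = 4$, errors in $\{-1, 0, 1\}$ so $B = 1$) are toy values assumed for the example; they offer no security.

```python
# Added example, not code from the paper: a toy pure-Python instantiation of the
# ComputeA / ComputeC embedding of Section 4 and of Eval vs. ConstrainEval from
# Section 5.1, with the admissible-hash factor G^{-1}(C_Pi) dropped so that only
# "the constrained key evaluates correctly exactly when F(x) = 0" is exercised.
# Parameters are assumed toy values with no security.
import random

N, LOGQ, P = 3, 32, 4          # n, log2(q), rounding modulus p
Q = 1 << LOGQ
M = N * LOGQ                   # m = n * ceil(log q)

def vec_mat(y, Z):
    """Row vector y times matrix Z (one row of Z per entry of y), mod q."""
    return [sum(yi * Zi[j] for yi, Zi in zip(y, Z)) % Q for j in range(len(Z[0]))]

def mat_add(A, B, sign=1):
    return [[(a + sign * b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def gadget():
    """G = I_n (x) (1, 2, 4, ..., 2^{log q - 1}): the n x m gadget matrix."""
    return [[(1 << (j % LOGQ)) if j // LOGQ == i else 0 for j in range(M)] for i in range(N)]

def g_inverse(A):
    """G^{-1}(A): the m-row {0,1}-matrix whose column j is the bit decomposition
    of column j of A, so that G * G^{-1}(A) = A (mod q)."""
    return [[(A[r // LOGQ][j] >> (r % LOGQ)) & 1 for j in range(len(A[0]))] for r in range(M)]

def eval_circ(gates, x):
    """Plain Boolean evaluation. Wire 0 is the auxiliary constant-1 wire, wires
    1..k carry x; gates are ("AND", u, v, w) or ("NOT", u, w); output = last w."""
    val = {0: 1, **{i + 1: xi for i, xi in enumerate(x)}}
    for g in gates:
        val[g[-1]] = val[g[1]] & val[g[2]] if g[0] == "AND" else 1 - val[g[1]]
    return val

def depth(gates):
    d = {}
    for g in gates:
        d[g[-1]] = max(d.get(u, 0) for u in g[1:-1]) + 1
    return d[gates[-1][-1]]

def compute_a(gates, A):
    """ComputeA: A_w = -A_u * G^{-1}(A_v) for AND, A_w = A_0 - A_u for NOT."""
    A = dict(A)
    for g in gates:
        if g[0] == "AND":
            Gv = g_inverse(A[g[2]])
            A[g[3]] = [[(-a) % Q for a in vec_mat(r, Gv)] for r in A[g[1]]]
        else:
            A[g[2]] = mat_add(A[0], A[g[1]], -1)
    return A

def compute_c(gates, x, A, y):
    """ComputeC: y_w = x_u * y_v - y_u * G^{-1}(A_v) for AND, y_w = y_0 - y_u for
    NOT. Uses only the wire bits and the public matrices, never the seed s."""
    val, A, y = eval_circ(gates, x), compute_a(gates, A), dict(y)
    for g in gates:
        if g[0] == "AND":
            _, u, v, w = g
            t = vec_mat(y[u], g_inverse(A[v]))
            y[w] = [(val[u] * b - a) % Q for a, b in zip(t, y[v])]
        else:
            y[g[2]] = [(a - b) % Q for a, b in zip(y[0], y[g[1]])]
    return y

def round_p(y):
    """Floor rounding Z_q -> Z_p, matching the Borderline definition of Section 5.3."""
    return [(yi * P) // Q for yi in y]

def borderline(y, E):
    """Borderline event: some coordinate lies within E of a multiple of q/p."""
    return any(min(yi % (Q // P), Q // P - yi % (Q // P)) <= E for yi in y)

def demo(gates, k, x, seed=1):
    """Check the Lemma 4.1 error bound on one input, then compare Eval (needs s)
    with ConstrainEval (needs only the LWE samples) after G^{-1}(D) and rounding."""
    rng = random.Random(seed)
    G = gadget()
    s = [rng.randrange(Q) for _ in range(N)]
    A = {i: [[rng.randrange(Q) for _ in range(M)] for _ in range(N)] for i in range(k + 1)}
    D = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    bits, B, y = eval_circ([], x), 1, {}
    for i in range(k + 1):      # constrained key: y_i = s^T(A_i + x_i G) + e_i, |e_i| <= B
        Ai = mat_add(A[i], G) if bits[i] else A[i]
        y[i] = [(t + rng.choice((-1, 0, 1))) % Q for t in vec_mat(s, Ai)]
    out, d = gates[-1][-1], depth(gates)
    A_F, y_F = compute_a(gates, A)[out], compute_c(gates, x, A, y)[out]
    fx = eval_circ(gates, x)[out]
    target = vec_mat(s, mat_add(A_F, G) if fx else A_F)      # s^T (A_F + F(x) G)
    err = max(min((a - b) % Q, Q - (a - b) % Q) for a, b in zip(y_F, target))
    GD = g_inverse(D)
    ev, cev = vec_mat(vec_mat(s, A_F), GD), vec_mat(y_F, GD)
    return {"f_x": fx, "error": err, "bound": (M + 1) ** d * B,
            "match": round_p(ev) == round_p(cev),
            "borderline": borderline(cev, M * (M + 1) ** d * B)}
```

`demo([("AND", 1, 2, 3), ("NOT", 3, 4)], 2, (1, 1))` evaluates NAND at a point where $F(x) = 0$: the reported error stays below $(m+1)^d B$ and the two rounded outputs agree unless the Borderline event fires, exactly the case split of Hybrid $H_5$. Calling it with $x = (0, 1)$ gives $F(x) = 1$, the constrained value then carries the extra term $\mathbf{s}^T \mathbf{D}$ and no longer matches, which is what the pseudorandomness argument relies on.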

5.2  Setting  the  Parameters 

Let  us  start  by  providing  a  typical  parameter  setting,  and  then  explain  how  parameters  can  be 
modified  and  the  effect  on  security. 

Consider setting $n(\lambda, d) = (\lambda \cdot d)^c$, for a constant $c$ that will be discussed shortly. We will set $\chi$ to be a discrete Gaussian distribution $D_{\mathbb{Z}, \alpha q}$ s.t. $\alpha q = \Theta(\sqrt{n})$. We define $n' = \lambda$ and let $p_1, \ldots, p_{n'} = m^{O(d + \log \ell)}$ be all primes, and $p = \mathrm{poly}(\lambda)$ (in fact, there is a lot of freedom in the choice of $p$, and it can be as large as $m^{O(d + \log \ell)}$ under the same asymptotic hardness). Finally, let

$$q = p \cdot (\alpha q) \cdot \prod_{i \in [n']} p_i = m^{n' \cdot O(d + \log \ell)} = 2^{\tilde{O}(\lambda d)} = 2^{\tilde{O}(n^{1/c})} \qquad (\text{recall that } \ell = \mathrm{poly}(\lambda)).$$

This parameter setting translates into a PRF with $m \cdot \lceil \log p \rceil = n \lceil \log q \rceil \cdot \Theta(\log \lambda)$ output bits per input, whose security is based (as we show in the next section) on the hardness of approximating lattice problems to within a factor of $2^{\tilde{O}(n^{1/c})}$.

Taking  larger  values  of  c  will  increase  the  hardness  of  the  underlying  lattice  problem,  but  at 
the  cost  of  considerably  increasing  the  element  sizes. 

5.3  Security 

Throughout this section, we let $\mathcal{F}$ be a family of $z$-uniform functions and let $d$ be a depth bound (both can depend on $\lambda$). We let $n = n(\lambda, d)$, $m = m(\lambda, d)$, $q = q(\lambda, d)$, $p = p(\lambda, d)$ and the noise distribution $\chi = \chi(\lambda, d)$ be as defined in Section 5.2. We let $\mathcal{H}$ be the family of admissible hash functions as described in Section 3.4, with range $\{0,1\}^\ell$.

Theorem 5.1. Let $\mathcal{F}$ be a family of $z$-uniform functions and let $d$ be a depth bound (both can depend on $\lambda$). Let $n = n(\lambda, d)$, $m = m(\lambda, d)$, $q = q(\lambda, d)$, $p = p(\lambda, d)$ and the noise distribution $\chi = \chi(\lambda, d)$ be as defined in Section 5.2. Further let $m' = m \cdot (z + 2\ell + 3)$, and $\gamma = \omega(\sqrt{n \log \lambda}) \cdot p \cdot m^{O(d + \log \ell)}$. Assuming the hardness of $\mathsf{DLWE}_{n,q,\chi}$, $\mathsf{1D\text{-}SIS\text{-}R}_{q,p,\gamma,m'}$ and the admissible hash function family $\mathcal{H}$, the scheme $\mathcal{CPRF} = (\mathsf{KeyGen}, \mathsf{Eval}, \mathsf{Constrain}, \mathsf{ConstrainEval})$ is a single-key selective-function secure constrained PRF for $\mathcal{F}$.

We  note  that  the  hardness  of  all  three  assumptions  translates  to  the  worst  case  hardness  of 
approximating  lattice  problems  such  as  GapSVP  and  SIVP  to  within  sub-exponential  factors. 

Proof. Let $\mathcal{A}$ be a PPT selective-constraint adaptive-input adversary against $\mathcal{CPRF}_{z,d}$. Let $t = \mathrm{poly}(\lambda)$ be the (polynomial) number of input queries made by $\mathcal{A}$ (w.l.o.g.). Let $\epsilon$ be the advantage of $\mathcal{A}$ in the constrained PRF game. We let $B = \alpha q \cdot \omega(\sqrt{\log \lambda})$. It holds that with all but negligible probability, all samples that we take from $\chi$ will have absolute value at most $B$. For the duration of the proof we assume that this is indeed the case.

The proof will proceed by a sequence of hybrids (or experiments) where the challenger samples a bit $b \in \{0,1\}$ and interacts with $\mathcal{A}$. We let $\mathsf{Adv}_H(\mathcal{A})$ denote the probability that $\mathcal{A}$ outputs $b$ in hybrid $H$.
Hybrid $H_0$. This hybrid is the legitimate constrained PRF security game. The challenger generates $(\mathbf{s}, \mathcal{PP}) \leftarrow \mathsf{KeyGen}(1^\lambda, 1^z, 1^d)$. It gets $F \in \{0,1\}^z$ from $\mathcal{A}$ and produces a constrained key $K_F \leftarrow \mathsf{Constrain}(\mathbf{s}, \mathcal{PP}, F)$. It then sends $\mathcal{PP}, K_F$ to $\mathcal{A}$. At this point $\mathcal{A}$ adaptively makes queries $x^{(i)} \in \{0,1\}^*$, and the challenger computes $y^{(i)} \leftarrow \mathsf{Eval}(\mathbf{s}, \mathcal{PP}, x^{(i)})$ and returns it to $\mathcal{A}$. Finally, $\mathcal{A}$ outputs $x^* \in \{0,1\}^*$. If $b = 0$ then the challenger returns $y^* \leftarrow \mathsf{Eval}(\mathbf{s}, \mathcal{PP}, x^*)$, and if $b = 1$ it returns a random $y^*$. Therefore, we have

$$\mathsf{Adv}_{H_0}(\mathcal{A}) \ge 1/2 + \epsilon .$$

Hybrid $H_1$. This is the notorious "artificial abort" phase. Let $\Delta_t = \Delta_t(\lambda)$ be the noticeable function from Definition 3.5. This hybrid is identical to the previous one, except in the last step the challenger flips a coin and with probability $1 - \Delta_t/2$ aborts the experiment (hence giving the adversary no information on $b$, so that in the aborted runs it guesses $b$ correctly with probability exactly $1/2$).

The adversary's advantage thus degrades appropriately:

$$\mathsf{Adv}_{H_1}(\mathcal{A}) \ge (\Delta_t/2) \cdot (1/2 + \epsilon) + (1 - \Delta_t/2) \cdot (1/2) = 1/2 + \epsilon \cdot \Delta_t/2 .$$


Hybrid $H_2$. In this hybrid, we associate some meaning with the artificial abort. Intuitively, the abort will be associated with a failure of the admissible hash function to partition the queries correctly. We are guaranteed that correct partitioning happens with probability $\ge \Delta_t$ (except for sequences that are hard to generate), but we would like to make it (almost) exactly $\Delta_t/2$ so as to not correlate the adversary's success probability with the string $L$ (the loss of the factor $2$ is due to probability estimation).

Specifically, in this hybrid, rather than flipping a coin at the end of the experiment, the challenger does the following. For all $\vec{x} = (x^{(1)}, \ldots, x^{(t)}, x^*)$, we define the event $\mathsf{GoodPartition}_{\vec{x}}$ to be the event in which $\Pi_L(H(x^{(1)})) = \cdots = \Pi_L(H(x^{(t)})) = 0$ and $\Pi_L(H(x^*)) = 1$, and define $\delta_{\vec{x}} = \Pr_{L \leftarrow \mathcal{L}_t}[\mathsf{GoodPartition}_{\vec{x}}]$. The challenger will first compute an estimate $\hat{\delta}_{\vec{x}}$ of $\delta_{\vec{x}}$ by sampling multiple values of $L$ from $\mathcal{L}_t$ and using Chernoff bounds (both additive and multiplicative). Using $\mathrm{poly}(\lambda)$-many samples we can compute $\hat{\delta}_{\vec{x}}$ such that

$$\Pr\left[\, |\hat{\delta}_{\vec{x}} - \delta_{\vec{x}}| \ge \Delta_t/4 \,\right] \le 2^{-\lambda} ,$$

and in addition if $\delta_{\vec{x}} \ge \Delta_t/2$ then

$$\Pr\left[\, \frac{|\hat{\delta}_{\vec{x}} - \delta_{\vec{x}}|}{\delta_{\vec{x}}} \ge \epsilon/2 \,\right] \le 2^{-\lambda} .$$

The challenger will then perform as follows: (i) It first verifies that $\hat{\delta}_{\vec{x}} \ge \frac{3}{4}\Delta_t$, and aborts if this is not the case. (ii) It then samples $L \leftarrow \mathcal{L}_t$, and aborts if $\mathsf{GoodPartition}_{\vec{x}}$ did not occur (note that by our definitions above, this happens with probability $1 - \delta_{\vec{x}}$ over the choice of $L$). (iii) Then it flips a coin that comes up $1$ with probability $1 - \frac{\Delta_t/2}{\hat{\delta}_{\vec{x}}}$ and aborts if the outcome is $1$. Otherwise it carries out the experiment towards completion.

To analyze the effect on the success probability, we first notice that the probability that $\hat{\delta}_{\vec{x}} < \frac{3}{4}\Delta_t$ (abort in step (i)) is negligible. This is since, except with $2^{-\lambda}$ probability, this indicates that $\delta_{\vec{x}} < \Delta_t$, which implies that $\vec{x} \in \mathsf{bad}_H$. Definition 3.5 guarantees that this happens with probability at most $\nu(\lambda) = \mathrm{negl}(\lambda)$.

If the above abort did not occur, we know that $\delta_{\vec{x}} \ge \Delta_t/2$ (except with probability $2^{-\lambda}$), and we first notice that the total probability of abort in steps (ii) + (iii) is

$$1 - \delta_{\vec{x}} + \delta_{\vec{x}} \cdot \left(1 - \frac{\Delta_t/2}{\hat{\delta}_{\vec{x}}}\right) = 1 - \frac{\delta_{\vec{x}}}{\hat{\delta}_{\vec{x}}} \cdot \Delta_t/2 \;\in\; \left[(1 - \Delta_t/2) - \epsilon\Delta_t/4,\ (1 - \Delta_t/2) + \epsilon\Delta_t/4\right]$$

It therefore follows that if there was no abort in step (i), then the adversary's view in $H_2$ is within statistical distance $2^{-\lambda} + \epsilon\Delta_t/4$ from its view in $H_1$.

Putting all steps together, we get that

$$\mathsf{Adv}_{H_2}(\mathcal{A}) \ge 1/2 + \epsilon \cdot \Delta_t/2 - \nu(\lambda) - O(2^{-\lambda}) - \epsilon\Delta_t/4 = 1/2 + \epsilon \cdot \Delta_t/4 - \mathrm{negl}(\lambda) .$$

Hybrid $H_3$. In this hybrid, the challenger first samples $L \leftarrow \mathcal{L}_t$, and then, for each $x^{(i)}$ in turn, it checks whether $\Pi_L(H(x^{(i)})) = 0$, and immediately aborts if not. Similarly, upon receiving $x^*$, it checks whether $\Pi_L(H(x^*)) = 1$ and immediately aborts if not. Otherwise it continues the same as $H_2$.

It is rather straightforward to see that $\mathcal{A}$'s advantage does not change. The cases in which we abort are exactly the same as the ones in the previous hybrid (since it is sufficient that a single $x^{(i)}$ does not give the required value in order to abort). Further, the sampling of $L$ has been completely independent of all the other randomness in the experiment so it might as well happen in the beginning. We conclude that

$$\mathsf{Adv}_{H_3}(\mathcal{A}) = \mathsf{Adv}_{H_2}(\mathcal{A}) \ge 1/2 + \epsilon \cdot \Delta_t/4 - \mathrm{negl}(\lambda) .$$

Hybrid $H_4$. In this hybrid, the challenger changes the way the matrices $\mathbf{A}, \mathbf{B}, \mathbf{C}$ are generated. Recall that our security game is constraint-selective, namely $\mathcal{A}$ produces the constraint $F$ before seeing the public parameters.

Therefore, here, the challenger waits until receiving $F$ from $\mathcal{A}$ and only generates the public parameters at that point (note that by then $L$ has also been specified). To generate the public parameters, the matrix $\mathbf{D}$ is produced identically to before. In addition, the challenger samples uniform matrices $\{\hat{\mathbf{A}}_\beta\}_{\beta \in \{0,1\}}$, $\{\hat{\mathbf{B}}_i\}_{i \in [z]}$, $\{\hat{\mathbf{C}}_i\}_{i \in [2\ell]}$. It then sets

$$\mathbf{A}_\beta = \hat{\mathbf{A}}_\beta - \beta \mathbf{G}, \qquad \mathbf{B}_i = \hat{\mathbf{B}}_i - f_i \mathbf{G}, \qquad \mathbf{C}_i = \hat{\mathbf{C}}_i - L_i \mathbf{G} .$$

The remainder of the experiment remains unchanged.

Since the distributions of the $\mathbf{A}, \mathbf{B}, \mathbf{C}$ matrices are identical to their original uniform distributions, it follows that

$$\mathsf{Adv}_{H_4}(\mathcal{A}) = \mathsf{Adv}_{H_3}(\mathcal{A}) .$$


Hybrid  H5.  In  this  hybrid,  the  adversary  changes  the  way  it  computes  the  outputs  Recall 
that  Kp  =  (ao,  ai,  bi, . . . ,  bz)  is  the  constrained  key  given  to  A.  Let  us  denote 


c i  =  sT(C i  +  LjG)  +  for  all  i  €  [z] 
d  =  s1  D  +  e  4 
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where  e3 j  are  sampled  coordinate-wise  from  \i  and  e4  is  sampled  coordinate-wise  from  x'- 
In  this  hybrid,  in  order  to  answer  input  queries,  the  challenger  first  computes 


ComputeC  [  U,  (bi, . . .  ,bz,axi, . . . ,  aXk),  (/i, . . . ,  x^) 

and  then,  letting  u/4)  =  H(x^) 


cn,ui«  ComputeC  (JI,  (ci, . . . ,  c2£,  aWl, . . . ,  a^),  (Lu  . . . ,  L2e ,  w\ 

We  recall  that  by  Lemma  4.1  it  holds  that 

bLw  =  sT(B^>*>  +  F(ili))-G>+e" 


(0 


^11 


>w(i)  ~  sl  (Cn,«,w  +  nL(u;d))  •  G)  + 


iwi 


(O' 


for  some  e^,en  for  which  ||e^||  <  B  ■  m°^d\  ||en||  <  B  ■  m°(log<). 

We  recall  that  by  definition 

PRFs(x«)  =  sTBw  (j)  •  G_1(Cn  (i))G-1(D)" 

p 

sT(B Wjx(i)  +  F(.t«)G)  •  G-1(Cn^w)G-1(D) 
-F(x«)sTCnVi)G-1(D) 
sT(BWi:c(i)  +F(s«)G)  •  G_1(Cn,w(i))G_1(D) 

-F(x®)  sT(Cnw(i)  +  ni(u;»)G)G“1(D) 
+F(xW)nL(u;W)sTD 

p 

b^(i).G-1(CnVi))G-1(D)-F(x«)c^wG-1(D) 


+F(xW)nL(u;W)dT  +  < 


,/T 


(3) 


where 


e/T  =  -^G-HCn^oJG-HD)  +  F^e&G-'CD)  -  F(x®)nL(w®)e%  (4) 

which  implies  that  || er 1 1  <  E  for  some  E  =  (m°^  +  m°^° g^)  ■  B. 

To analyze the distinguishing probability between these hybrids, for any input $x$ (and $w = H(x)$) we define the event $\mathsf{Borderline}_x$ as the event where there exists $j \in [m]$ such that

$$\Big(\mathbf{b}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\cdot\mathbf{G}^{-1}(\mathbf{D}) - F(x)\cdot\mathbf{c}_{\Pi,w}\cdot\mathbf{G}^{-1}(\mathbf{D}) + F(x)\cdot\Pi_L(w)\cdot\mathbf{d}^T\Big)\cdot\mathbf{u}_j \in [-E,E] + (q/p)\mathbb{Z} ,$$

where we recall that $\mathbf{u}_j$ is the $j$th indicator vector. Namely, this is the probability that one of the coordinates of the vector $\mathbf{b}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\,\mathbf{G}^{-1}(\mathbf{D}) - F(x)\,\mathbf{c}_{\Pi,w}\,\mathbf{G}^{-1}(\mathbf{D}) + F(x)\,\Pi_L(w)\,\mathbf{d}^T$ is "dangerously close" to being rounded in the wrong direction.

By definition of rounding, if $\neg\mathsf{Borderline}_{x^{(i)}}$, then

$$\mathsf{PRF}_{\mathbf{s}}(x^{(i)}) = \Big\lfloor \mathbf{b}_{U,x^{(i)}}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w^{(i)}})\,\mathbf{G}^{-1}(\mathbf{D}) - F(x^{(i)})\,\mathbf{c}_{\Pi,w^{(i)}}\,\mathbf{G}^{-1}(\mathbf{D}) + F(x^{(i)})\,\Pi_L(w^{(i)})\,\mathbf{d}^T \Big\rceil_p .$$

The challenger in this hybrid, given a query $x^{(i)}$, will first check whether $\mathsf{Borderline}_{x^{(i)}}$ holds. If the event happens, the challenger aborts. Otherwise it returns $\mathsf{PRF}_{\mathbf{s}}(x^{(i)})$ as defined above. Note that the challenger only needs to respond to queries $x^{(i)}$ for which $\Pi_L(w^{(i)}) = 0$, which do not depend on $\mathbf{d}$, a fact that will be important later on.
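The following Python model is an added illustration, not part of the report, of the $\mathsf{Borderline}$ event and of the fact just used: away from the borderline, noise bounded by $E$ cannot change the rounded value. It assumes (our choice for the toy) that $q/p$ is an integer and that $\lfloor\cdot\rceil_p$ is floor-style scaling, so that the dangerous zone is exactly $[-E,E] + (q/p)\mathbb{Z}$ as in the definition above.

```python
# Added example, not from the report: an integer model of the rounding step
# and of the Borderline event used in the hybrid argument.
# Assumptions (ours, for the toy): q/p is an integer, and ⌊v⌉_p is taken as
# floor(v·p/q) mod p, so the "dangerous" zone around every rounding boundary
# is exactly [-E, E] + (q/p)·Z, matching the definition of Borderline_x.
import random

Q, P = 2**20, 2**4          # constructed toy moduli; the scheme needs q >> p
STEP = Q // P               # width q/p of one rounding cell


def round_p(v: int, q: int = Q, p: int = P) -> int:
    """⌊v⌉_p: map v in Z_q to Z_p by scaling by p/q and flooring."""
    return ((v % q) * p // q) % p


def is_borderline_coord(v: int, E: int, q: int = Q, p: int = P) -> bool:
    """True iff v lies within E of a multiple of q/p, i.e. v in [-E,E] + (q/p)Z."""
    r = (v % q) % (q // p)
    return min(r, (q // p) - r) <= E


def is_borderline(vec, E: int, q: int = Q, p: int = P) -> bool:
    """Borderline_x: some coordinate j of the pre-rounding vector is dangerous."""
    return any(is_borderline_coord(v, E, q, p) for v in vec)


def noisy_rounding_agrees(vec, noise, E: int, q: int = Q, p: int = P) -> bool:
    """The fact used after Eq. (3): if no coordinate is borderline and the
    noise e' satisfies ||e'|| <= E, then ⌊v + e'⌉_p == ⌊v⌉_p coordinate-wise."""
    assert all(abs(e) <= E for e in noise)
    return all(round_p(v + e, q, p) == round_p(v, q, p)
               for v, e in zip(vec, noise))


def count_borderline(E: int, q: int, p: int) -> int:
    """Exact number of v in Z_q that are borderline (requires 2E+1 <= q/p).
    Each of the p rounding cells contributes the 2E+1 residues nearest its
    boundary, so the count is p·(2E+1): for a uniform coordinate, as in
    hybrid H6, Pr[borderline] = (2E+1)·p/q, negligible when q/p >> E."""
    return sum(1 for v in range(q) if is_borderline_coord(v, E, q, p))


def demo(m: int = 8, E: int = 100, seed: int = 1) -> dict:
    """Sample a uniform pre-rounding vector (as in H6, where a_beta, b_i, c_i, d
    are uniform) and bounded noise, and report whether rounding was affected."""
    rng = random.Random(seed)
    vec = [rng.randrange(Q) for _ in range(m)]          # constructed sample
    noise = [rng.randint(-E, E) for _ in range(m)]      # ||e'|| <= E
    return {
        "borderline": is_borderline(vec, E),
        # Whenever "borderline" is False, "agrees" must be True.
        "agrees": noisy_rounding_agrees(vec, noise, E),
        "exact": [round_p(v) for v in vec],
        "noisy": [round_p(v + e) for v, e in zip(vec, noise)],
    }
```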

Finally, on the challenge query $x^*$, unless abort is needed, it holds that $F(x^*) = 1$ and $\Pi_L(w^*) = 1$ (where $w^* = H(x^*)$) and therefore, unless the event $\mathsf{Borderline}_{x^*}$ happens, it holds that

$$\mathsf{PRF}_{\mathbf{s}}(x^*) = \Big\lfloor \mathbf{b}_{U,x^*}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w^*})\,\mathbf{G}^{-1}(\mathbf{D}) - \mathbf{c}_{\Pi,w^*}\,\mathbf{G}^{-1}(\mathbf{D}) + \mathbf{d}^T \Big\rceil_p .$$

The challenger will therefore abort if $\mathsf{Borderline}_{x^*}$ and return the aforementioned value otherwise (that is, if the bit $b$ is 0; if $b = 1$ then of course a uniform value is returned).

It follows that if we define $\mathsf{Borderline} = (\vee_i\,\mathsf{Borderline}_{x^{(i)}}) \vee \mathsf{Borderline}_{x^*}$, then

$$|\mathsf{Adv}_{H_5}(\mathcal{A}) - \mathsf{Adv}_{H_4}(\mathcal{A})| \le \Pr_{H_5}[\mathsf{Borderline}] .$$

We will bound $\Pr_{H_5}[\mathsf{Borderline}]$ as a part of our analysis in the next hybrid.

As a final remark on this hybrid, we note that in order to execute this hybrid, the challenger does not need to access $\mathbf{s}$ itself, but rather only the $\mathbf{a}_\beta, \mathbf{b}_i, \mathbf{c}_i, \mathbf{d}$ vectors. This will be useful in the next hybrid.


Hybrid $H_6$. In this hybrid, all $\mathbf{a}_\beta, \mathbf{b}_i, \mathbf{c}_i, \mathbf{d}$ are sampled from the uniform distribution. Everything else remains the same. We note that by definition, in hybrid $H_5$:

$$\mathbf{a}_\beta = \mathbf{s}^T\mathbf{A}_\beta + \mathbf{e}_{\mathbf{a},\beta}, \qquad
\mathbf{b}_i = \mathbf{s}^T\mathbf{B}_i + \mathbf{e}_{\mathbf{b},i}, \qquad
\mathbf{c}_i = \mathbf{s}^T\mathbf{C}_i + \mathbf{e}_{\mathbf{c},i}, \qquad
\mathbf{d} = \mathbf{s}^T\mathbf{D} + \mathbf{e}_{\mathbf{d}} ,$$

where all $\mathbf{A}_\beta, \mathbf{B}_i, \mathbf{C}_i, \mathbf{D}$ are uniformly distributed, and all $\mathbf{e}_{\mathbf{a},\beta}, \mathbf{e}_{\mathbf{b},i}, \mathbf{e}_{\mathbf{c},i}, \mathbf{e}_{\mathbf{d}}$ are sampled coordinate-wise from $\chi$. The $\mathsf{DLWE}_{n,q,\chi}$ assumption therefore asserts that

$$|\mathsf{Adv}_{H_6}(\mathcal{A}) - \mathsf{Adv}_{H_5}(\mathcal{A})| \le \mathrm{negl}(\lambda) .$$

Furthermore, since $\mathsf{Borderline}$ is an efficiently recognizable event, it also holds that

$$\Big|\Pr_{H_6}[\mathsf{Borderline}] - \Pr_{H_5}[\mathsf{Borderline}]\Big| \le \mathrm{negl}(\lambda) . \qquad (5)$$

In $H_6$, the probability of $\mathsf{Borderline}$ can be bounded under the 1D-SIS-R assumption.

Claim 5.1.1. Under the $\text{1D-SIS-R}_{q,p,\gamma,m'}$ assumption, it holds that $\Pr_{H_6}[\mathsf{Borderline}] = \mathrm{negl}(\lambda)$, where $m' = m\cdot(2 + z + 2\ell + 1)$, and $\gamma = p\cdot B\cdot m^{O(d+\log\ell)}$.

Proof. Let $\mathbf{v} \in \mathbb{Z}_q^{(2+z+2\ell+1)\cdot m}$ be an input to $\text{1D-SIS-R}_{q,p,\gamma,m'}$. Then define $\mathbf{a}_\beta, \mathbf{b}_i, \mathbf{c}_i, \mathbf{d}$ so that their concatenation is $\mathbf{v}$.

The reduction executes $H_6$ as the challenger, using the vectors defined above. We claim that if $\mathsf{Borderline}$ occurs, then we solve 1D-SIS-R. This follows since if $\mathsf{Borderline}$ occurs then we found $x, j$ such that

$$\Big(\mathbf{b}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\,\mathbf{G}^{-1}(\mathbf{D}) - F(x)\,\mathbf{c}_{\Pi,w}\,\mathbf{G}^{-1}(\mathbf{D}) + F(x)\,\Pi_L(w)\,\mathbf{d}^T\Big)\,\mathbf{u}_j \in [-E,E] + (q/p)\mathbb{Z} .$$

However, by Lemma 4.1, it follows that

$$\mathbf{b}_{U,x} = \sum_{\beta\in\{0,1\}} \mathbf{a}_\beta\,\mathbf{R}_{1,\beta} + \sum_{i\in[z]} \mathbf{b}_i\,\mathbf{R}_{2,i}, \qquad
\mathbf{c}_{\Pi,w} = \sum_{\beta\in\{0,1\}} \mathbf{a}_\beta\,\mathbf{R}'_{1,\beta} + \sum_{i\in[2\ell]} \mathbf{c}_i\,\mathbf{R}_{3,i},$$

where $\|\mathbf{R}_{1,\beta}\|, \|\mathbf{R}_{2,i}\| \le m^{O(d)}$ and $\|\mathbf{R}'_{1,\beta}\|, \|\mathbf{R}_{3,i}\| \le m^{O(\log\ell)}$. It follows that there exists an (efficiently derivable) matrix $\mathbf{R}_0$ such that

$$\mathbf{b}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\,\mathbf{G}^{-1}(\mathbf{D}) - F(x)\,\mathbf{c}_{\Pi,w}\,\mathbf{G}^{-1}(\mathbf{D}) + F(x)\,\Pi_L(w)\,\mathbf{d}^T = \mathbf{v}^T\mathbf{R}_0$$

and $\|\mathbf{R}_0\| \le m^{O(d+\log\ell)}$.

Finally,

$$\langle \mathbf{v},\ \mathbf{R}_0\cdot\mathbf{u}_j\rangle \in [-E,E] + (q/p)\mathbb{Z} ,$$

with $\|\mathbf{R}_0\cdot\mathbf{u}_j\| \le \|\mathbf{R}_0\| \le m^{O(d+\log\ell)}$ and $E = B\cdot m^{O(d+\log\ell)} = m^{O(d+\log\ell)}$. Thus $\mathbf{R}_0\cdot\mathbf{u}_j$ is a valid solution for $\text{1D-SIS-R}_{q,p,\gamma,m'}$. The claim thus follows. ■


Putting together Claim 5.1.1 and Eq. (5), we get that

$$\Pr_{H_5}[\mathsf{Borderline}] \le \Pr_{H_6}[\mathsf{Borderline}] + \mathrm{negl}(\lambda) \le \mathrm{negl}(\lambda) ,$$

and thus, finally,

$$|\mathsf{Adv}_{H_5}(\mathcal{A}) - \mathsf{Adv}_{H_6}(\mathcal{A})| \le \mathrm{negl}(\lambda) .$$

Finally, we notice that the vector $\mathbf{d}$ is only used when answering the challenge query in the case of $b = 0$. This means that in the adversary's view, the answer it gets when $b = 0$ is uniform and independent of its view so far, exactly the same as the case $b = 1$ where an actual random vector is returned. It follows that

$$\mathsf{Adv}_{H_6}(\mathcal{A}) = 1/2 .$$

On the other hand,

$$\mathsf{Adv}_{H_6}(\mathcal{A}) \ge 1/2 + \epsilon\Delta/4 - \mathrm{negl}(\lambda) ,$$

and thus

$$\epsilon \le \frac{\mathrm{negl}(\lambda)}{\Delta/4} = \mathrm{negl}(\lambda) .$$

It follows that $\mathcal{A}$ cannot achieve a noticeable advantage in the constrained PRF experiment under the $\mathsf{DLWE}_{n,q,\chi}$ assumption. □
5.4 Computational Functionality Preserving

We now prove the computational functionality preservation of our scheme, as per Definition 3.1. Throughout this section, we let $\mathcal{F}$ be a family of $z$-uniform functions and let $d$ be a depth bound (both can depend on $\lambda$). We let $n = n(\lambda,d)$, $m = m(\lambda,d)$, $q = q(\lambda,d)$, $p = p(\lambda,d)$ and the noise distribution $\chi = \chi(\lambda,d)$ be as defined in Section 5.2. We let $\mathcal{H}$ be the family of admissible hash functions as described in Section 3.4, with range $\{0,1\}^\ell$.

Theorem 5.2. Let $\mathcal{F}$ be a family of $z$-uniform functions and let $d$ be a depth bound (both can depend on $\lambda$). Let $n = n(\lambda,d)$, $m = m(\lambda,d)$, $q = q(\lambda,d)$, $p = p(\lambda,d)$ and the noise distribution $\chi = \chi(\lambda,d)$ be as defined in Section 5.2. Further let $m' = m\cdot(z + 2\ell + 3)$, and $\gamma = \omega(\sqrt{n\log\lambda})\cdot p\cdot m^{O(d+\log\ell)}$.

Assuming the hardness of $\mathsf{DLWE}_{n,q,\chi}$ and $\text{1D-SIS-R}_{q,p,\gamma,m'}$, the scheme $\mathsf{CPRF}$ is computationally functionality preserving.

We note that the hardness of both assumptions translates to the worst-case hardness of approximating lattice problems such as GapSVP and SIVP to within sub-exponential factors.


Proof outline. The theorem follows from an argument practically identical to that made in Hybrids $H_5$, $H_6$ of the proof of Theorem 5.1.

Recall that we showed that $\mathsf{Borderline}$ events only happen with negligible probability, and therefore with all but negligible probability, it holds that the PRF value at point $x^{(i)}$ is exactly equal to

$$\Big\lfloor \mathbf{b}_{U,x^{(i)}}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w^{(i)}})\,\mathbf{G}^{-1}(\mathbf{D}) - F(x^{(i)})\,\mathbf{c}_{\Pi,w^{(i)}}\,\mathbf{G}^{-1}(\mathbf{D}) + F(x^{(i)})\,\Pi_L(w^{(i)})\,\mathbf{d}^T \Big\rceil_p .$$

However, when $F(x^{(i)}) = 0$, this term simplifies to

$$\Big\lfloor \mathbf{b}_{U,x^{(i)}}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w^{(i)}})\,\mathbf{G}^{-1}(\mathbf{D}) \Big\rceil_p ,$$

which is exactly $\mathsf{ConstrainEval}(K_F, \mathsf{PP}, x^{(i)})$ by definition. Functionality is thus preserved with all but negligible probability. □


5.5 Other Properties

We describe several other properties that our construction satisfies.

Unconditional Almost-Correctness. We have shown that our constrained PRF satisfies a computational correctness property, namely that it is hard to find an input $x$ such that $\mathsf{PRF}_K(x) \ne \mathsf{ConstrainEval}(K_F, \mathsf{PP}, x)$. We are also able to show unconditionally that the constrained evaluation and the actual PRF evaluation do not differ by much, for any input $x$. Indeed, by Equations (3) and (4), we have

$$\|\mathsf{PRF}_K(x) - \mathsf{ConstrainEval}(K_F, \mathsf{PP}, x)\|_\infty \le m^{O(d)}\cdot B .$$

Key Homomorphism. Our PRF is also "almost key homomorphic" in the sense that $\mathsf{PRF}_{\mathbf{s}}(x) + \mathsf{PRF}_{\mathbf{s}'}(x)$ is close to $\mathsf{PRF}_{\mathbf{s}+\mathbf{s}'}(x)$ for any keys $\mathbf{s}$ and $\mathbf{s}'$ and any input $x$. Recall that our PRF is

$$\mathsf{PRF}_{\mathbf{s}}(x) = \Big\lfloor \mathbf{s}^T\mathbf{B}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\cdot\mathbf{G}^{-1}(\mathbf{D}) \Big\rceil_p .$$

For any keys $\mathbf{s}_i$ and input $x$, denoting $\mathbf{s}_i^T\mathbf{B}_{U,x}\cdot\mathbf{G}^{-1}(\mathbf{C}_{\Pi,w})\cdot\mathbf{G}^{-1}(\mathbf{D})$ as $\mathbf{h}_i$, we have

$$\Big\|\mathsf{PRF}_{\sum_i \mathbf{s}_i}(x) - \sum_i \mathsf{PRF}_{\mathbf{s}_i}(x)\Big\|_\infty = \Big\|\Big\lfloor \sum_i \mathbf{h}_i \Big\rceil_p - \sum_i \lfloor \mathbf{h}_i \rceil_p \Big\|_\infty \le k + 1 .$$

Constrained-Key Homomorphism. Our constrained keys are "almost homomorphic" as well, in the same sense as above. That is, if $K_F$ and $K'_F$ are constrained versions of PRF keys $K$ and $K'$ for the same function $F$, the summation $K_F + K'_F$ is a constrained version of $K + K'$ for the function $F$. For any input $x$, we then have that $\mathsf{ConstrainEval}(K_F + K'_F, \mathsf{PP}, x)$ is close to $\mathsf{PRF}_{K+K'}(x)$.

We  remark  that  techniques  similar  to  what  we  used  in  showing  computational  correctness  can  be 
used  to  strengthen  the  almost  key-homomorphism  property  into  computational  key-homomorphism 
where  it  is  computationally  hard  to  find  an  input  for  which  key  homomorphism  does  not  hold. 


6 Succinct Constrained Keys

In this section we show how to reduce the size of the constrained key so that asymptotically it depends only on the security parameter and is independent of the function class. The construction builds upon the scheme $\mathsf{CPRF}$ from Section 5 but reduces the key size by utilizing an attribute-based encryption scheme (ABE). In particular, the constrained keys in our new system have size $\mathrm{poly}(\lambda)$, independent of the parameters of the constraining circuit (namely, its size or depth).

Our succinct constrained PRF $\mathsf{SCPRF}$ for a $z$-uniform $d$-depth-bounded family $\mathcal{F}$ works as follows.

• $\mathsf{KeyGen}(1^\lambda, 1^z, 1^d)$: The key generation algorithm takes as input the maximum size $z$ and depth $d$ of the constraining circuits. Let $t = O(\log z)$ be a parameter to be specified later.

It starts by calling $\mathsf{CPRF.KeyGen}(1^\lambda, 1^z, 1^d)$ to obtain the seed $\mathbf{s}$ and public parameters $\mathsf{PP} = (H, \mathbf{A}_0, \mathbf{A}_1, \{\mathbf{B}_i\}_{i\in[z]})$.

It then generates $\mathbf{a}_\beta = \mathbf{s}^T(\mathbf{A}_\beta + \beta\mathbf{G}) + \mathbf{e}_\beta$ and $\mathbf{b}_{i,\beta} = \mathbf{s}^T(\mathbf{B}_i + \beta\mathbf{G}) + \mathbf{e}_{i,\beta}$. Note that any possible constrained key of $\mathsf{CPRF}$ consists of $\mathbf{a}_0$ and $\mathbf{a}_1$, together with a subset of $\{\mathbf{b}_{i,\beta}\}_{i\in[z],\beta\in\{0,1\}}$.

Next it generates parameters for the ABE scheme $(\mathsf{ABE.msk}, \mathsf{ABE.pp}) \leftarrow \mathsf{ABE.Setup}(1^\lambda, 1^t)$, and generates $\mathsf{ct}_{i,\beta} \leftarrow \mathsf{ABE.Enc}(\mathsf{ABE.pp}, (i,\beta), \mathbf{b}_{i,\beta})$, encryptions with $(i,\beta)$ as the "attributes" and $\mathbf{b}_{i,\beta}$ as the "message".

The public parameters consist of

$$\mathsf{SCPRF.PP} = \big(\mathsf{CPRF.PP},\ \mathsf{ABE.PP},\ \mathbf{a}_0,\ \mathbf{a}_1,\ \{\mathsf{ct}_{i,\beta}\}_{i,\beta}\big) .$$

The seed for $\mathsf{SCPRF}$ contains a seed for $\mathsf{CPRF}$, namely a uniformly random vector $\mathbf{s} \in \mathbb{Z}_q^n$, and in addition the ABE master secret key $\mathsf{ABE.msk}$. We note that in fact $\mathbf{s}$ can be retrieved from the public parameters using $\mathsf{ABE.msk}$ and therefore it is not necessary to give it explicitly. However, it is more natural to think of $\mathbf{s}$ as a part of the seed. In particular $\mathbf{s}$ will be used to evaluate $\mathsf{SCPRF}$ (see $\mathsf{Eval}$ below) and $\mathsf{ABE.msk}$ will be used to produce constrained keys (see $\mathsf{Constrain}$ below).
• $\mathsf{Eval}(\mathbf{s}, \mathsf{PP}, x)$ takes as input the PRF seed $\mathbf{s}$, the public parameters $\mathsf{PP}$ which contain $\mathsf{CPRF.pp}$, and an input $x \in \{0,1\}^k$ such that $k \le k_d$ (i.e. $U_k$ is of depth $\le d$), and outputs the result of the CPRF evaluation, namely $\mathsf{CPRF.Eval}(\mathbf{s}, \mathsf{CPRF.pp}, x)$.

• $\mathsf{Constrain}(\mathsf{ABE.msk}, F)$ takes as input the ABE master secret key $\mathsf{ABE.msk}$ and a circuit $F$ (represented as a string in $\{0,1\}^z$) and does the following. Consider the function:

Note that $\phi_F$ can be computed by a depth $O(\log z)$ circuit (whose depth is independent of the depth of $F$ itself); the parameter $t$ from above is set to be equal to this depth. We recall Section 3.5

The constrained key for $F$ is the ABE token for $\phi_F$, namely

$$K_F = \mathsf{ABE.KeyGen}(\mathsf{ABE.msk}, \phi_F) .$$

• $\mathsf{ConstrainEval}(K_F, \mathsf{PP}, x)$ takes as input the constrained key $K_F$, the public parameters $\mathsf{PP}$ and an input $x$.

Recalling that $\mathsf{PP} = (\mathsf{CPRF.pp}, \mathsf{ABE.pp}, \mathbf{a}_0, \mathbf{a}_1, \{\mathsf{ct}_{i,\beta}\})$, and that $K_F$ is the ABE decryption key for the function $\phi_F$, it first decrypts to obtain $\mathbf{b}_i = \mathsf{ABE.Dec}(K_F, \mathsf{ct}_{i,F_i})$ and then applies the constrained evaluation algorithm $\mathsf{CPRF.ConstrainEval}((\mathbf{a}_0, \mathbf{a}_1, \{\mathbf{b}_i\}), \mathsf{CPRF.PP}, x)$.

The correctness follows in a straightforward manner from the correctness of $\mathsf{ABE}$ and $\mathsf{CPRF}$. The constrained key size of $\mathsf{SCPRF}$ is derived from that of $\mathsf{ABE}$ and is $\mathrm{poly}(\lambda, t) = \mathrm{poly}(\lambda, \log z)$. It follows that there exists a $\mathrm{poly}(\lambda)$ asymptotic upper bound on the key sizes that applies for all polynomial values of $z$. Security is proven in the following theorem.

Theorem 6.1. If $\mathsf{CPRF}$ is a single-key secure constrained pseudorandom function for function class $\mathcal{F}$ (Definition 3.1), which is built according to the template in Section 5, and if $\mathsf{ABE}$ is a selectively secure ABE scheme (Definition 3.6), then the scheme $\mathsf{SCPRF}$ described above is a secure single-key CPRF for $\mathcal{F}$.

Proof. Let $\mathcal{A}$ be a CPRF adversary against $\mathsf{SCPRF}$. The proof will proceed by a sequence of hybrids where in each hybrid the challenger will sample a random bit $b$ and the adversary's success in inferring $b$ will be $\mathcal{A}$'s advantage in the hybrid.

Hybrid $H_0$. This hybrid is the constrained PRF security game for $\mathsf{SCPRF}$. The challenger generates $(\mathsf{SK}, \mathsf{PP}) \leftarrow \mathsf{KeyGen}(1^\lambda, 1^z, 1^d)$. It gets $F \in \{0,1\}^z$ from $\mathcal{A}$ and produces a constrained key $K_F \leftarrow \mathsf{Constrain}(\mathsf{SK}, \mathsf{PP}, F)$. It then sends $\mathsf{PP}, K_F$ to $\mathcal{A}$. At this point $\mathcal{A}$ adaptively makes queries $x^{(i)} \in \{0,1\}^*$, and the challenger computes $y^{(i)} \leftarrow \mathsf{Eval}(\mathbf{s}, \mathsf{PP}, x^{(i)})$ and returns it to $\mathcal{A}$. Finally, $\mathcal{A}$ outputs $x^* \in \{0,1\}^*$. If $b = 0$ then the challenger returns $y^* \leftarrow \mathsf{Eval}(\mathbf{s}, \mathsf{PP}, x^*)$, and if $b = 1$ it returns a random $y^*$.

$$\mathsf{Adv}_{H_0}(\mathcal{A}) \ge 1/2 + \epsilon .$$
Hybrid $H_1$. In this hybrid, the challenger does the following. It first receives the function $F$ and then generates $(\mathsf{SK}, \mathsf{PP})$ with one change compared to the previous hybrid. The ciphertexts $\mathsf{ct}_{i,1-F_i}$ will now be generated as $\mathsf{ABE.Enc}(\mathsf{ABE.pp}, (i,\beta), 0)$.

Claim 6.1.1. Under the selective security of $\mathsf{ABE}$, it holds that

$$|\mathsf{Adv}_{H_0}(\mathcal{A}) - \mathsf{Adv}_{H_1}(\mathcal{A})| \le \mathrm{negl}(\lambda) .$$

Proof. Let $\mathcal{B}$ be the following adversary against multi-message selective security of $\mathsf{ABE}$ (see Definition 3.6), which will work by simulating the interaction of $\mathcal{A}$ in the CPRF security game against $\mathsf{SCPRF}$. First of all $\mathcal{B}$ generates a key pair $(\mathbf{s}, \mathsf{CPRF.PP}) \leftarrow \mathsf{CPRF.KeyGen}(1^\lambda, 1^z, 1^d)$, and produces the vectors $\mathbf{a}_\beta, \mathbf{b}_{i,\beta}$ as in the key generation process of $\mathsf{SCPRF}$.

Then $\mathcal{B}$ runs $\mathcal{A}$ to obtain the function description $F \in \{0,1\}^z$. It sends to the $\mathsf{ABE}$ challenger the attribute sequence $\{(i, 1-F_i)\}_{i\in[z]}$. Then, for each $i$, it will send to the $\mathsf{ABE}$ challenger the message pair $m_{0,i} = \mathbf{b}_{i,1-F_i}$, $m_{1,i} = 0$. It receives $\mathsf{ABE.PP}$ and ciphertexts $\mathsf{ct}_{i,1-F_i}$ which encrypt either $m_{0,i}$ or $m_{1,i}$. Using $\mathsf{ABE.PP}$ it generates $\mathsf{ct}_{i,F_i}$ by itself as in $\mathsf{SCPRF.KeyGen}$. Further, $\mathcal{B}$ generates $\mathsf{SCPRF.PP}$ using $\mathsf{CPRF.PP}$, $\mathsf{ABE.PP}$ and $\mathsf{ct}_{i,\beta}$, and forwards this value to $\mathcal{A}$. Note that this is distributed identically to an $\mathsf{SCPRF.PP}$ in $H_0$ if $b = 0$ and identically to $\mathsf{SCPRF.PP}$ in $H_1$ if $b = 1$.

Next, $\mathcal{B}$ queries the $\mathsf{ABE}$ challenger on the function token $\phi_F$, noting that $\phi_F(i, 1-F_i) = 0$ for all $i$. The challenger responds with the appropriate token, which will be forwarded to $\mathcal{A}$ as $K_F$. Note that this value is correctly distributed.

The adversary $\mathcal{B}$ continues to simulate $\mathcal{A}$, answering its oracle queries using the seed $\mathbf{s}$. Finally, when $\mathcal{A}$ halts and outputs some $b'$, $\mathcal{B}$ halts as well and outputs $b'$ as its own output.

By definition, the advantage of $\mathcal{B}$ against $\mathsf{ABE}$ is exactly $\mathsf{Adv}_{H_0}(\mathcal{A}) - \mathsf{Adv}_{H_1}(\mathcal{A})$, and the claim follows from the selective security of $\mathsf{ABE}$. ■

Next, we notice that the adversary's advantage in this hybrid cannot be noticeable without breaking the security of $\mathsf{CPRF}$.

Claim 6.1.2. If $\mathsf{CPRF}$ is a secure single-key constrained PRF then $|\mathsf{Adv}_{H_1}(\mathcal{A}) - 1/2| = \mathrm{negl}(\lambda)$.

Proof. We present an adversary $\mathcal{B}$ against $\mathsf{CPRF}$ whose advantage is $|\mathsf{Adv}_{H_1}(\mathcal{A}) - 1/2|$ as follows. It will first get $F$ from $\mathcal{A}$ and forward it to the $\mathsf{CPRF}$ challenger. Then, upon receiving $\mathsf{CPRF.PP}$, $\mathbf{a}_\beta, \mathbf{b}_i$, it will generate $(\mathsf{ABE.msk}, \mathsf{ABE.PP})$ by itself. Then it will encrypt $\mathbf{b}_i$ as $\mathbf{b}_{i,F_i}$ to obtain $\mathsf{ct}_{i,F_i}$ and will encrypt zero to obtain $\mathsf{ct}_{i,1-F_i}$. Finally it will generate $K_F$ by running $\mathsf{ABE.KeyGen}$ on the function $\phi_F$. This will allow generating $\mathsf{SCPRF.PP}, K_F$ which are consistent with the distribution that $\mathcal{A}$ receives in $H_1$.

The values $\mathsf{SCPRF.PP}, K_F$ will be sent to $\mathcal{A}$, and when $\mathcal{A}$ makes PRF queries they will be forwarded to the $\mathsf{CPRF}$ challenger, and the response forwarded back to $\mathcal{A}$. In addition, $\mathcal{A}$'s challenge will be forwarded, and the response forwarded back. When $\mathcal{A}$ terminates and returns $b'$, the same $b'$ will be returned by $\mathcal{B}$.

It is straightforward to see that whenever $\mathcal{A}$ wins in $H_1$, $\mathcal{B}$ wins against $\mathsf{CPRF}$. The claim follows. ■

Putting the two claims together, it follows that

$$1/2 + \epsilon \le \mathsf{Adv}_{H_0}(\mathcal{A}) \le \mathsf{Adv}_{H_1}(\mathcal{A}) + \mathrm{negl}(\lambda) \le 1/2 + \mathrm{negl}(\lambda) ,$$

which completes the proof of the theorem. □
Abstract. We devise multi-party computation protocols for general secure function evaluation with the property that each party is only required to communicate with a small number of dynamically chosen parties. More explicitly, starting with $n$ parties connected via a complete and synchronous network, our protocol requires each party to send messages to (and process messages from) at most polylog(n) other parties using polylog(n) rounds. It achieves secure computation of any polynomial-time computable randomized function $f$ under cryptographic assumptions, and tolerates up to $(1/3 - \epsilon)\cdot n$ statically scheduled Byzantine faults.

We then focus on the particularly interesting setting in which the function to be computed is a sublinear algorithm: an evaluation of $f$ depends on the inputs of at most $q = o(n)$ of the parties, where the identity of these parties can be chosen randomly and possibly adaptively. Typically, $q = \mathrm{polylog}(n)$. While the sublinear query complexity of $f$ makes it possible in principle to dramatically reduce the communication complexity of our general protocol, the challenge is to achieve this while maintaining security: in particular, while keeping the identities of the selected inputs completely hidden. We solve this challenge, and we provide a protocol for securely computing such sublinear $f$ that runs in $\mathrm{polylog}(n) + O(q)$ rounds, has each party communicating with at most $q\cdot\mathrm{polylog}(n)$ other parties, and supports message sizes $\mathrm{polylog}(n)\cdot(\ell + n)$, where $\ell$ is the parties' input size.

Our optimized protocols rely on a multi-signature scheme, fully homomorphic encryption (FHE), and simulation-sound adaptive NIZK arguments. However, we remark that multi-signatures and FHE are used only to obtain our bounds on message size and round complexity. Assuming only standard digital signatures and public-key encryption, one can still obtain the property that each party only communicates with polylog(n) other parties. We emphasize that the scheduling of faults can depend on the initial PKI setup of digital signatures and the NIZK parameters.

* This research was initiated and done in part while the authors were visiting the Isaac Newton Institute for Mathematical Sciences in Cambridge, UK.

A. Sahai (Ed.): TCC 2013, LNCS 7785, pp. 356-376, 2013.
1 Introduction

Multiparty computation (MPC) protocols for secure function evaluation (SFE) have witnessed a significant body of work within the cryptography research community in the last 30 years.

These days, an emerging area of potential applications for secure MPC is to address privacy concerns in data aggregation and analysis, to match the explosive current growth of available data. Large data sets, such as medical data, transaction data, the web and web access logs, or network traffic data, are now in abundance. Much of the data is stored or made accessible in a distributed fashion. This necessitated the development of efficient distributed protocols to compute over such data. In order to address the privacy concerns associated with such protocols, cryptographic techniques such as MPC for SFE, where data items are equated with servers, can be utilized to prevent unnecessary leakage of information.

However, before MPC can be effectively used to address today's challenges, we need protocols whose efficiency and communication requirements scale practically to the modern regime of massive data. An important metric that has great effect on feasibility but has attracted surprisingly little attention thus far is the number of other parties that each party must communicate with during the course of the protocol. We refer to this as the communication locality. Indeed, if we consider a setting where potentially hundreds of thousands, or even millions of parties are participating in a computation over the internet, requiring coordination between each pair of parties will be unrealistic.

In this work, we work to optimize the communication locality for general secure function evaluation on data which is held distributively among $n$ parties. These parties are connected via a complete synchronous communication network, of whom $(1/3 - \epsilon)n$ may be statically scheduled, computationally bounded Byzantine faults. We do not assume the existence of broadcast channels.

We also focus on a particularly interesting setting in which the randomized function $f$ to be computed is a sublinear algorithm: namely, a random execution of $f(x_1, \ldots, x_n)$ depends on at most $q = o(n)$ of the inputs $x_i$. We consider both non-adaptive and adaptive sublinear algorithms, in which the identities of the selected inputs may depend on the randomness $r$ of execution, or on both $r$ and the values of $x_i$ queried thus far. Sublinear algorithms play an important role in efficiently testing properties and trends when computing on large data sets. The sublinear query complexity makes it possible in principle to dramatically reduce the amount of information that needs to be communicated within the protocol. However, the challenge is to achieve this while maintaining security — in particular, keeping the identities of the selected inputs completely hidden.

Straightforward application of known general MPC techniques results in protocols where each party sends and receives messages from all $n$ parties, and where the overall communication complexity is $O(n^2)$, regardless of the complexity of the function to be computed. We remark that this is obviously the case for the classical general SFE protocols (beginning with [26,4,5]) in which every party first secret shares its input among all other parties (and exchanges messages between all $n$ parties at the evaluation of every gate of the circuit of the function computed). Furthermore, although much progress was made in the MPC literature of the last two decades to make MPC protocols more efficient and suitable for practice, this is still the case both in works on scalable MPC [17,20,19,18] and more recent works utilizing the existence of fully homomorphic encryption schemes for MPC. The latter achieve communication complexity that is independent of the circuit size, but not of the number of parties when broadcast channels are not available.

A recent notable exception to the need of each party to communicate with all other parties is the beautiful work of King, Saia, Sanwalani and Vee [33] on what they call scalable protocols for a relaxation of the Byzantine agreement and leader election problems. Their protocols require each honest party to send and process a polylog(n) number of bits. On the down side, the protocols of [33] do not guarantee that all honest parties will achieve agreement, but only guarantee that a $1 - o(1)$ fraction of the good processors reach agreement — achieving only so-called almost-everywhere agreement. In another work of King et al. [32], it is shown how, using $O(\sqrt{n})$ communication, full Byzantine agreement can be achieved. The technique of almost-everywhere leader election of [31] will be the technical starting point of our work.


1.1 Our Results

We provide multiparty computation protocols for general secure function evaluation with communication locality that is polylogarithmic in the number of parties. That is, starting with $n$ parties connected via a complete and synchronous network, we prove the following main theorem:

Theorem 1. Let $f$ be any polynomial-time randomized functionality on $n$ inputs. Then, for every constant $\epsilon > 0$, there exists an $n$-party protocol $\Pi_f$ that securely computes a random evaluation of $f$, tolerating $t < (1/3 - \epsilon)n$ statically scheduled active corruptions, with the following complexities:

(1) Communication locality: polylog(n).

(2) Round complexity: polylog(n).

(3) Message sizes: $O(n\cdot\ell\cdot\mathrm{polylog}(n))$, where $\ell = |x_i|$ is the individual input size.

(4) The protocol uses a setup consisting of $n\cdot\mathrm{polylog}(n)$ signing keys of size polylog(n), as well as a polylog(n)-long additional common random string (CRS).¹

The protocol assumes a secure multisignature scheme, a fully homomorphic encryption (FHE) scheme, simulation-sound NIZK arguments, as well as pseudorandom generators.

Assuming only a standard signature scheme and semantically secure public-key encryption, and setup as in (4), there exists a protocol for securely computing $f$ with polylog(n) communication locality.

¹ Adversarial corruptions may be made as a function of this setup information.
Multisignatures are digital signatures which enable the verification that a large number of signers have signed a given message, where the number of signers is not fixed in advance. The size of a multisignature is independent of the number of signers, but in order to determine their identities one must attach identifying information to the signature. Standard instantiations of such schemes exist under the bilinear computational Diffie-Hellman assumption [44,36].

The use of multisignatures rather than standard digital signatures enables us to bound the size of the messages sent in the protocol. Further, the use of FHE enables us to bound the number of messages sent, rather than depend on the time complexity of the function $f$ to be computed and polynomially on the input size. However, we can obtain the most important feature of our complexity, the need of every party to send messages to (and process messages from) only polylog(n) parties in the network, solely under the assumption that digital signatures and public-key encryption exist.

In addition, we show how to convert an arbitrary sublinear algorithm with query complexity $q = \mathrm{polylog}(n)$ into a multi-party protocol to evaluate a randomized run of the algorithm with polylog(n) communication locality and rounds, and where the total communication complexity sent by each party is only $O(\mathrm{polylog}(n)\cdot(\ell + n))$ for $\ell = |x_i|$ an individual input size. We prove that participating in the MPC reveals no information beyond the output of the sublinear algorithm execution using a standard Ideal/Real simulation-based security definition.

For underlying query complexity $q$, our second main theorem is as follows:

Theorem 2. Let SLA be a sublinear algorithm which retrieves $q = q(n) = o(n)$ different inputs. Then, for all constant $\epsilon > 0$, there exists an $n$-party protocol $\Pi_{\mathrm{SLA}}$ that securely computes an execution of the sublinear algorithm SLA tolerating $t < (1/3 - \epsilon)n$ statically scheduled active corruptions, with the following complexities, where $\ell$ is the size of the individual inputs held by the parties:

(1) Communication locality: $q\cdot\mathrm{polylog}(n)$.

(2) Round complexity: $O(q) + \mathrm{polylog}(n)$.

(3) Message sizes: $O((\ell + n)\cdot\mathrm{polylog}(n))$.

(4) The protocol uses a setup consisting of $n\cdot\mathrm{polylog}(n)$ signing keys of size polylog(n), as well as a polylog(n)-long additional CRS.

The protocol assumes a secure multisignature scheme, an FHE scheme, simulation-sound NIZK arguments, and pseudorandom generators.

Techniques.  We  first  describe  how  to  achieve  our  second  result,  for  the  case 
when  /  is  a  sublinear  algorithm.  This  setting  requires  additional  techniques  in 
order  to  attain  the  communication  complexity  gains.  After  this,  we  describe 
the  appropriate  modifications  required  to  maintain  polylog(n)  communication 
locality  for  general  functions  /. 

There are three main technical components to our protocol for sublinear algorithms. The first is to set up a committee structure constituted of a supreme committee C and n input committees C_1, ..., C_n. These committees will all be of size polylog(n) and with high probability have a 2/3 majority of honest parties. Each committee C_i will (to begin with) hold shares of the input x_i, whereas the role of the supreme committee will essentially be to govern the running of the protocol. A major challenge is to ensure that all parties in the network know the identity of parties in all the committees. The starting point to address this challenge is to utilize the communication-efficient almost-everywhere leader election protocol of [31]. We remark that [33] achieves better total communication complexity of polylog(n) bits and offers unconditional results, but only achieves an almost-everywhere agreement: there may be an o(1) fraction of honest parties who will not reach agreement and, in our context, will not know the makeup of the committees. The main idea to remedy this situation is to add an iterated certification procedure using multi-signatures to the protocol of [H], while keeping the complexity of only polylog(n) messages sent and processed by any honest party. In the process, however, we move from unconditional to computational security and our message sizes grow, as they will be signed by multi-signatures. Whereas the size of the multi-signatures depends only on the security parameter, the messages should indicate the identities of the signers; this is the cause for the increased size of messages.

The second component is to implement a randomly chosen secret reshuffling ρ of parties' inputs within the complexity restrictions we have allotted. At the end of the shuffling, committee C_{ρ(i)} will hold the input of committee C_i. Informally, this will address the major privacy issue in executing a sublinear algorithm in a distributed setting, which is to ensure that the adversary does not learn which of the n inputs are used by the algorithm. We implement the shuffling via distributed evaluation of a switching network with very good mixing properties under random switching, all under central coordination by the supreme committee. We assume that a fixed switching network over n wires is given, with depth d = polylog(n), and is known to everyone.

The third component, once the inputs have been thus permuted, is to actually run the execution of the sublinear algorithm. For lack of space, let us illustrate how this is done for the subclass of non-adaptive sublinear algorithms. This is a class of algorithms that proceed in two steps:

— First, a random subset I of size q of the indices 1, ..., n is selected.

— Second, an arbitrary polynomial-time algorithm is computed on inputs x_j for j ∈ I.

To run an execution of such an algorithm, the supreme committee first selects a random and secret subset I of the inputs of size q = polylog(n); and second, runs a secure function evaluation (SFE) protocol on the set of inputs in ρ(I) with the assistance of parties in committees C_j for j ∈ ρ(I). In the adaptive case, one essentially assumes queries are asked in sequence, and executes the sublinear algorithm in a similar way query after query, contacting committee ρ(i) for each query i, instead of parallelizing the computation for all inputs from I. The price to pay is an additive factor q in the number of rounds of the protocol. However, note that in the common case q = polylog(n), this does not affect the overall asymptotic complexity.
Now, consider the case when f is a general polynomial-time function, whose evaluation may depend on a large number of its inputs. In this case, we can skip the aforementioned shuffling procedure, and instead simply have each party P_i send his (encrypted) input up to the supreme committee C to run the evaluation of f. That is, each P_i gives an encryption of his input to the members of his input committee C_i, and each party in C_i sends the ciphertext up to C via a communication tree that is constructed during the process of electing committees (in Step 1). Then, the members of the supreme committee C (who collectively have the ability to decrypt ciphertexts) are able to evaluate the functionality f directly via a standard SFE.

Remarks. A few remarks are in order.

— Flooding by faulty parties. There is no limit (nor can there be) on how many messages are sent by faulty parties to honest parties, as is the case in the works mentioned above. To address this issue in [34, 32, 33, 21], for example, it is (implicitly) assumed that the authenticated channels between parties can "recognize" messages from unwarranted senders which should not be processed and automatically drop them, whereas we will use a digital signature verification procedure to recognize and drop these messages which should not be processed.

— Security definition for sublinear algorithms. The security definition we achieve is the standard definition of secure multiparty computation (MPC). Informally, the parties will receive the output corresponding to a random execution of the sublinear algorithm but nothing else. Formally, we use the ideal/real simulation-based type definition. We note that in the works of [20, 23, 31] on MPC for approximation algorithms for functions f, privacy is defined so as to mean that no information is revealed beyond the exact value of f, rather than beyond the approximate value of f computed by the protocol. One may ask for a similar privacy definition for sublinear algorithms, which are an approximation algorithm of sorts. However, this is an orthogonal concern to the one we address in this work.


1.2 Further Related Work

Work on MPC in partially connected networks, such as the recent work of Chandran, Garay and Ostrovsky mm, shows MPC protocols for network graphs of degree polylog(n) (thus each party is connected to no more than polylog(n) parties). They can only show how to achieve MPC amongst all but o(n) honest parties. Indeed, in this setting it is unavoidable for some of the honest parties to be cut out from every other honest party. In contrast, in the present work, although the n parties are connected via a complete network and potentially any party can communicate with any other party, our protocols require each honest party to communicate with only at most polylog(n) parties, whose identity is only determined during the course of the protocol execution.
The problem of sublinear communication in MPC has also been considered in the realm of two-party protocols, e.g. by m who provide communication-preserving protocols for secure function evaluation (but which require super-polynomial computational effort), and in a recent collection of works including [28] which achieve amortized sublinear time protocols, and the work of m which shows polylogarithmic communication for specific functions.

An interesting point of comparison to our result is the work of Halevi, Lindell and Pinkas [30]. They design computationally secure MPC protocols for n parties in which one party is singled out as a server and all other parties communicate directly with the server in sequence (in one round of communication each). However, it is easy to see that protocols in this model can only provide a limited privacy guarantee: for example, as pointed out by the authors, if the last i parties collude with the server then they can always evaluate the function on as many input settings as they wish for variable positions n − i, n − i + 1, ..., n. No such limitations exist in our model.

In a recent and independent work to the current paper, King et al. [21] extend [32] to show a protocol for unconditionally secure SFE for general f that requires every party to send at most O(m/n + √n) messages, where m is the size of a circuit representation of f. A cursory comparison to our work shows that in [21] each party sends messages to Ω(√n) other parties.

Finally, let us point out that our approach to anonymize access patterns to parties is similar in spirit to problems arising in the context of Oblivious RAM [2?], and uses similar ideas to the obfuscated secret shuffling protocols of Adida and Wikström [2].

2 Preliminaries

We recall first the definitions of standard basic tools used throughout the paper, and then move to some important results on shuffling and our notation for sublinear algorithms.

2.1 Basic Tools

Non-interactive Zero Knowledge. We make use of a standard non-interactive zero knowledge (NIZK) argument system (Gen, Prove, Verify, S = (S_crs, S_Proof)) with unbounded adaptive simulation soundness, as defined in mm. That is, soundness of the argument system holds even against PPT adversaries who are given access to an oracle that produces simulated proofs of (potentially false) statements. For a formal definition, we refer the reader to, e.g., mm.

Theorem 1. [42] There exists an unbounded simulation-sound NIZK proof system, for any NP language L, based on trapdoor one-way permutations, with proof length poly(|x|, |w|), where x is the statement and w is the witness.
Fully Homomorphic Encryption. We make use of a fully homomorphic public-key encryption (FHE) scheme (Gen, Enc, Dec, Eval) as defined in, e.g., [23]. For our purposes, we require an FHE scheme with the additional property of certifiability. A certifiable FHE scheme is associated with a set R of "good" encryption randomness such that (repeated execution of) the Eval algorithm and the decryption algorithm Dec are correct on ciphertexts derived from those using randomness from R to encrypt. A formal definition follows.

Definition 1. For a given subset R ⊆ {0,1}^{poly(k)} of possible randomness values, we (recursively) define the class of R-evolved ciphertexts with respect to a public key pk to include all ciphertexts c of the form:

— c = Enc_pk(m; r) for some m in the valid message space and randomness r ∈ R, and

— c = Eval_pk((c_i)_{i∈I}, f) for some poly(k)-size collection of R-evolved ciphertexts (c_i)_{i∈I} and some poly-size circuit f.

Definition 2. A FHE scheme is said to be certifiable if there exists a subset R ⊆ {0,1}^{poly(k)} of possible randomness values for which the following hold.

1. Pr[r ∈ R] = 1 − negl(k), where the probability is over uniformly sampled r ← {0,1}^{poly(k)}.

2. There exists an efficient algorithm A_R such that A_R(r) = 1 for r ∈ R and 0 otherwise.

3. With overwhelming probability, Gen outputs a key pair (pk, sk) such that Dec_sk(Eval_pk((c_i)_{1≤i≤n}, f)) = f((x_i)_{1≤i≤n}) for all poly-sized circuits f and for all R-evolved ciphertexts c_1, ..., c_n, where x_i = Dec_sk(c_i).

Certifiable FHE schemes have been shown to exist based on the Learning with Errors assumption, together with a circular security assumption (e.g., Brakerski and Vaikuntanathan m and Brakerski, Gentry, and Vaikuntanathan). For the readers who are familiar with these constructions, the set of "good" certifying randomness R corresponds to encrypting with sufficiently "small noise."

Multisignatures. A multisignature scheme is a digital signature scheme with the ability to combine signatures from multiple signers on the same message into a single short object (a multisignature).² The first formal treatment of multisignatures was given by Micali, Ohta, and Reyzin [55].

Definition 3. A multisignature scheme is a tuple of PPT algorithms (Gen, Sign, Verify, Combine, MultiVerify), where syntactically (Gen, Sign, Verify) are as in a standard signature scheme, and Combine, MultiVerify are as follows:

Combine({({vk_j}_{j∈J_i}, σ_i)}_i): For disjoint J_1, ..., J_ℓ ⊆ [n], takes as input a collection of signatures (or multisignatures) σ_i with respect to verification keys vk_j for j ∈ J_i, and outputs a combined multisignature with respect to the union of verification keys.

² Note that multisignatures are a special case of aggregate signatures [8], which in contrast allow combining signatures from n different parties on n different messages.


MultiVerify({vk_j}_{j∈I}, m, σ): Verifies multisignature σ with respect to the collection of verification keys {vk_j}_{j∈I}. Outputs 0 or 1.

All algorithms satisfy the standard natural correctness properties, except with negligible probability. Moreover, the scheme is secure if for any PPT adversary A, the probability that the challenger outputs 1 in the following game is negligible in the security parameter k:

Setup. The challenger samples n public key-secret key pairs, (vk_i, sk_i) ← Gen(1^k) for each i ∈ [n], and gives A all verification keys {vk_i}_{i∈[n]}. A selects a proper subset M ⊂ [n] (corresponding to parties to corrupt) and receives the corresponding set of secret signing keys {sk_i}_{i∈M}.

Signing Queries. A may issue multiple adaptive signature queries, of the form (m, i). For each such query, the challenger responds with a signature σ ← Sign_{sk_i}(m) on message m with respect to the signing key sk_i.

Output. A outputs a triple (σ*, m*, I*), where σ* is an alleged forgery multisignature on message m* with respect to a subset of verification keys I* ⊆ [n]. The challenger outputs 1 if there exists i ∈ I* \ M such that the message m* was not queried to the signature oracle with key sk_i, and 1 ← MultiVerify({vk_j}_{j∈I*}, m*, σ*).

The following theorem follows from a combination of the (standard) signature scheme of Waters [H] together with a transformation from this scheme to a multisignature scheme due to Lu et al. [55].

Theorem 2. [44] There exists a secure multisignature scheme with signature size poly(k) (independent of message length and number of potential signers), based on the Bilinear Computational Diffie-Hellman assumption.
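As an added illustration of Definition 3 and its security game (this is example code written for this report, not code from the paper or from the schemes it cites), the following Go program uses ed25519 from the standard library as the underlying signature scheme and plain concatenation as Combine; both are assumptions made for the example only, since a real multisignature (Theorem 2) compresses the combined object to poly(k) bits while still having to name the signer set. The Certificate function is the counting step of the certified-agreement idea used later in Section 3: verify every (m_i, σ_i) pair, drop the ones that fail, and accept a message once it carries at least a threshold (there, n/2) of distinct valid signers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one member of the PKI; VK and SK play the roles of vk_i and sk_i.
type Party struct {
	VK ed25519.PublicKey
	SK ed25519.PrivateKey
}

// MultiSig stands in for the paper's multisignature object. Combine below is plain
// concatenation, so it is not short; a real scheme (Theorem 2) compresses the
// signature part to poly(k) bits but must still name the signer set.
type MultiSig struct {
	Signers []int    // pairwise-distinct indices j in I
	Sigs    [][]byte // Sigs[l] verifies under vk_{Signers[l]}
}

// Setup generates the PKI: n key pairs (vk_i, sk_i) <- Gen(1^k).
func Setup(n int) []Party {
	ps := make([]Party, n)
	for i := range ps {
		vk, sk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		ps[i] = Party{VK: vk, SK: sk}
	}
	return ps
}

// Sign computes sigma <- Sign_{sk_i}(m), wrapped as a single-signer multisignature.
func Sign(ps []Party, i int, m []byte) MultiSig {
	return MultiSig{Signers: []int{i}, Sigs: [][]byte{ed25519.Sign(ps[i].SK, m)}}
}

// Combine merges multisignatures over disjoint signer sets J_1, ..., J_l; a signer
// appearing twice is rejected so that no key is counted more than once.
func Combine(parts ...MultiSig) (MultiSig, error) {
	seen := map[int]bool{}
	var out MultiSig
	for _, p := range parts {
		for l, j := range p.Signers {
			if seen[j] {
				return MultiSig{}, fmt.Errorf("signer %d appears twice", j)
			}
			seen[j] = true
			out.Signers = append(out.Signers, j)
			out.Sigs = append(out.Sigs, p.Sigs[l])
		}
	}
	return out, nil
}

// MultiVerify({vk_j}_{j in I}, m, sigma) is true iff every listed signer's part verifies.
func MultiVerify(ps []Party, m []byte, ms MultiSig) bool {
	if len(ms.Signers) != len(ms.Sigs) {
		return false
	}
	for l, j := range ms.Signers {
		if j < 0 || j >= len(ps) || !ed25519.Verify(ps[j].VK, m, ms.Sigs[l]) {
			return false
		}
	}
	return true
}

// Certificate is the counting step of certified agreement: pairs (m_i, sigma_i) that
// fail verification are dropped unprocessed, the rest are grouped by message, and a
// message backed by at least threshold distinct valid signers is returned (else nil).
func Certificate(ps []Party, msgs [][]byte, sigs []MultiSig, threshold int) ([]byte, MultiSig) {
	groups := map[string][]MultiSig{}
	for l := range msgs {
		if MultiVerify(ps, msgs[l], sigs[l]) {
			groups[string(msgs[l])] = append(groups[string(msgs[l])], sigs[l])
		}
	}
	for m, parts := range groups {
		if ms, err := Combine(parts...); err == nil && len(ms.Signers) >= threshold {
			return []byte(m), ms
		}
	}
	return nil, MultiSig{}
}

func main() {
	ps := Setup(5)
	m := []byte("supreme committee value") // constructed sample message
	var msgs [][]byte
	var sigs []MultiSig
	for i := range ps {
		msgs, sigs = append(msgs, m), append(sigs, Sign(ps, i, m))
	}
	got, ms := Certificate(ps, msgs, sigs, 3)
	fmt.Println(string(got) == string(m), len(ms.Signers)) // true 5
}
```

Because Combine rejects a signer that appears twice and MultiVerify checks every listed key, producing a certificate for a message that no honest party signed would require a forgery under an honest key, which is exactly the event the game of Definition 3 declares negligible; a corrupted minority can only certify its own message if it reaches the threshold on its own.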

Multi-party Protocols: Model and Security Definitions. We consider the setting of n parties P = {P_1, ..., P_n} within a synchronous network who wish to jointly compute any PPT function f over their private inputs. We allow up to t statically chosen Byzantine (malicious) faults and a rushing adversary. In our protocols below, we consider t < (1/3 − ε)n for any constant ε > 0. We assume that every pair of parties has the ability to initiate direct communication via a point-to-point private, authenticated channel. (However, we remark that in our protocol, each (honest) party will only ever send or process information along a subset of only polylog(n) such channels.) We assume the existence of a public-key infrastructure, but allow the adversary's choice of corruptions to be made as a function of this public information.

The notion of security we consider is the standard simulation-based definition of secure multiparty computation (MPC), via the real/ideal world paradigm. Very loosely, we require that for any PPT adversary A in a real-world execution of the protocol, there exists another PPT adversary who can simulate the output of A given only access to an "ideal" world where he learns only the evaluated function output. We refer the reader to, e.g., m for a formal definition of (standalone) MPC security.
General secure function evaluation. The following theorem is well known and will be used throughout this paper. Let C be a circuit with n inputs, and let F_C be the functionality that computes the circuit.

Theorem 3. For any t < n/3, there exists a protocol that securely computes the functionality F_C with perfect security. The protocol proceeds in O(|C|) rounds, and each party sends poly(n) messages of size poly(k, n) each.

Verifiable Secret Sharing. A secret sharing scheme is a protocol that allows a dealer who holds a secret input s to share his secret among n parties such that any t parties do not gain any information about the secret s, but any set of (at least) t + 1 parties can reconstruct s. A verifiable secret sharing (VSS) scheme, introduced by Chor et al. HE, is a secret sharing scheme with the additional guarantee that after the sharing phase, a dishonest dealer is either rejected, or is committed to a single secret s that the honest parties can later reconstruct, even if dishonest parties do not provide their correct shares.

For concreteness, we consider a class of VSS constructions that takes advantage of reconstruction and secrecy properties of low-degree polynomials [43, 38]. In particular, security of such a VSS protocol Share is formalized as emulating the ideal functionality F_VSS for parties P_D, P_1, ..., P_n with distinguished dealer P_D such that F_VSS(q, (0, ..., 0)) = (0, (q(α_1), ..., q(α_n))) for fixed evaluation points α_1, ..., α_n if deg(q) ≤ t, and F_VSS(q, (0, ..., 0)) = (0, (⊥, ..., ⊥)) otherwise. The parties can also run a reconstruction protocol Reconst such that if honest parties input the correct shares output by the above functionality to them, then they recover the right value. The following result is well known.

Theorem 4. m For any t < n/3, there exists a constant-round protocol Share that securely computes the F_VSS functionality, with perfect security. Each party sends poly(n) messages of size O(ℓ log ℓ), where ℓ = max{|x|, n}.

Also, we will be interested in the case where the dealer D can be any of the n parties, and he sends shares to a subset P' of the n parties of size n' (e.g., n' = polylog(n)), and we may not necessarily have D ∈ P'. The above functionality can be extended to this case naturally, and it is a folklore result that the protocols given by the above theorem also remain secure in this case as long as less than a fraction 1/3 of the parties in P' are corrupted.
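The following Go program is an added example (not part of the paper) of the F_VSS functionality over a prime field, using polynomial sharing: the dealer's polynomial q is accepted only if deg(q) ≤ t, party i receives q(α_i), reconstruction works from any t + 1 shares, and a consistency check detects a substituted share. The modulus 2^61 − 1 and the evaluation points α_i = i are constructed choices. Only the functionality is modelled; the interactive Share protocol that forces a dishonest dealer to be consistent is not implemented.

```go
package main

import (
	"fmt"
	"math/big"
)

// P is the field modulus; the Mersenne prime 2^61 - 1 is a constructed choice.
var P = new(big.Int).SetUint64(1<<61 - 1)

// Share is party i's output from F_VSS: the evaluation point alpha_i and q(alpha_i).
type Share struct{ X, Y *big.Int }

func mod(z *big.Int) *big.Int { return z.Mod(z, P) }

// evalPoly computes q(x) mod P for q given by its coefficients q[0] + q[1] x + ...
func evalPoly(q []*big.Int, x *big.Int) *big.Int {
	y := big.NewInt(0)
	for i := len(q) - 1; i >= 0; i-- {
		y = mod(y.Add(mod(y.Mul(y, x)), q[i]))
	}
	return y
}

// degree ignores leading zero coefficients; the zero polynomial has degree -1.
func degree(q []*big.Int) int {
	for i := len(q) - 1; i >= 0; i-- {
		if q[i].Sign() != 0 {
			return i
		}
	}
	return -1
}

// FVSS models the ideal functionality: party i receives q(alpha_i) if deg(q) <= t,
// and every party receives bottom (ok == false) otherwise.
func FVSS(q []*big.Int, t int, alpha []*big.Int) (shares []Share, ok bool) {
	if degree(q) > t {
		return nil, false
	}
	for _, a := range alpha {
		shares = append(shares, Share{X: a, Y: evalPoly(q, a)})
	}
	return shares, true
}

// lagrange evaluates at x the unique polynomial of degree < len(pts) through pts.
func lagrange(pts []Share, x *big.Int) *big.Int {
	s := big.NewInt(0)
	for i, pi := range pts {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, pj := range pts {
			if i == j {
				continue
			}
			num = mod(num.Mul(num, mod(new(big.Int).Sub(x, pj.X))))
			den = mod(den.Mul(den, mod(new(big.Int).Sub(pi.X, pj.X))))
		}
		li := mod(num.Mul(num, new(big.Int).ModInverse(den, P)))
		s = mod(s.Add(s, mod(new(big.Int).Mul(pi.Y, li))))
	}
	return s
}

// Reconst recovers the secret q(0) from any t+1 shares, so honest parties can
// reconstruct even when dishonest parties withhold theirs.
func Reconst(shares []Share, t int) (*big.Int, error) {
	if len(shares) < t+1 {
		return nil, fmt.Errorf("need %d shares, have %d", t+1, len(shares))
	}
	return lagrange(shares[:t+1], big.NewInt(0)), nil
}

// Consistent reports whether all shares lie on one polynomial of degree <= t, which
// is how a substituted share is detected when the first t+1 shares are honest.
func Consistent(shares []Share, t int) bool {
	if len(shares) < t+1 {
		return false
	}
	base := shares[:t+1]
	for _, sh := range shares[t+1:] {
		if lagrange(base, sh.X).Cmp(sh.Y) != 0 {
			return false
		}
	}
	return true
}

func main() {
	var alpha []*big.Int
	for i := 1; i <= 7; i++ { // evaluation points alpha_i = i (constructed)
		alpha = append(alpha, big.NewInt(int64(i)))
	}
	shares, _ := FVSS([]*big.Int{big.NewInt(42), big.NewInt(7), big.NewInt(3)}, 2, alpha)
	s, _ := Reconst(shares[4:], 2)
	fmt.Println(s, Consistent(shares, 2)) // 42 true
}
```

With n = 7 and t = 2 the example sits inside the t < n/3 regime of Theorem 4; secrecy comes from the fact that any t shares are consistent with every possible value of q(0), so only a set of t + 1 parties learns anything.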

Broadcast. Another important functionality we need to implement is broadcast. To define it, a broadcast protocol can be seen as an example of an MPC implementing a functionality F_BC for parties P_D, P_1, ..., P_n with distinguished dealer P_D, defined as F_BC(m, (0, ..., 0)) = (0, (m, ..., m)), where m is the message to be broadcast.

Theorem 5. J2Jfj For any t < n/3, there exists a constant-round protocol that securely computes the F_BC functionality, with perfect security. Each party sends poly(n) messages of size O(|m|) each.
2.2 Random Switching Networks and Random Permutations

Our protocol will employ what we call an n-wire switching network, which consists of a sequence of layers, each layer in turn consisting of one or more swapping gates which decide to swap the values of two wires depending on a bit. Formally, given an input vector x = (x_1, ..., x_n) (which we assume to be integers wlog), a swap gate operation swap(i, j, x, b) returns x' where if b = 0 then x' = x, and if b = 1 then we have x'_i = x_j, x'_j = x_i, and x'_k = x_k for all k ≠ i, j. A switching layer is a set L = {(i_1, j_1), ..., (i_k, j_k)} of pairwise-disjoint pairs of distinct indices of [n]. A d-depth switching network is a list SN = (L_1, ..., L_d) of switching layers. Note that for each assignment of the bits of the gates in SN, the network defines a permutation from [n] to [n] by inputting the vector x = (1, 2, ..., n) to the network. The question we are asking is the following: If we set each bit in each swap gate uniformly and independently at random, how close to uniform is the resulting permutation? The following theorem guarantees the existence of a sufficiently shallow switching network giving rise to an almost-uniform random permutation.

Theorem 6. For all c > 1, there exists an efficiently computable n-wire switching network of depth d = O(polylog(n) · log^c(k)) (and size O(n · d)) such that the permutation π : [n] → [n] implemented by the network when setting swaps randomly and independently has negligible statistical distance (in k) from a uniformly distributed random permutation on [n].

Proof. By Theorem 1.11 in [16], there exists such a network SN of depth d = O(polylog(n)) where the statistical distance is of the order O(1/n). Consider now the switching network SN' obtained by cascading r copies of SN. Then, when setting switching gates at random, the resulting permutation π̃ equals π_1 ∘ ··· ∘ π_r, where the π_i are independent permutations obtained each by setting the gates in SN uniformly at random. With π being a random permutation, a well-known property of the statistical distance Δ(·, ·), combined with the fact that permutation composition gives a group (see e.g. [37] for a proof), yields

Δ(π̃, π) ≤ 2^{r−1} · ∏_{i=1}^{r} Δ(π_i, π) ≤ O(2^{r−1} / n^r) ≤ O(2^{r(log 2 − log n)}),

which is negligible in k for r = log^c(k). □

Note that in particular this means that each wire is connected to at most d = O(polylog(n) · log^c(k)) other wires via switching gates, as each wire is part of at most one gate per layer.
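An added Go example (not from the paper or from [16]) of the definitions in this section: swap gates, layers, a depth-d network, the permutation it induces under a bit assignment, and uniform random bits for every gate. The layout built by ButterflyNetwork is a constructed butterfly-style network used only to have a concrete fixed network; no claim is made that it meets the mixing bound of Theorem 6. Taking more than one round cascades copies of the same layout, which mirrors the SN' of the proof, and the same Apply routine is what the shuffling phase of Section 3 evaluates gate by gate on shared inputs.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Gate is a swap gate on the distinct wires I and J.
type Gate struct{ I, J int }

// Layer is a set of gates on pairwise-disjoint wire pairs; Network is SN = (L_1, ..., L_d).
type Layer []Gate
type Network []Layer

// Swap implements swap(i, j, x, b): x' = x when b is 0, x with positions i, j exchanged when b is 1.
func Swap(i, j int, x []int, b bool) []int {
	y := append([]int(nil), x...)
	if b {
		y[i], y[j] = x[j], x[i]
	}
	return y
}

// ButterflyNetwork is a constructed fixed network for this example (not the network
// of Theorem 6): n must be a power of two, and layer l pairs each wire i with
// i XOR 2^(l mod log2 n); rounds > 1 cascades copies of the layout like SN' in the proof.
func ButterflyNetwork(n, rounds int) Network {
	logn := 0
	for 1<<logn < n {
		logn++
	}
	if 1<<logn != n {
		panic("n must be a power of two")
	}
	var sn Network
	for l := 0; l < rounds*logn; l++ {
		stride := 1 << (l % logn)
		var layer Layer
		for i := 0; i < n; i++ {
			if i&stride == 0 {
				layer = append(layer, Gate{i, i ^ stride})
			}
		}
		sn = append(sn, layer)
	}
	return sn
}

// Depth is d, the number of layers; Size is the total number of swap gates.
func (sn Network) Depth() int { return len(sn) }
func (sn Network) Size() int {
	total := 0
	for _, layer := range sn {
		total += len(layer)
	}
	return total
}

// Apply runs x through the network, consuming one swap bit per gate in network order.
func (sn Network) Apply(x []int, bits []bool) []int {
	if len(bits) != sn.Size() {
		panic(fmt.Sprintf("need %d bits, one per gate, got %d", sn.Size(), len(bits)))
	}
	k := 0
	for _, layer := range sn {
		for _, g := range layer {
			x = Swap(g.I, g.J, x, bits[k])
			k++
		}
	}
	return x
}

// Permutation is pi : [n] -> [n] defined by the bits, read off by feeding (0, ..., n-1) through.
func (sn Network) Permutation(n int, bits []bool) []int {
	x := make([]int, n)
	for i := range x {
		x[i] = i
	}
	return sn.Apply(x, bits)
}

// RandomBits sets every gate uniformly and independently at random.
func RandomBits(sn Network) []bool {
	buf := make([]byte, sn.Size())
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	bits := make([]bool, len(buf))
	for i, b := range buf {
		bits[i] = b&1 == 1
	}
	return bits
}

func main() {
	sn := ButterflyNetwork(8, 3) // 9 layers over 8 wires, 36 gates
	fmt.Println(sn.Depth(), sn.Size(), sn.Permutation(8, RandomBits(sn)))
}
```

Each wire meets at most one gate per layer, so a wire is connected to at most Depth() other wires, which is the locality observation made just above; with all bits zero the network is the identity, and with all bits one a single butterfly round on 8 wires reverses them.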

2.3 Sublinear Algorithms

We consider a model where n inputs x_1, ..., x_n are accessible to an algorithm SLA via individual queries for indices i ∈ [n]. Formally, a Q-query algorithm in the n-input model is a tuple of (randomized) polynomial time algorithms SLA = (SLA.Sel_1, SLA.Sel_2, ..., SLA.Sel_Q, SLA.Exec). During an execution with inputs (x_1, ..., x_n), SLA.Sel_1 takes no input and produces as output a state σ_1 and a query index i_1 ∈ [n], and for j = 2, ..., Q, SLA.Sel_j takes as input a state σ_{j−1} and input x_{i_{j−1}}, and outputs a new state σ_j and a new query index i_j. Finally, SLA.Exec takes as input σ_Q and x_{i_Q}, and produces a final output y. We say that SLA is sublinear if Q = o(n). We will also consider the special case of non-adaptive algorithms which consist without loss of generality of only two randomized algorithms SLA = (SLA.Sel, SLA.Exec), where SLA.Sel outputs a subset I ⊆ [n] of indices of inputs to be queried, and the final output is obtained by running SLA.Exec on input

Examples of sublinear algorithms, many of them non-adaptive, include algorithms for property testing such as testing sortedness of the inputs, linearity, approximate counting, and numerous graph properties. Surveying this large area and the usefulness of these algorithms goes beyond the scope of this paper, and we refer the reader to the many available surveys [Tj.

3 Multi-party Computation for Sublinear Algorithms

We present a high-level overview geared at illustrating the techniques used within our sublinear algorithm compiler (Theorem 2), which is the more involved of our two results. For exposition, we focus on the case of non-adaptive algorithms. Given a Q-query non-adaptive sublinear algorithm SLA, we would like to evaluate it in a distributed fashion along the following lines. First, a small committee C consisting of polylog(n) parties is elected, with the property that at least two thirds of its members are honest. This committee then jointly decides on a random subset I of Q parties, output by SLA.Sel, from which inputs are obtained. The parties in C ∪ I jointly execute a multi-party computation among themselves to produce the output of the sublinear algorithm according to the algorithm SLA.Exec, which is then broadcast to all parties.

But things will not be as simple. Interestingly, one main challenge is very unique to the setting of sublinear algorithms: an execution of the protocol needs to hide the subset I of parties whose inputs contribute to the output! More precisely, an ideal execution of the sublinear algorithm via the functionality F_SLA only reveals the output of the sublinear algorithm. Therefore, we need to ensure that the adversary does not learn any additional information about the composition of I from a protocol execution beyond what leaked via the final output. Our protocol will indeed hide the set I completely. This will require modifying the above naive approach considerably.

The second challenge is complexity theoretic in nature. Enforcing low complexity of our protocol when implementing the above steps, while realizing our mechanism to hide the subset I, will turn out to be a delicate balancing act.

In particular, at a high level our protocol will consist of the following components:

Committee Election Phase. The n parties jointly elect a supreme committee C, as well as individual committees C_1, ..., C_n on which they all agree, sending each at most polylog(n) messages of size n · poly(log n, log k) each. All committees have size polylog(n) and at least a fraction 2/3 of the parties in them are honest. As part of this process, the parties set up a communication structure that allows the supreme committee to communicate messages to all parties.

Commitment Phase. Each party P_i commits to its input so that C_i holds shares of these inputs.

Shuffling Phase. To hide the access pattern of the algorithm (i.e., which inputs are included in the computation), the committees will randomly shuffle the inputs they hold with respect to a random permutation ρ. This will happen by using a switching network with good shuffling properties. For each swap gate (i, j) in the switching network, committees C_i and C_j will swap at random the sharings they hold via a multi-party computation under a random decision taken by the supreme committee C. The supreme committee then holds a secret sharing of ρ.

Evaluation Phase. The parties in the supreme committee C sample a random query set I according to SLA.Sel via MPC and learn ρ(I) only. They will then include the parties in committees C_i for i ∈ ρ(I) in a multi-party computation to evaluate the sublinear algorithm on the inputs they hold. (Recall that C holds ρ in shared form.)

Output Phase. The supreme committee broadcasts the output of the computation to all parties, using the communication structure from the first stage.

In addition, we carefully implement sharings and multi-party computations using FHE to improve complexity, making the dependency of both the communication and round complexities linear in the input length |x|, rather than polynomial, and independent of the circuit sizes to implement the desired functionalities.
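To tie the model of Section 2.3 to the shuffling and evaluation phases just listed, here is an added Go simulation (not the paper's protocol and not code from the paper) of a non-adaptive Q-query algorithm run through a permuted committee structure. It assumes the permutation ρ is already available (drawn with a seeded math/rand source here; the paper obtains it from the switching network under MPC) and keeps each input in the clear inside its committee instead of secret-shared, since the point demonstrated is the access pattern: the committees contacted are exactly ρ(I), and AccessFrequency shows empirically that their distribution does not depend on I. The FractionOfOnes algorithm is a constructed approximate-counting example of SLA = (SLA.Sel, SLA.Exec).

```go
package main

import (
	"fmt"
	"math/rand"
)

// Committee stands in for an input committee C_j, holding its input in the clear.
type Committee struct {
	Input    int
	Accessed bool // set when the evaluation phase contacts this committee
}

// SLA is a non-adaptive Q-query algorithm (SLA.Sel, SLA.Exec) as in Section 2.3.
type SLA struct {
	Q    int
	Sel  func(rng *rand.Rand, n, q int) []int // outputs the query set I, a q-subset of [n]
	Exec func(queried []int) float64          // computes y from (x_i)_{i in I}
}

// NewRNG is a seeded source for the simulation (the paper uses coin tossing / MPC instead).
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// FractionOfOnes is the approximate-counting example: query Q uniformly chosen
// positions and output the fraction of ones among them.
func FractionOfOnes(Q int) SLA {
	return SLA{
		Q:   Q,
		Sel: func(rng *rand.Rand, n, q int) []int { return rng.Perm(n)[:q] },
		Exec: func(queried []int) float64 {
			ones := 0
			for _, v := range queried {
				if v == 1 {
					ones++
				}
			}
			return float64(ones) / float64(len(queried))
		},
	}
}

// RunDirect is the ideal computation: the algorithm run on the inputs with no protocol.
func RunDirect(alg SLA, inputs []int, rng *rand.Rand) (float64, []int) {
	I := alg.Sel(rng, len(inputs), alg.Q)
	vals := make([]int, len(I))
	for k, i := range I {
		vals[k] = inputs[i]
	}
	return alg.Exec(vals), I
}

// Shuffle is the shuffling phase for a given rho: afterwards committee rho(i) holds x_i.
func Shuffle(inputs []int, rho []int) []Committee {
	if len(rho) != len(inputs) {
		panic(fmt.Sprintf("rho has %d entries for %d inputs", len(rho), len(inputs)))
	}
	cs := make([]Committee, len(inputs))
	for i, x := range inputs {
		cs[rho[i]].Input = x
	}
	return cs
}

// Evaluate is the evaluation phase: the supreme committee samples I, maps it to rho(I)
// and contacts only C_j for j in rho(I). It returns the output, I and the contacted set.
func Evaluate(alg SLA, cs []Committee, rho []int, rng *rand.Rand) (float64, []int, []int) {
	I := alg.Sel(rng, len(cs), alg.Q)
	vals, touched := make([]int, len(I)), make([]int, len(I))
	for k, i := range I {
		j := rho[i]
		cs[j].Accessed = true
		vals[k], touched[k] = cs[j].Input, j
	}
	return alg.Exec(vals), I, touched
}

// AccessFrequency fixes I, redraws a uniform rho `trials` times and returns how often
// each committee is contacted: about Q/n for every committee whatever I is.
func AccessFrequency(n int, I []int, trials int, rng *rand.Rand) []float64 {
	hits := make([]float64, n)
	for t := 0; t < trials; t++ {
		rho := rng.Perm(n)
		for _, i := range I {
			hits[rho[i]]++
		}
	}
	for j := range hits {
		hits[j] /= float64(trials)
	}
	return hits
}

func main() {
	inputs := []int{1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1} // constructed x_1, ..., x_16
	rng := NewRNG(7)
	rho := rng.Perm(len(inputs))
	cs := Shuffle(inputs, rho)
	out, I, touched := Evaluate(FractionOfOnes(4), cs, rho, rng)
	fmt.Println(out, I, touched)
}
```

An adversary who corrupts committee C_j learns that some query landed on j, but without ρ that tells it nothing about which index i ∈ I was queried; this is the leakage profile the protocol needs, since the ideal F_SLA reveals only the output.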

The following paragraphs provide a more detailed account of the techniques used within our protocol. In addition, a high-level description of the protocol procedure is given in Figure [T].

Committee Election Phase. The backbone behind this first phase is given by the construction of a communication tree using a technique of King et al. [34]. Such a tree is a sparse communication subnetwork which will ensure both the election of the supreme committee, as well as a basic form of communication between parties and the supreme committee where each party communicates only with polylog(n) other parties and only polylog(n) rounds of communication are required. Informally, the protocol setting up the tree assigns (possibly overlapping) subsets of parties of polylogarithmic size to the nodes of a tree with polylogarithmic height and logarithmic degree. The set of parties assigned to the root will take the role of the supreme committee C. Communication from the root to the parties (or the other way round) occurs by communicating messages over paths from the root to the leaves of the tree, with an overall communication cost of polylog(n) messages per party. To elect the committees C_1, ..., C_n, we can have the supreme committee agree on the seed s of a PRF family F = {F_s}_s via a coin tossing protocol, where F_s maps elements of [n] to subsets of [n] of size polylog(n), and send s to all parties. We then let C_i = F_s(i).
However, a closer look reveals that it is only possible for the protocol building the communication tree to enforce that a vast majority of the nodes of the tree are assigned to a set of parties for which a 2/3 majority is honest, but some nodes are unavoidably associated with too large a fraction of corrupted parties. Indeed, some parties may be connected to too many bad nodes and their communication ends up being essentially under adversarial control. As a consequence, the supreme committee is only able to correctly communicate with a 1 − o(1) fraction of the (honest) parties. Moreover, individual parties are not capable of determining whether the value they hold is correct or not. We refer to this situation as almost-everywhere (ae) agreement.

Our main contribution here is the use of cryptographic techniques to achieve full agreement on C and s in this stage, while maintaining polylog(n) communication locality; this improves on previous work in the information-theoretic setting [32, 33, 21] which requires each party to talk to O(√n · polylog(n)) other parties to reach agreement. We tackle these two issues in two separate ways.

1. From ae agreement to ae certified agreement. We first move to a stage where a large 1 − o(1) fraction of the parties learn the value sent by the supreme committee, together with a proof that the output is the one sent by the committee, whereas the remaining parties who do not know the output are also aware of this fact. We refer to this scenario as almost-everywhere certified agreement. Let us start with the basic idea using traditional signatures (we improve on this below using multisignatures). After having the supreme committee send a value m to all parties with almost-everywhere agreement, each party P_i receiving a value m_i will sign m_i with his own signing key, producing a signature σ_i. Then, P_i sends (m_i, σ_i) up the tree to the supreme committee, and each member will collect at least n/2 signatures σ_i on some message m. Note that this will always be possible, as a fraction 1 − o(1) > n/2 of the honest parties will receive the message m_i = m and send a valid signature up the tree. Moreover, the adversary would need to forge signatures for honest parties in order to produce a valid certificate for a message which was not broadcast by the supreme committee.

2. From ae certified agreement to full agreement. We finally describe a transformation from ae certified agreement to full agreement. If a committee wants to broadcast m to all parties, it additionally generates a seed s for a PRF and broadcasts (m, s) in a certified way using the above transformation. Each party i receiving (m, s) with a valid certificate π forwards (m, s, π) to all parties in "his" committee F_s(i). Whenever a party receives (m, s, π) with a valid certificate, it stops and outputs m. Note that no party sends more than polylog(n) additional messages in this transformation. Moreover, it is not hard to see that, with very high probability, every honest party will be in at least one of the sets F_s(i) for a party i who receives (m, s) correctly with a certificate, by the pseudorandomness of F. Note in particular that the same seed s can be used over multiple executions of this broadcast procedure from the committee to the parties, and can be used directly to generate the committees C_1, ..., C_n.
While we do guarantee that every party sends at most polylog(n) messages, a problem with the above approach is the potentially high complexity of processing incoming messages if dishonest parties flood an honest party with too many messages. Namely, the t = O(n) corrupted parties can each send (m, s) with an invalid certificate to some honest party P_i, who needs to verify all signatures in the certificate to confirm that these messages are not valid. We propose a solution based on multisignatures that alleviates this problem by making each certificate consist of a single aggregate signature (instead of O(n) individual ones), together with a description of the subset of parties whose signatures have been aggregated. The main idea is to have all parties initially sign the value they receive from the supreme committee with their own signing keys. However, when sending their values up the tree, parties assigned to inner nodes of the tree aggregate the valid signatures on the message that was previously sent down the tree, and keep track of which signatures have contributed.
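The following Python simulation is an added example and is not part of the paper or of any implementation of it. It runs the two transformations above end to end: the supreme committee's value reaches all but a few honest parties (the ae agreement stage is modelled by simply cutting those parties off), every party signs what it believes, the root tallies the signatures into a certificate carrying more than n/2 signers, the adversary's attempt to certify its own value fails, and the certificate is then forwarded along the PRF-defined sets F_s(i) until every honest party holds the value. Lamport one-time signatures (hash based, standard library only) stand in for the parties' signature scheme, HMAC-SHA256 stands in for the PRF family F, the tree is collapsed to the tally its root performs, the certificate keeps the individual signatures rather than a multisignature, and n, t, the number of cut-off parties and the committee size are parameters chosen for this simulation.

```python
import hashlib
import hmac
import os
import random
from collections import defaultdict


def H(data):
    return hashlib.sha256(data).digest()


def bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Lamport one-time signature keys: 256 pairs of random preimages; pk = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]


def verify(pk, msg, sig):
    d = H(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))


def prf_committee(s, i, n, size):
    """F_s(i): a pseudorandom subset of [n] of the given size (HMAC-SHA256 plays the PRF)."""
    members, ctr = set(), 0
    while len(members) < size:
        out = hmac.new(s, i.to_bytes(4, "big") + ctr.to_bytes(4, "big"), "sha256").digest()
        members.add(int.from_bytes(out[:4], "big") % n)
        ctr += 1
    return members


def build_certificate(pks, believed, sigs, n):
    """Root of the tree: tally valid signatures per message and certify the message
    signed by more than n/2 distinct parties (individual signatures are kept here;
    the multisignature variant would compress them to one aggregate)."""
    signers = defaultdict(dict)
    for p, msg in believed.items():
        if verify(pks[p], msg, sigs[p]):
            signers[msg][p] = sigs[p]
    for msg, who in signers.items():
        if len(who) > n / 2:
            return msg, who
    return None


def verify_certificate(pks, cert, n):
    """Size check first, so a flood of undersized bogus certificates costs no hashing."""
    if cert is None:
        return False
    msg, who = cert
    return len(who) > n / 2 and all(verify(pks[p], msg, sig) for p, sig in who.items())


def run_election_broadcast(n=40, t=12, cut_off=4, committee_size=16, seed=1):
    """Returns (outputs of the honest parties, whether the adversary's forged certificate
    was accepted). t < n/3 parties are corrupted; `cut_off` honest parties sit behind
    adversarial tree nodes and receive garbage instead of the committee's value."""
    rng = random.Random(seed)
    m = b"(C, s) as sent by the supreme committee"
    m_bad = b"(C', s') chosen by the adversary"
    parties = list(range(n))
    corrupt = set(rng.sample(parties, t))
    honest = [p for p in parties if p not in corrupt]
    unreached = set(rng.sample(honest, cut_off))
    keys = {p: keygen() for p in parties}
    pks = {p: keys[p][1] for p in parties}

    # Stage 1 (ae agreement): what each party believes after the tree broadcast.
    believed = {p: (m_bad if p in corrupt else b"garbage" if p in unreached else m) for p in parties}
    # Stage 2 (ae certified agreement): everyone signs its value, the root tallies.
    sigs = {p: sign(keys[p][0], believed[p]) for p in parties}
    cert = build_certificate(pks, believed, sigs, n)
    # The adversary can only assemble its own t < n/2 signatures on m_bad.
    forged = (m_bad, {p: sigs[p] for p in corrupt})
    forged_ok = verify_certificate(pks, forged, n)

    # Stage 3 (full agreement): holders forward (m, s, cert) to F_s(i); a party without
    # a certificate adopts the first valid one it receives and then stops listening.
    s = bytes(rng.getrandbits(8) for _ in range(32))
    output = {p: m for p in honest if p not in unreached}
    for receiver in unreached:  # flooding: every cut-off party first gets the bogus certificate
        if verify_certificate(pks, forged, n):
            output[receiver] = m_bad
    for holder in list(output):
        for receiver in prf_committee(s, holder, n, committee_size):
            if receiver in unreached and receiver not in output and verify_certificate(pks, cert, n):
                output[receiver] = cert[0]
    return output, forged_ok
```

With the default parameters, 24 of the 28 honest parties receive m directly and sign it, which exceeds n/2 = 20, so the certificate is built; the 12 corrupted signatures on m_bad never reach that threshold, which is exactly why forging honest signatures would be required. The cheap size check in verify_certificate is the part of the processing cost that the multisignature construction in the text reduces further, since a valid-looking but wrong aggregate is then rejected with a single verification.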

Commitment Phase. Our instantiations of multi-party computations among subsets of parties will be based on fully homomorphic encryption (FHE). To this end, we want the parties in each input committee C_i to store an FHE encryption Enc(pk, x_i) of the input x_i to be committed. The FHE public key pk is generated by the supreme committee (whose members hold secret shares of the matching secret key sk) and sent to all parties using the methods outlined above. A party i is committed to the value x_i if all honest parties in C_i hold the same ciphertext encrypting x_i. This presents some challenges, which we address as follows:

1. First, a malicious party P_i must not be able to broadcast an invalid ciphertext to the members of the committee C_i. This is prevented by appending to the ciphertext c a simulation-sound NIZK argument π that there exist a message x and "good" randomness r such that Enc(pk, x; r) = c.

2. Second, for a security proof to be possible, it is well known that not only must the encryption be hiding and binding, but a simulator must also have some way to extract the corresponding plaintext from a valid ciphertext-proof pair (c, π). A major issue here is that in our model the simulated setup must be independent of the corrupted set. This prevents the use of NIZK arguments of knowledge. Moreover, we can only expect the FHE scheme to be secure against chosen-plaintext attacks. We solve this by means of double encryption, following Sahai's construction [41] of a CCA-secure encryption scheme from a CPA-secure one. Namely, we provide an additional encryption c_2 of x under a different public key (for which no one needs to hold the secret key), together with an additional NIZK argument that c_1 and c_2 encrypt the same message. The ciphertext c_2 is not needed at any later point in time and serves only to verify commitment validity (and to permit extraction in the proof).

3. Third, a final problem we have to face is due to rushing adversaries and the possibility of mauling commitments, given that the same public key pk is used for all commitments. This can be prevented in a black-box way by letting every party P_i first (in parallel) VSS its commitment to the parties in C_i, and then, in a second phase, letting every committee C_i reconstruct the corresponding commitment. If the VSS protocol is perfectly secure, this ensures input independence.

Another challenge is how to ensure that ciphertext sizes and the associated NIZK proof lengths are all of order |x| · poly(k), instead of poly(|x|, k). We achieve this by encrypting messages bit by bit using a bit-FHE scheme, whose ciphertexts are hence of length poly(k). The corresponding NIZK proof is obtained by concatenating individual proofs (each of length poly(k)) for the encryptions of the individual bits.

Shuffling Phase. The major privacy issue in executing a sublinear algorithm in a distributed setting is that the adversary must not learn which parties have contributed their inputs to the protocol evaluation, beyond any information that the algorithm's output itself reveals. Ideally, we would like the parties to shuffle their inputs in a random (yet oblivious) fashion, so that at the end of such a protocol each party P_i holds the input of party P_π(i) for a random permutation π, but such that the adversary has no information about the choice of π or about which party π(i) he holds an input for. At the same time, the supreme committee jointly holds information about the permutation π in a shared way. Unfortunately, this seems impossible to achieve: a disrupting adversary may always refuse to hold inputs for other parties. However, we can now exploit the fact that the inputs are held by committees C_1, ..., C_n containing a majority of honest parties.

The actual shuffling is implemented via distributed evaluation of a switching network SN, under central coordination by the supreme committee. We assume that a switching network over n wires is given, with depth d = polylog(n), known to everyone, and with the property given by Theorem 6, i.e., it implements a nearly uniform permutation on [n] under random switching. For each swap gate (i, j) in the network, the supreme committee members jointly produce an encryption b̂_ij of an (unknown) random bit b_ij, indicating whether the inputs x_i and x_j are to be swapped or not when evaluating the corresponding swap gate. The value b̂_ij is broadcast to all parties in C_i and C_j. At this point, each party in C_i broadcasts his copy of x̂_i to all parties in C_j, and each party in C_j does the same with x̂_j to all parties in C_i. (Each party then, given the ciphertexts received from the other committee, takes the most frequent one as the right one.) Then, each party in C_i (or C_j) updates his encryption x̂_i to be an encryption of Dec(sk, x̂_i) or Dec(sk, x̂_j), depending on the value of b_ij, using homomorphic evaluation of the swap-or-not function. We note that this operation can be executed in parallel for all gates on the same layer, hence the swapping requires d rounds.
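The following Python simulation is an added example and is not part of the paper. It evaluates the shuffling phase layer by layer over committees: each committee's members hold copies of their value, corrupted members broadcast a wrong copy, the receiving side keeps the majority value, and the pair then applies the swap-or-not gate, written as the add-and-multiply arithmetic that the real protocol evaluates homomorphically on b̂_ij, x̂_i and x̂_j. Two simplifications are mine: the values are plaintext integers instead of FHE ciphertexts (so the committees here see the swap bits, which in the protocol only the supreme committee holds, in encrypted form), and the switching network is a Beneš network, which is one concrete choice with depth O(log n); the paper only assumes a network with the property of its Theorem 6. The function also tracks the permutation ρ induced by the swap bits, which is what the supreme committee knows at the end of the phase.

```python
import random
from collections import Counter

BOGUS = -1  # what a corrupted committee member broadcasts instead of its copy


def benes_layers(n):
    """Swap gates (p, q), p < q, of each layer of a Benes network on n = 2^k wires (depth 2k - 1)."""
    k = n.bit_length() - 1
    if 1 << k != n:
        raise ValueError("n must be a power of two")
    levels = list(range(k)) + list(range(k - 2, -1, -1))
    return [[(w, w ^ (1 << lvl)) for w in range(n) if w < w ^ (1 << lvl)] for lvl in levels]


def swap_or_not(b, x_p, x_q):
    """Gate function: (x_p, x_q) if b == 0 and (x_q, x_p) if b == 1, written as the
    arithmetic an FHE scheme would evaluate on the encrypted b, x_p and x_q."""
    return x_p + b * (x_q - x_p), x_q + b * (x_p - x_q)


def majority(copies):
    """A receiving party keeps the most frequent value broadcast by the other committee."""
    return Counter(copies).most_common(1)[0][0]


def shuffle_with_committees(inputs, committee_size=5, corrupt_per_committee=2, seed=7):
    """Run all layers of the network over committees. held[i] lists the copies held by the
    members of C_i; the last `corrupt_per_committee` members of every committee are
    corrupted. Returns (value held by each committee, rho) with held[i] == inputs[rho[i]]."""
    n = len(inputs)
    if 2 * corrupt_per_committee >= committee_size:
        raise ValueError("committees need an honest majority for the vote to be correct")
    honest = committee_size - corrupt_per_committee
    rng = random.Random(seed)
    held = {i: [inputs[i]] * committee_size for i in range(n)}
    rho = list(range(n))  # rho[w]: index of the input currently sitting on wire w
    for layer in benes_layers(n):
        swap_bits = {gate: rng.randrange(2) for gate in layer}  # sampled by the supreme committee
        for (p, q), b in swap_bits.items():
            # Both committees broadcast their copies to each other; corrupted members lie.
            from_p = held[p][:honest] + [BOGUS] * corrupt_per_committee
            from_q = held[q][:honest] + [BOGUS] * corrupt_per_committee
            x_p, x_q = majority(from_p), majority(from_q)
            new_p, new_q = swap_or_not(b, x_p, x_q)
            held[p] = [new_p] * committee_size
            held[q] = [new_q] * committee_size
            if b:
                rho[p], rho[q] = rho[q], rho[p]
    return {i: held[i][0] for i in range(n)}, rho
```

All gates of one layer are independent of each other, which is why the loop over a layer corresponds to a single round in the protocol and the whole shuffle takes d rounds; the honest-majority check at the top is the condition under which the majority vote, rather than the network, is what makes the result correct.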

Evaluation Phase. Once the parties' inputs have been (obliviously) shuffled, we are ready to run the sublinear algorithm. The execution is controlled by the supreme committee C. First, the members of C run an MPC to randomly select the subset of inputs I ⊆ [n] to be used by the algorithm. The output of
Protocol for Non-adaptive Sublinear Algorithm Evaluation (Overview)

Committee Election Phase

1. Execute the almost-everywhere committee election protocol of [34] to generate a communication tree together with a committee C at its root (where a (1 - o(1)) fraction of the honest parties agree on C).

2. Achieve certified almost-everywhere agreement on C and on the individual committees {C_i}_{i∈[n]} as follows. Members of C collectively sample a PRF seed s and communicate it to (almost) all parties. Each C_i is defined as F_s(i). Every party signs his believed value of (C, s) and passes it up the communication tree to C, where agreeing signatures are aggregated into a single multisignature at each inner node. The message and a "certificate" multisignature containing signatures from a majority of all parties are sent back down the tree.

3. Achieve full agreement on C, {C_i}_{i∈[n]} as follows. Each party P_i possessing a valid certificate π on (C, s) sends (C, s, π) to each party in C_i := F_s(i). Each party P_j who does not have a valid certificate listens for incoming messages and adopts the first properly certified tuple. (Note that steps 2-3 enable C to broadcast messages.)

Commitment Phase

4. Parties in the primary committee C run the (standard) MPC protocol of [5] amongst themselves to generate keys for the FHE scheme and for a second standard PKE scheme. Parties in C receive the public keys pk, pk' and a secret share of the FHE key sk. They broadcast pk, pk' to all parties.

5. In parallel, each party P_i acts as dealer to VSS the following values to his input committee C_i: (1) an FHE encryption of his input, x̂_i ← Enc_pk(x_i), (2) a second encryption of x_i under the standard PKE with pk', and (3) NIZK proofs that x̂_i is a valid encryption and that the two ciphertexts encrypt the same value.

Shuffling Phase

6. Parties in the primary committee C run an MPC to generate a random permutation ρ, expressed as a sequence of random swap bits in the switching network SN. The output is an FHE encryption ρ̂ of ρ, which they broadcast to all parties.

7. The committees C_i obliviously shuffle their stored input values, as follows.

For each layer L_1, ..., L_d in the switching network SN:

- Let L_ℓ = ((i_1, j_1), ..., (i_{n/2}, j_{n/2})) be the swapping pairs in the current layer ℓ.

- In parallel, the corresponding pairs of committees (C_{i_1}, C_{j_1}), ..., (C_{i_{n/2}}, C_{j_{n/2}}) exchange their currently held input ciphertexts x̂_p, x̂_q (using broadcast followed by majority vote) and homomorphically evaluate the swap-or-not function on x̂_p, x̂_q and the appropriate encrypted swap bit b̂ contained in ρ̂.

Outcome: each party in committee C_i holds an encryption of input x_{ρ(i)}.

Evaluation Phase

8. Parties in the primary committee C run an MPC to execute the input selection procedure I ← SLA.Sel. The output of the MPC is the set of permuted indices ρ(I) ⊆ [n].

9. Every party in C sends a message "Please send encrypted input ℓ" to every party P_j in C_ℓ for which ℓ ∈ ρ(I).

10. Each party P_j ∈ C_ℓ who receives consistent messages "Please send encrypted input ℓ" from a majority of the parties in C broadcasts his currently held encrypted input x̂_p to all parties in C. (Recall that this allegedly corresponds to an encryption of the input x_p held by the committee C_ℓ = C_{ρ(p)} after the ρ-permutation shuffle.)

11. The parties of C evaluate the second portion of the sublinear algorithm, SLA.Exec, via an MPC. Each party of C broadcasts the resulting output answer to all parties.

Fig. 1. High-level overview of the protocol Π_SLA for secure distributed evaluation of a non-adaptive sublinear algorithm SLA = (SLA.Sel, SLA.Exec)
the MPC will be the set of permuted indices σ(I) := {σ(i) : i ∈ I}. The corresponding committees {C_j : j ∈ σ(I)} are invited to join in a second MPC. Each member of C_j enters the MPC with input equal to his currently held encrypted secret share (of some unknown input x_i, for which j = σ(i)). Each member of C enters the MPC with input equal to his share of the secret decryption key sk. Collectively, the members of C ∪ (∪_{j∈σ(I)} C_j) run an MPC which (1) recombines the shares of sk, (2) decrypts the secret shares held by each C_j, (3) reconstructs each of the relevant inputs x_i, i ∈ I, from the corresponding set of secret shares, (4) executes the sublinear algorithm on the reconstructed inputs, and (5) outputs only the output value dictated by the sublinear algorithm (e.g., for many algorithms, this will simply be YES/NO).

The main challenge is making the complexity of this stage such that only poly(log n, log k) rounds are executed, and only messages of size |x| · poly(log k, log n) are exchanged. This is achieved by performing most of the computations locally via FHE by the parties in the supreme committee, and by generating the randomness to be used in SLA.Sel and SLA.Exec by first agreeing on a poly(k)-short seed of a PRG via coin tossing, and then using the PRG output as the actual randomness.

Extension: Adaptive Algorithms. The above protocol can be modified to accommodate adaptive sublinear algorithms SLA = (SLA.Sel_1, ..., SLA.Sel_q, SLA.Exec) simply by modifying the evaluation phase such that an MPC is run for each next-query procedure SLA.Sel_j to obtain the permuted index ρ(i_j) of the next query. Note that without loss of generality all queries are distinct. As a result of this modification, the number of rounds unavoidably increases: namely, we need O(q) additional rounds to obtain the inputs from the committees C_{ρ(i_j)} one by one. However, the proof and the protocol are otherwise quite similar, and we postpone a more detailed description to the final version of this paper.
Abstract

We  address  the  following  problem:  how  to  execute  any  algorithm  P,  for  an  unbounded 
number  of  executions,  in  the  presence  of  an  adversary  who  observes  partial  information  on 
the  internal  state  of  the  computation  during  executions.  The  security  guarantee  is  that  the 
adversary  learns  nothing,  beyond  P’s  input/output  behavior. 

This  general  problem  is  important  for  running  cryptographic  algorithms  in  the  presence  of 
side-channel  attacks,  as  well  as  for  running  non-cryptographic  algorithms,  such  as  a  proprietary 
search  algorithm  or  a  game,  on  a  cloud  server  where  parts  of  the  execution’s  internals  might  be 
observed. 

Our main result is a compiler which takes as input an algorithm P and a security parameter κ, and produces a functionally equivalent algorithm P'. The running time of P' is a factor of poly(κ) slower than P and is composed of a series of calls to poly(κ)-time computable sub-algorithms. During the executions of P', an adversary algorithm A, which can choose the inputs of P', can learn the results of adaptively chosen leakage functions, each of bounded output size ℓ(κ), on the sub-algorithms of P' and the randomness they use.

We prove that any computationally unbounded A, observing the results of computationally unbounded leakage functions, will learn no more from its observations than it could given black-box access only to the input-output behavior of P. This result is unconditional and does not rely on any secure hardware components.
1 Introduction


This  work  addresses  the  question  of  how  to  compute  any  program  P,  for  an  unbounded  number 
of  executions,  so  that  an  adversary  who  can  obtain  partial  information  on  the  internal  states  of 
executions  of  P  on  inputs  of  its  choice,  learns  nothing  about  P  beyond  its  I/O  behavior. 

This question is interesting for cryptographic as well as non-cryptographic algorithms. In the setting of cryptographic algorithms, the program P is usually viewed as a combination of a public algorithm with a secret key, and the secret key should be protected from side-channel attacks. Stepping out of the cryptographic context, P may be a proprietary search algorithm or a novel numeric computation procedure which we want to protect, say while running in an insecure environment such as a cloud server, where its internals can be partially observed. Looking ahead, our results will not rely on any computational assumptions and thus will be applicable to non-cryptographic settings without adding any new conditions. They will hold even if one-way functions (and cryptography as we know it) do not exist.

The question of executing general computations for an unbounded (continual) number of executions, viewed largely within the context of cryptographic algorithms, has been addressed in the last few years with varying degrees of success in different adversarial settings. The crucial question seems to be how to model the partial information, or leakage, that an adversary can obtain during executions. The goal is to simultaneously capture real-world attacks and achieve the right level of theoretical abstraction.

Impossibility results on obfuscation [BGI+01] imply inherent limitations on the leakage that can be tolerated in the continual attack model for general programs P. Even if only a single bit of leakage is output in each execution, Impagliazzo [Imp10] observes that if this bit can be computed as a function of the entire internal state of the execution, then there exist polynomial-time computable functions f for which no execution can achieve leakage resilience. Thus, to rule out this impossibility, we must put additional restrictions on the leakage attack model.

1.1  Continual  Leakage  Attack  Models  and  Prior  Work 

We  discuss  a  few  leakage  attack  model  restrictions  and  corresponding  results  which  have  been 
considered  for  the  question  of  protecting  general  programs  under  continual  leakage. 

ISW-L. The pioneering work of Ishai, Sahai, and Wagner [ISW03] first considered the question of converting general algorithms to equivalent leakage-resistant algorithms. Their work views algorithms as stateful circuits (e.g. a cryptographic algorithm whose state is its secret key), and considers adversaries which can learn the values of a bounded number of wires in each execution of the circuit, whereas the values of all other wires in that execution are perfectly hidden and all internal wire values are erased between executions. Let L be a global bound on the number of wires that can leak. Then they show how to convert any circuit C into a new circuit C' of size O(|C| · L²) which is unconditionally resilient to leakage of up to L individual wire values. In fact, their method achieves more. The new circuit C' is composed of a sequence of sub-circuits, each of size O(L²), of which the values of L arbitrary wires can leak.

CB-L. Faust, Rabin, Reyzin, Tromer and Vaikuntanathan [FRR+10] extended the leakage model and result of [ISW03]. They still model an algorithm as a stateful circuit, but in every execution they let the adversary learn the result of any bounded-length AC^0-computable function f on the values of all the wires. Let L be a global bound on the output length of the function f. Under the additional assumption that leak-free hardware components exist, they show how to convert any circuit C into a new circuit C' of size O(|C| · L²) which is resilient to leakage of the result of f computed on the entire set of wire values. Similarly to [ISW03], their method actually achieves more. The new circuit C' is composed of a sequence of sub-circuits, each of size O(L²), and is resilient to L bits of AC^0 leakage on each of these sub-circuits.

RAM-L. The RAM model of Goldreich and Ostrovsky [GO96] considers a CPU which loads data from fully protected memory and runs its computations in a secure CPU. [GO96] allowed an adversary to view the access pattern to memory (and showed how to make this access pattern oblivious), but assumed that the CPU's internals and the contents of the memory are perfectly hidden.¹ This was recently extended by Ajtai [Ajt11]. He divides the execution into sub-computations. Within each sub-computation, the adversary is allowed to observe the contents of a constant fraction of the addresses read from memory. These are called the compromised memory accesses (or times). The contents of the un-compromised addresses, and the contents of the main memory not loaded into the CPU, are assumed to be perfectly hidden. Taking L to be a security parameter, [Ajt11] shows how to transform a program P on input size n into a program P' which is divided into sub-computations of size O(L), and is resilient to L compromised accesses in each sub-computation.

OC-L. The Micali-Reyzin [MR04] only-computation axiom assumes that there is no leakage in the absence of computation, but that computation always does leak. This axiom was used in the works of Goldwasser and Rothblum [GR10] and of Juma and Vahlis [JV10], who both transform an input algorithm P (expressed as a Turing machine or a boolean circuit) into an algorithm P' which is divided into sub-computations. An adversary can learn the value of any (adaptively chosen) polynomial-time, length-bounded functions,² computed on each sub-computation's input and randomness. To obtain results in this model, both [GR10] and [JV10] needed to assume the existence of leak-free hardware components that produce samples from a polynomial-time sampleable distribution. Namely, it is assumed that there is no data leakage from the randomness generated and the computation performed inside the device. Assuming the intractability of the DDH problem, [GR10] transform P into P', which is composed of O(|P|) sub-computations, each of size O(poly(L)), and is resilient to leakage of length L on each sub-computation. [JV10] assume the existence of a fully homomorphic encryption scheme, and get P' composed of O(1) sub-computations, one of which has size O(|P| · poly(L)). P' is resilient to leakage of length L on each sub-computation, assuming that the fully homomorphic encryption scheme cannot be broken in time 2^{O(L)}.

The  assumptions  on  the  existence  of  leak-free  secure  hardware  components  make  it  possible, 
in  the  security  proofs  of  [GR10]  and  [JV10],  to  argue  that  the  view  of  the  side  channel  attack  in 
the  real  protocol  is  indistinguishable  from  the  view  output  by  a  polynomial  time  simulator,  which 
samples  a  very  different,  but  computationally  indistinguishable,  distribution. 

Finally, we mention that whereas our focus is on enabling any algorithm to run securely in the presence of continual leakage, continual leakage on restricted computations (e.g. [DP08, Pie09, FKPR10, BKKV10, DHLAW10, LRW11, LLW11]) and on storage ([DLWW11]) has been considered under various additional leakage models in a rich body of recent work. We elaborate on a few pertinent results in Section 1.4.

¹ Alternatively, they assume that the memory contents are encrypted, and that their decryption in the CPU is perfectly hidden.

² In contrast to the AC^0 restriction on f in [FRR+10].
1.2 The New Work


In this paper, we address the question of how to transform any algorithm P into a functionally equivalent algorithm Eval which can be run for an unbounded number of executions in the presence of leakage attacks on the internal state of the executions. Before stating our exact results, let us describe the power of our leakage adversary and the security guarantee to be provided.

Leakage Adversary. The leakage attacks we address are in the "only computation leaks information" model of [MR04]. The algorithm Eval will be composed of a sequence of calls to sub-computations. The leakage adversary A_λ, on input a security parameter 1^κ, can (1) specify a polynomial number of inputs to P and (2) per execution of Eval on input x, request, for every sub-computation of Eval, any λ bits of information of its choice, computed on the entire internal state of the sub-computation, including any randomness the sub-computation may generate.

We stress that we do not put any restriction on the complexity of the leakage adversary A_λ, and that the requested λ bits of leakage may be the result of computing a computationally unbounded function of the internal state of the sub-computation. This is in contrast to previous works, which only allow the adversary to obtain polynomial-time computable functions of the execution's internal state [GR10, JV10, BKKV10, DHLAW10, LRW11, LLW11, DLWW11].

Security Guarantee. Informally, the security guarantee that we provide is that, for any leakage adversary A_λ, whatever A_λ can compute during the execution of Eval, it can compute with black-box access to the algorithm P. Formally, this is proved by exhibiting a simulator which, for every leakage adversary A_λ, given black-box access to the functionality P, simulates a view which is statistically indistinguishable from the real view of A_λ during executions of Eval. The simulated view contains the results of I/O calls to P, as well as the results of applying leakage functions to the sub-computations as they would be seen by A_λ. The running time of the simulator is polynomial in the running time of A_λ and the running time of the leakage functions A_λ chooses.

Informal Main Theorem. We show a compiler that takes as input a program, in the form of a circuit family {C_n}, a secret state y ∈ {0,1}^n, and a security parameter κ, and produces as output a description of a uniform stateful algorithm Eval such that:

1. Eval(x) = C(y, x) for all inputs x.

2. The execution of Eval(x) for |x| = n consists of O(|C_n|) sub-computations, each of complexity (time and space) O(poly(κ)).

3. There exist a simulator Sim, a leakage bound λ(κ) = Ω(κ), and a negligible distance bound δ(κ), such that for every leakage adversary A_λ and κ ∈ N:

Sim^C(1^κ, A) is δ(κ)-statistically close to view(A_λ), where Sim^C(1^κ, A) denotes the output distribution of Sim on input the description of A and with black-box access to C, and view(A_λ) is the view of the leakage adversary during a polynomial number of executions of Eval on inputs of its choice. The running time of Sim is polynomial in that of A and that of the leakage functions chosen by A. The number of oracle calls made is always poly(κ).

Our  result  holds  unconditionally,  without  the  use  of  computational  assumptions  or  leak-free 
hardware.  In  Section  2  we  give  an  overview  of  the  construction,  and  highlight  some  of  the  new 
technical  ideas  of  our  work. 
OC-L and the Leaky CPU Model. An alternative model to OC-L is that of a leaky CPU.
We  proceed  with  an  informal  description  of  this  model.  Computations  are  run  on  a  RAM  with  two 
components: 

1. A CPU which executes instructions from a fixed set of special universal instructions, each of size poly(κ) for a security parameter κ.

2.  A  memory  that  stores  the  program,  input,  output,  and  intermediate  results  of  the  computa¬ 
tion.  The  CPU  fetches  instructions  and  data  and  stores  outputs  in  this  memory. 

The adversary model is as follows:

1. For each program instruction loaded and executed in the CPU, the adversary can learn the value of an arbitrary and adaptively chosen leakage function of bounded output length (output length $\lambda(\kappa)$ in our results). The leakage function is applied to the instruction executed in the CPU, namely it is a function of all inputs, outputs, randomness, and intermediate wires of the CPU instruction being executed.

2. Contents of memory, when not loaded into the CPU, are hidden from the adversary.

Our result, stated in this model, provides a fixed set of CPU instructions, and a compiler which can take any polynomial time computation (say, given in the form of a boolean circuit) and compile it into a program that can be run on this leaky CPU. A leakage adversary as above, who can specify inputs to the compiled program and observe its outputs, learns nothing from the execution beyond its input-output behavior.

Comparison to Prior Work. We now compare our main result to prior work on protecting general programs under continual leakage. See Section 1.4 for other related work.

Comparing to the work of Ishai, Sahai and Wagner [ISW03] in the ISW-L leakage model, they convert any circuit $C$ into a new circuit $C'$, which is composed of $O(|C|)$ sub-circuits each of size $O(L^2)$, and allow the leakage of $L$ arbitrary wires from each sub-circuit. Our transformation converts $C$ into $O(|C|)$ sub-circuits, each of size $O(L^\omega)$, from which $L$ arbitrary bits of information can be leaked (here $\omega$ is the exponent in the best algorithm known for matrix multiplication). These leaked bits can be the output of arbitrary computations on the wire values.

Comparing to the work of Faust et al. [FRR+10] in the CB-L model, the main differences are (i) that construction used secure hardware, whereas we do not use secure hardware, and (ii) in terms of the class of leakage tolerated, they can handle bounded-length $AC^0$ leakage on the entire computation of each execution. We, on the other hand, can handle arbitrary length-bounded OC-L leakage that operates separately (if adaptively) on each sub-computation.

Comparing to the work of Ajtai [Ajt11] in the RAM-L model, he divides the computation into sub-computations of size $O(L)$, and shows resilience to an adversary who sees the full contents of memory loaded into the CPU for $L$ memory accesses, whereas all the other memory accesses are perfectly hidden. Translating our result to the RAM model, we divide the computation into sub-computations of size $O(L^\omega)$, and show resilience against an adversary that can receive $L$ arbitrary bits of information on the entire set of memory accesses and randomness. In particular, there are no protected or hidden accesses.

Comparing to the work of Goldwasser and Rothblum [GR10] and of Juma and Vahlis [JV10] in the OC-L model, the main qualitative difference is that both of those prior works use computational intractability assumptions and secure hardware. Our result, on the other hand, is unconditional and uses no secure hardware components. In terms of quantitative bounds, for security parameter $\kappa$, [JV10] transform a circuit $C$ into a new circuit $C'$ of size $poly(\kappa) \cdot |C|$. The new circuit $C'$ is composed of $O(1)$ sub-circuits (one of the sub-circuits is of size $poly(\kappa) \cdot |C|$). Assuming a fully homomorphic encryption scheme that is secure against adversaries that run in time $\exp(O(L))$, their construction can withstand $L$ bits of leakage on each sub-circuit. For example, if the FHE is secure against $poly(\kappa)$-time adversaries, then the leakage bound is $O(\log \kappa)$. In our new construction, for leakage parameter $L$, there are $O(|C|)$ sub-computations (i.e. more sub-computations), each of size $O(L^\omega)$ (i.e. smaller), and each withstanding $L$ bits of leakage (i.e. the amount of leakage we can tolerate, relative to the sub-computation size, is larger). The quantitative parameters of [GR10] are similar to the current work (up to polynomial factors).

Subsequent Related Work. The compiler provided in this work, and the new tools introduced in its construction, have been used in several subsequent works.

Bitansky et al. [BCG+11] use the compiler to obfuscate programs using leaky secure hardware. In a nutshell, they run each “sub-computation” on a separate leaky secure hardware component. The new challenge in that setting is providing security even when the communication channels between the components are observed and controlled by an adversary.

Boyle et al. [BGJK12] use the compiler to build secure MPC protocols that are resilient to corruptions of a constant fraction of the players and to leakage on each of the players (separately). The MPC should output a function of the players’ inputs computed by some circuit $C$. Intuitively, one can think of each player in the MPC as running one of the “sub-computations” in a compilation of $C$ using our OC-L compiler. The additional challenges here are both adversarial monitoring/control of the communication channels and (more significantly) that the adversary may completely corrupt many of the players/sub-computations.

Using the idea of ciphertext banks, a technical tool introduced in this work, [Rot12] gives a compiler for $AC^0$ leakage in the CB-L model. The new compiler removes the need for secure hardware components that was present in the work of [FRR+10], but its security relies on an unproven computational assumption about the power (or rather, the weakness) of $AC^0$ circuits with pre-processing.

1.3 Connections with Obfuscation

We remark that while protecting cryptographic algorithms from side channels is an immediate application (and motivation) for this work, the question of protecting computations is interesting also for non-cryptographic computations, e.g. if one-way functions do not exist. In particular, our results do not rely on cryptographic assumptions and so they would continue to hold. As a motivating example, consider a proprietary algorithm running on a cloud server, where parts of its internals might be observed.

This motivating example brings to light the fascinating connection between the problem of code obfuscation and leakage resilience for general programs. In a nutshell, one may think of obfuscation of an algorithm as the ultimate “leakage resilient” transformation: if successful, it implies that the resulting algorithm can be “fully leaked” to the adversary; it is under the adversary’s complete control! Since we know that full and general obfuscation is impossible [BGI+01], we must relax the requirements on what we may hope to achieve when obfuscating a circuit. Leakage resilient versions of algorithms can be viewed as one such relaxation. In particular, one may view our result as showing that although we cannot protect general algorithms if we give the adversary a complete view of the code which implements the algorithm (i.e. obfuscation), nevertheless we can (for any algorithm) allow an adversary to have a “partial view” of the execution and only learn its black-box functionality. In our work, this “partial view” is as defined by the “only computation leaks” leakage attack model.

The recent work of Bitansky et al. [BCG+11], mentioned above, makes the connection between obfuscation and the OCL attack model even more explicit. They first strengthen the requirement of the OCL attack model to allow the adversary to control the order of the execution of the sub-components (they call this DCL). They then show that any compiler that converts stateful circuits into circuits that are secure in the DCL model implies the possibility of obfuscation of any program given simple hardware components which themselves are subject to memory leakage attacks.

1.4 Other Related Work

Constructions in the OCL Leakage Model. Various constructions of particular cryptographic primitives [DP08, Pie09, FKPR10], such as stream ciphers and digital signatures, have been proposed in the OCL attack model and proved secure under various computational intractability assumptions. The approach in these results was to consider leakage at design time and construct new schemes which are leakage resilient, rather than a general transformation on non-leakage-resilient schemes.

In the context of a bounded number of executions, we remark that the work of Goldwasser, Kalai and Rothblum [GKR08] on one-time programs implies that any cryptographic functionality can be executed once in the presence of an OCL attack after the initial compilation is done. There, any data that is ever read or written can leak in its entirety (i.e. it tolerates the identity leakage function). This holds under the assumption that one-way functions exist and requires no secure hardware. The idea is that in the compilation stage, one transforms the cryptographic algorithm into a one-time program, with one crucial difference. Whereas one-time programs use special hardware-based memory to ensure that certain portions of this memory cannot be read by the adversary running the one-time program, in the context of leakage the party who runs the one-time program is not an adversary but rather the honest user attempting to protect himself against OCL attacks. In the compilation stage, the honest user stores the entire content of the special hardware-based memory of [GKR08] in ordinary memory. At the execution stage, the user can be trusted to only read those memory locations necessary to run the single execution. Since an OCL attack can only view the contents of memory which are read, the execution is secure. We further observe that the follow-up work of Goyal et al. [GIS+10] on one-time programs, which removes the need for the one-way function assumption, similarly implies that any cryptographic functionality can be executed once in the presence of OCL attacks unconditionally.

Specific Cryptographic Primitives in the Continual Memory Leakage Model. The continual memory-leakage attack model for public key encryption and digital signatures was introduced by Brakerski et al. [BKKV10] and Dodis et al. [DHLAW10]. They consider a model where an adversary can periodically compute arbitrary polynomial time functions of bounded output length $L$ on the entire secret memory of the device. The device has an internal notion of time periods and, at the end of each period, it updates its secret key, using some fresh local randomness, maintaining the same public key throughout. As long as the rate at which the adversary can compute its leakage functions is slower than the update rate, [BKKV10, DHLAW10, LRW11, LLW11] can construct leakage resilient public-key primitives which are still semantically secure under various intractability assumptions on problems on bilinear groups. The continual memory leakage model is quite strong: it does not restrict the leakage functions, as in say ISW-L, to output individual wire values, or as in CB-L, to $AC^0$ bounded functions, nor does it restrict the leakage functions to compute locally on sub-computations, as in RAM-L or OC-L. However, as pointed out by the impossibility result discussed above, this model cannot offer the kind of generality or security that we are after. In particular, the results in [BKKV10, DHLAW10, LRW11, LLW11] do not guarantee that the view the attacker obtains during the execution of a decryption algorithm is “computationally equivalent” to an attacker viewing only the I/O behavior of the decryption algorithm. For example, say an adversary’s goal in choosing its leakage requests is to compute a bit about the plaintext underlying ciphertext $c$. In the [BKKV10, DHLAW10] model, it will simply compute a leakage function that decrypts $c$ and outputs the requested bit. This could not be computed from the view of the I/O of the decryption algorithms decrypting ciphertexts which are unrelated to $c$.

Continual Leakage on a Stored Secret. A recent independent work of Dodis, Lewko, Waters, and Wichs [DLWW11] addresses the problem of how to store a value $S$ secretly on devices that continually leak information about their internal state to an external attacker. They design a leakage resilient distributed storage method: essentially storing an encryption of $S$, denoted $E_{sk}(S)$, on one device and storing $sk$ on another device, for a semantically secure encryption method $E$ which: (i) is leakage resilient under the linear assumption in prime order groups, and (ii) is “refreshable” in that the secret key $sk$ and $E_{sk}(S)$ can be updated periodically. Their attack model is that an adversary can only leak on each device separately, and that the leakage will not “keep up” with the update of $sk$ and $E_{sk}(S)$. One may view the assumption of leaking separately on each device as essentially a weak version of the only computation leaks axiom, where locality of leakage is assumed per “device” rather than per “computation step”. We point out that storing a secret on continually leaky devices is a special case of the general results described above [ISW03, FRR+10, GR10, JV10], as they all must implicitly maintain the secret “state” of the input algorithm (or circuit) throughout its continual execution. The beauty of [DLWW11] is that no interaction is needed between the devices, and they can update themselves asynchronously.

We proceed to present an overview of our compiler and highlight some of our main technical contributions in Section 2 below. The full definitions, tools, and specifications of the compiler are in the subsequent sections. See the roadmap in Section 2.4.

2 Compiler Overview and Technical Contributions

The main contribution of this paper is a compiler which takes any algorithm in the form of a boolean circuit and transforms it into a functionally equivalent probabilistic stateful algorithm. A user can run this transformed secure algorithm for an unbounded (polynomial) number of executions. The security guarantee is that any computationally unbounded adversary who launches a leakage attack on the algorithm’s executions learns nothing more than the input-output behavior.

In this section, we give an overview of the compiler, its main components, and the technical ideas introduced. The transformed secure algorithm is executed repeatedly, on a sequence of inputs chosen by an adversary. Each execution of the transformed secure algorithm proceeds by a sequence of sub-computations, and the adversary’s view of each execution is through the results of a sequence of leakage functions (chosen adaptively and with bounded output length), applied to these sub-computations.

The first component in our construction is a leakage-resilient one-time pad cryptosystem (LROTP), which we refer to as the subsidiary cryptosystem. See Section 2.1 for further details. We remark that it is important to distinguish between the leakage resilience of the secure transformed algorithm and the leakage resilience of the subsidiary LROTP keys and ciphertexts. Whereas the LROTP scheme retains security even after direct applications of bounded output length leakage on the LROTP keys and ciphertexts (separately), the security guarantee for the transformed algorithm is that, even under a leakage attack on its execution, there will be no leakage at all on its internal state or secrets. All that an adversary can learn is its input-output behavior.

Our compiler transforms a program by encrypting the bits of its description using the LROTP cryptosystem. In Section 2.2, we show how to use these encryptions to compute the program’s output on a single given input. This “one-time” safe evaluation is resilient to OC leakage attacks. The main new component we use is a procedure for “safe homomorphic evaluation” of LROTP-encrypted bits.

In Section 2.3 we show how to extend the one-time safe evaluation to any polynomial number of safe evaluations. This yields a compiler that is secure against continual OC leakage attacks. Here we use a new technical tool of “ciphertext banks”, which allow us to repeatedly generate secure ciphertexts even under leakage.

2.1 Leakage-Resilient One Time Pad

Our construction uses a leakage resilient one-time pad cryptoscheme (LROTP) as one of its main components. This simple private-key encryption scheme uses a vector $key \in \{0,1\}^\kappa$ as its secret key, and each ciphertext is also a vector $c \in \{0,1\}^\kappa$. The plaintext underlying $c$ (under $key$) is the inner product: $Decrypt(key, c) = \langle key, c \rangle$. The scheme maintains the invariants that $key[0] = 1$ and $c[1] = 1$, for any key $key$ and ciphertext $c$. We generate each key to be uniformly random under this invariant. To encrypt a bit $b$, we choose a uniformly random $c$ s.t. $c[1] = 1$ and $Decrypt(key, c) = b$.

The LROTP scheme is remarkably well suited for our goal of transforming general computations to resist leakage attacks. In particular, we highlight several properties of LROTP, specified below, that are used in our construction. See Section 4 for further details.

• Semantic Security under Multi-Source Leakage. Semantic security of LROTP holds against an adversary who launches leakage attacks on both a key and a ciphertext encrypted under that key. This might seem impossible at first glance. The reason it is possible is two-fold: first, due to the nature of our attack model, the adversary can never apply a leakage function to the ciphertext and the secret key simultaneously (otherwise it could decrypt); second, the leakage from the ciphertext is of bounded length. This ensures that the adversary cannot learn enough of the ciphertext to be useful for it at a later time, when it could apply an adaptively chosen leakage function to the secret key (otherwise, again, it could decrypt).

Translating this reasoning into a proof, we show that semantic security is retained under concurrent attacks of bounded leakage length $O(\kappa)$ on $key$ and $c$. As long as leakage is of bounded length and operates separately on $key$ and on $c$, they remain (w.h.p.) high entropy sources, and are independent up to their inner product equaling the underlying plaintext. We call such sources independent up to orthogonality; see Definition 3.10. Since the inner product function is a two-source extractor (see Lemma 3.7), the underlying plaintext is statistically close to uniformly random even given the leakage. Moreover, this is true even for computationally unbounded adversaries and leakage functions.

To ensure that the leakage operates separately on $key$ and $c$, we take care in our construction not to load ciphertexts and keys into working memory simultaneously. There will be one exception to this rule (see below), where a key and ciphertext will be loaded into working memory simultaneously, but this will be done only after ensuring that the ciphertexts are “blinded” and contain no sensitive information.

• Key and Ciphertext Refreshing. We give procedures for “refreshing” LROTP keys and ciphertexts, injecting new entropy while maintaining the underlying plaintexts. We overview here the case of key refresh; ciphertext refresh is similar. The key entropy generator outputs a uniformly random $a \in \{0,1\}^\kappa$ s.t. $a[0] = 0$. This $a$ is used to inject new entropy into the key by updating $key' \leftarrow (key \oplus a)$, so that $key'$ is a uniformly random key, independent of $key$. $a$ can also be used on its own, without knowledge of the key, to “correlate” $c$ to a new ciphertext $c'$ s.t. $Decrypt(key', c') = Decrypt(key, c)$. The requirement that refreshing ciphertexts must not use the key is due to the fact that we always want to avoid loading the ciphertext and key into memory at once (otherwise a leakage attack can decrypt and learn the plaintext). It follows that without any leakage, the new key or ciphertext is a uniformly random one that maintains the underlying plaintext.

In this work, key and ciphertext refreshing is used to obtain security properties even in the presence of leakage. One task that we will consider is permuting $m$ key-ciphertext pairs that all have the same underlying plaintext.3 We refresh all $m$ pairs and then permute them using a random permutation $\pi$. If there is no leakage on this refresh-and-permute procedure, then it follows that even given the $m$ input key-ciphertext pairs and the $m$ refreshed-and-permuted pairs, the permutation used looks uniformly random. Furthermore, even if there is a bounded amount of leakage on the refresh-and-permute procedure, the distribution of the permutation used, given all input and output key-ciphertext pairs, will have high entropy.

The example above shows that a single application of key-ciphertext refresh can give security guarantees even in the presence of OC leakage. In particular, it maintains security of the underlying plaintext. It is natural to hope that a large number of composed applications of refresh to a key-ciphertext pair also maintains security of the underlying plaintext. However, after a large enough number of composed applications, an OC leakage adversary can successfully reconstruct the underlying plaintext. This attack is described in Section 4.2. Intuitively, it “kicks in” once the length of the accumulated leakage is a large constant fraction of the key and ciphertext length. Our construction uses composed applications of refresh, but we take care that the accumulated leakage is never a large enough fraction of the key-ciphertext length. We show that the security properties we use are maintained under a bounded number of composed applications of refresh.

• Homomorphic Addition. For $key$ and two ciphertexts $c_1, c_2$, we can homomorphically add by computing $c' \leftarrow (c_1 \oplus c_2)$. By linearity, the plaintext underlying $c'$ is the XOR of the plaintexts underlying $c_1$ and $c_2$.

3 To be precise, we will consider a related task of independently permuting $m$ sets, each comprising 4 key-ciphertext pairs, and the ciphertexts in each set will not all have the same underlying plaintexts. We find the simplified question of permuting $m$ pairs with the same underlying plaintext, as considered here, to be illuminating.
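As an added illustration (not code from the paper or its authors), the following Python toy models the LROTP properties listed above: key generation under the key[0] = 1 and c[1] = 1 invariants, inner-product decryption, key refresh with a[0] = 0 together with key-free ciphertext correlation, composed refreshes, and homomorphic XOR. The concrete correlation rule (flip c[0] whenever ⟨a, c⟩ = 1) and the parameter KAPPA = 64 are assumptions made here; the paper's own refresh procedures are specified in its Section 4.

```python
"""Toy model of the LROTP private-key scheme of Section 2.1 over GF(2).

Added example, not the paper's code.  Invariants taken from the text:
key[0] = 1, c[1] = 1, Decrypt(key, c) = <key, c>.  The ciphertext
correlation rule (flip c[0] when <a, c> = 1) is one rule that satisfies the
text's requirement that correlating c to key' must never touch key; the
paper's own refresh procedures are in its Section 4.
"""
import secrets

KAPPA = 64  # security parameter; constructed value, small for illustration


def inner_product(u, v):
    """<u, v> over GF(2): parity of the bitwise AND."""
    assert len(u) == len(v)
    return sum(x & y for x, y in zip(u, v)) & 1


def key_gen(kappa=KAPPA):
    """Uniformly random key subject to the invariant key[0] = 1."""
    key = [secrets.randbits(1) for _ in range(kappa)]
    key[0] = 1
    return key


def encrypt(key, b):
    """Uniformly random c with c[1] = 1 and <key, c> = b.

    Positions 2..kappa-1 are random, c[1] = 1 by invariant, and c[0] is
    solved for: because key[0] = 1, toggling c[0] toggles <key, c>.
    """
    c = [secrets.randbits(1) for _ in range(len(key))]
    c[1] = 1
    c[0] = 0
    c[0] = inner_product(key, c) ^ b
    return c


def decrypt(key, c):
    return inner_product(key, c)


def key_entropy(kappa=KAPPA):
    """Refresh vector a: uniform with a[0] = 0, so key XOR a keeps key[0] = 1."""
    a = [secrets.randbits(1) for _ in range(kappa)]
    a[0] = 0
    return a


def refresh_key(key, a):
    """key' = key XOR a: a fresh uniformly random key, independent of key."""
    return [k ^ x for k, x in zip(key, a)]


def correlate_ciphertext(c, a):
    """Map c to c' with <key XOR a, c'> = <key, c>, using a only (never key).

    <key XOR a, c> = <key, c> XOR <a, c>.  When <a, c> = 1 the extra term is
    cancelled by flipping c[0]: since key[0] = 1 and a[0] = 0, that flip
    changes <key XOR a, .> by exactly one bit.  c[1] stays 1.
    """
    c2 = list(c)
    if inner_product(a, c) == 1:
        c2[0] ^= 1
    return c2


def refresh_pair(key, c, rounds):
    """Compose `rounds` refreshes of a key-ciphertext pair.  Correctness holds
    for any number of rounds; the text's caveat is that *security* under
    leakage only holds for a bounded number of compositions."""
    for _ in range(rounds):
        a = key_entropy(len(key))
        key, c = refresh_key(key, a), correlate_ciphertext(c, a)
    return key, c


def homomorphic_xor(c1, c2):
    """Ciphertext of b1 XOR b2 under the same key, by linearity of <., .>.
    The raw sum has c[1] = 1 XOR 1 = 0; the text does not say how the c[1]
    invariant is restored for sums, so only decryption is checked here."""
    return [x ^ y for x, y in zip(c1, c2)]


def self_check(trials=50):
    """Exercise every property above; returns True iff all checks pass."""
    for _ in range(trials):
        key = key_gen()
        for b in (0, 1):
            c = encrypt(key, b)
            if c[1] != 1 or decrypt(key, c) != b:
                return False
            key2, c2 = refresh_pair(key, c, rounds=8)
            if key2[0] != 1 or c2[1] != 1 or decrypt(key2, c2) != b:
                return False
        if decrypt(key, homomorphic_xor(encrypt(key, 1), encrypt(key, 1))) != 0:
            return False
    return True
```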
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We  note  that  the  construction  in  [GR10]  relied  on  several  similar  properties  of  a  computationally 
secure  public-key  leakage  resilient  scheme:  the  BHHO/Naor-Segev  scheme  [BHHO08,  NS09].  Here 
we  achieve  these  properties  with  information  theoretic  security  and  without  relying  on  intractability 
assumptions  such  as  Decisional  Diffie  Heilman. 

2.2  Leakage-Resilient  Compiler  Overview:  One-Time  Secure  Evaluation 

Here  we  describe  the  high-level  structure  of  the  compilation  and  evaluation  algorithm  for  a  single 
secure  execution.  In  Section  2.3  we  will  show  how  to  extend  this  framework  to  support  any  poly¬ 
nomial  number  of  secure  executions.  We  note  that  the  high-level  structure  of  the  compilation  and 
evaluation  algorithm  builds  on  the  construction  of  [GR10] .  The  building  blocks,  however,  are  very 
different,  as  the  subsidiary  cryptosystem  is  now  LROTP,  and  we  now  longer  use  secure  hardware. 

The  input  to  the  compiler  is  a  secret  input  y  £  {0,  l}n,  and  a  public  circuit  C  of  size  poly{n)  that 
is  known  the  adversary.  The  circuit  takes  as  inputs  the  secret  y,  and  also  public  input  x  £  {0,  l}n 
(which  may  be  chosen  by  the  adversary),  and  produces  a  single  bit  output.  One  can  think  of  C 
as  a  universal  circuit,  where  y  describes  a  particular  algorithm  that  is  to  be  protected.  Or,  C  can 
be  a  public  cryptographic  algorithm  (say  for  producing  digital  signatures),  and  y  is  a  secret  key. 

The  output  of  the  compiler  on  C  and  y  is  a  probabilistic  stateful  evaluation  algorithm  Eval 
(with  a  state  which  will  be  updated  during  each  run  of  Eval),  such  that  for  all  x  £  {0,  l}n, 
C(y,x )  =  Eval(y,x).  The  compiler  is  run  exactly  once  at  the  beginning  of  time  and  is  not  subject 
to  leakage.  See  Section  3.4  for  a  formal  definition  of  utility  and  security  under  leakage.  In  this 
section,  we  describe  an  initialization  of  Eval  that  suffices  for  a  single  secure  execution  on  any 
adversarially  chosen  input. 

Without  loss  of  generality,  the  circuit  C  is  composed  of  NAND  gates  with  fan-in  2  and  fan-out 
1,  and  duplication  gates  with  fan-in  1  and  fan-out  2.  We  assume  a  lexicographic  ordering  on  the 
circuit  wires,  s.t.  if  wire  k  is  the  output  wire  of  gate  g  then  for  any  input  wire  i  of  the  same  gate, 
i  <  k.  The  Eval  algorithm  keeps  track  of  the  value  Vi  £  {0, 1}  on  each  wire  i  of  the  original  input 
circuit  C(y,x)  in  a  secret-shared  form:  Vi  =  ai  ©  bi,  where  a*,  bi  £  {0,1}.  The  invariant  for  every 
wire  is  that  the  a*  shares  are  public  and  known  to  all,  including  the  leakage  adversary,  whereas  bi 
are  private:  they  are  kept  encrypted  by  a  LROTP  ciphertext (s)  encrypted  under  kepi-  There  is  one 
key  for  each  circuit  wire  i.  For  each  input  wire  i ,  there  is  a  single  ciphertext  c}n.  For  the  output 
wire  output,  there  is  a  single  ciphertext  output-  For  each  internal  wire  i,  an  output  wire  for  gate  g 
and  an  input  wire  for  gate  h,  there  are  two  ciphertexts  c?ut  and  c)n  (both  with  the  same  underlying 
plaintext  bi  and  the  same  key  kepi).  Intuitively,  c?ut  is  used  in  a  computation  corresponding  to 
gate  g  (for  which  i  is  an  output  wire),  and  c)n  is  used  in  a  computation  corresponding  to  gate  h 
(for  which  i  is  an  input  wire). 

We  emphasize  that  the  adversary  does  not  actually  ever  see  any  key  or  ciphertext  -  let  alone  the 
underlying  plaintext  -  in  their  entirely.  Rather,  the  adversary  only  sees  the  result  of  bounded-length 
leakage  functions  that  operate  separately  on  these  keys  and  ciphertexts. 

Initialization  for  One-Time  Evaluation.  To  initialize  Eval  for  a  single  secure  execution,  we 
generate  keys  and  ciphertexts  for  the  output  wires,  the  internal  wires,  and  the  y-input  wires  (ini¬ 
tialization  is  performed  without  leakage).  This  is  done  as  follows.  For  each  bit  y[j]  of  the  y-input 
that  is  carried  on  a  wire  i,  we  generate  a  key-ciphertext  pair  (/cey^cf1)  with  underlying  plaintext 

4We  restrict  our  attention  to  single  bit  output,  the  case  of  multi-bit  outputs  also  follows  using  the  same  ideas. 
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y[j].  The  input  wire’s  bit  value  Vi  is  thus  encoded  by  at  =  0  and  bi  =  y[j).  For  each  internal  wire 
i,  we  choose  bi  uniformly  at  random,  and  we  generate  a  key  keyi  and  two  ciphertexts  cfut  and  cf1 
that  both  have  underlying  plaintext  bi  (under  the  key  keyi).  The  internal  wire’s  bit  value  Vi  will  be 
encoded  by  bi  {0, 1}  and  a*  =  6*  ©  Vi  (which  we  have  not  yet  computed).  For  the  output  wire 
output,  we  generate  (key  output,  c™ftput)  with  underlying  plaintext  0.  The  output  bit  will  be  encoded 
by  b output  =  0,  and  aoutput ,  the  public  share,  that  will  equal  the  output  value  C(y,x).  The  output 
wire’s  public  share  aoutput  will  be  computed  during  evaluation  once  the  input  x  is  specified. 

This  initialization  suffices  for  a  single  execution  (see  below).  Looking  ahead,  the  main  challenge 
for  multiple  execution  will  be  securely  generating  the  keys  ciphertexts  for  each  wire  even  in  the 
presence  of  OC  leakage.  See  Section  2.3. 

Eval  on  input  x.  When  a  (non  secret)  input  x  is  selected  for  Eval,  we  generate  ciphertexts  for 
the  x-input  wires.  This  determines  the  private  shares  (independently  of  the  input  x),  and  sets 
the  stage  for  computing  the  public  shares — culminating  with  the  computation  of  the  output  wire’s 
public  share,  which  equals  the  circuit’s  output. 

We proceed as follows. Each bit $x[j]$ of the x-input that is carried on wire $i$ is encoded by $a_i = x[j]$ and $b_i = 0$, where $b_i$ is the underlying plaintext for a randomly chosen $(key_i, c_i^{in})$. Given these keys and ciphertexts for the x-input, and those generated in the initialization, we now have, for each circuit wire $i$, a key and (one or two) ciphertexts whose underlying plaintext(s) equal $b_i$. We also have, for each circuit input wire $i$, a public share $a_i$.

Eval proceeds to compute the public shares of the internal and output wires one by one, using a safe homomorphic computation procedure discussed below. The output is the public share $a_{output} = C(y, x)$. Throughout the computation, all the private shares $b_i$ are protected from the leakage adversary. Each internal $b_i$ looks “uniformly random” to the adversary, even under leakage. Thus, the public shares $a_i$ of the internal wires reveal nothing about the actual values $v_i$ on those wires. All the adversary “sees” are the input $x$ and the output $a_{output} = C(y, x)$. The main remaining challenge is evaluating the public shares without exposing the private shares.

Challenge I: Leakage-Resilient “Safe NAND” Computation. We seek a procedure that, for a NAND gate, takes as input the public shares for the gate's input wires, and the encrypted private shares for the gate's input wires and output wire. The output should be the correct public share of the gate's output wire. For security, we require that even under leakage, this procedure exposes nothing about the private shares of the gate's input wires and output wire (beyond the value of the output wire's public share). We also need a similar procedure for the aforementioned duplication gates, but we focus here on the more challenging case of NAND. We give an overview of this procedure, which we call SafeNAND, in Section 2.2.1.

2.2.1  Leakage  Resilient  SafeNAND 

For a NAND gate with input wires $i, j$ and output wire $k$, the input to SafeNAND is public shares $a_i, a_j \in \{0,1\}$, and ciphertext-key pairs $(key_i, c_i^{in}, key_j, c_j^{in}, key_k, c_k^{out})$. We use $b_i, b_j, b_k \in \{0,1\}$ to denote (respectively) the plaintext bits underlying these key-ciphertext pairs. The goal is to output

$$a_k = \big((a_i \oplus b_i)\ \mathrm{NAND}\ (a_j \oplus b_j)\big) \oplus b_k$$

moreover, we want to do this using a procedure that, even under leakage, exposes nothing about $(b_i, b_j, b_k)$ beyond the output $a_k$. We proceed with an overview; see Section 6 for details.
As a starting point, we first choose a fresh new key $key' \leftarrow KeyGen(1^\kappa)$, and compute $c'_i, c'_j, c'_k$ whose underlying plaintexts under this new key remain $b_i, b_j, b_k$. This uses the key refresh property of the LROTP scheme. Once the ciphertexts are all encrypted under the same key, we can use the homomorphic addition properties of LROTP. Starting with an idea of Sander, Young and Yung [SYY99], we can compute NAND by first computing a 4-tuple of encryptions:

$$C = \big(c'_k,\ ((a_i, 0, \ldots, 0) \oplus c'_i \oplus c'_k),\ ((a_j, 0, \ldots, 0) \oplus c'_j \oplus c'_k),\ ((1 \oplus a_i \oplus a_j, 0, \ldots, 0) \oplus c'_i \oplus c'_j \oplus c'_k)\big)$$

Note that the plaintexts underlying the 4 ciphertexts in $C$ are:

$$\big(b_k,\ (a_i \oplus b_i \oplus b_k),\ (a_j \oplus b_j \oplus b_k),\ (1 \oplus a_i \oplus b_i \oplus a_j \oplus b_j \oplus b_k)\big)$$

and that if $a_k = 0$, then 3 of these plaintexts will be 1 and one will be 0, whereas if $a_k = 1$, then 3 of the plaintexts will be 0 and one will be 1.

The first idea may be to simply decrypt $C$ (using $key'$), and compute $a_k$ based on the number of 0's and 1's among the plaintexts underlying $C$. We cannot do this, however, since the locations of the 0's and 1's might reveal (via the adversary's leakage) information about $(b_i, b_j, b_k)$ beyond just the value of $a_k$. A natural idea, then, is to permute the ciphertexts before decrypting. This, indeed, is what was suggested by [SYY99]. Our problem, however, is that any permutation we use might leak. What we seek, then, is a method for randomly permuting the ciphertexts even under leakage.
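As an added worked example (not code from the report), the share encoding and the SYY-style 4-tuple above over a toy LROTP: the plaintext is the GF(2) inner product of key and ciphertext, and keys have first coordinate 1 (an assumption implied by adding $(a, 0, \ldots, 0)$ to shift a plaintext by $a$). The leakage-resilient Permute step is replaced by a plain shuffle, so the block checks the correctness of the 3-versus-1 counting rule, not leakage resilience.

```python
import secrets

KAPPA = 16  # toy key/ciphertext length (constructed; far below a real security parameter)
_rng = secrets.SystemRandom()


def inner(x, y):
    """Inner product over GF(2) of two equal-length bit lists."""
    return sum(a & b for a, b in zip(x, y)) & 1


def xor_vec(*vecs):
    """Coordinate-wise XOR of bit lists (the homomorphic addition of LROTP)."""
    out = [0] * KAPPA
    for v in vecs:
        out = [a ^ b for a, b in zip(out, v)]
    return out


def keygen():
    """Toy LROTP key: uniformly random except key[0] = 1 (assumption, see lead-in)."""
    return [1] + [_rng.randrange(2) for _ in range(KAPPA - 1)]


def encrypt(key, bit):
    """Uniformly random ciphertext c with <key, c> = bit (rejection sampling)."""
    while True:
        c = [_rng.randrange(2) for _ in range(KAPPA)]
        if inner(key, c) == bit:
            return c


def decrypt(key, c):
    return inner(key, c)


def refresh_to_key(key, c, new_key):
    """Move c to new_key with the same plaintext. Stands in for the LROTP key-refresh
    property; this toy simply re-encrypts, which a leakage-resilient refresh must avoid."""
    return encrypt(new_key, decrypt(key, c))


def const_vec(bit):
    """(bit, 0, ..., 0): XORing it into a ciphertext adds `bit` to the plaintext."""
    return [bit] + [0] * (KAPPA - 1)


def nand_tuple(a_i, a_j, c_i, c_j, c_k):
    """The 4-tuple C of the overview, with c_i, c_j, c_k already under one key."""
    return [
        c_k,
        xor_vec(const_vec(a_i), c_i, c_k),
        xor_vec(const_vec(a_j), c_j, c_k),
        xor_vec(const_vec(1 ^ a_i ^ a_j), c_i, c_j, c_k),
    ]


def tuple_plaintexts(key, tup):
    """Decrypts every entry of the tuple; should match the 4-tuple of plaintexts above."""
    return [decrypt(key, c) for c in tup]


def safe_nand(a_i, a_j, key_i, c_i, key_j, c_j, key_k, c_k):
    """Public share a_k of the gate's output wire, from the inputs' public shares and
    the encrypted private shares b_i, b_j, b_k."""
    new_key = keygen()
    ci = refresh_to_key(key_i, c_i, new_key)
    cj = refresh_to_key(key_j, c_j, new_key)
    ck = refresh_to_key(key_k, c_k, new_key)
    tup = nand_tuple(a_i, a_j, ci, cj, ck)
    _rng.shuffle(tup)  # plain shuffle; the report's Permute does this under leakage
    ones = sum(tuple_plaintexts(new_key, tup))
    # three 1's and one 0 means a_k = 0; three 0's and one 1 means a_k = 1
    if ones not in (1, 3):
        raise ValueError("tuple does not have the 3-versus-1 pattern")
    return 0 if ones == 3 else 1


def check_all_share_settings():
    """Exhaustively verifies a_k = ((a_i + b_i) NAND (a_j + b_j)) + b_k over all 32 settings."""
    for bits in range(32):
        a_i, b_i, a_j, b_j, b_k = [(bits >> s) & 1 for s in range(5)]
        key_i, key_j, key_k = keygen(), keygen(), keygen()
        a_k = safe_nand(a_i, a_j, key_i, encrypt(key_i, b_i),
                        key_j, encrypt(key_j, b_j), key_k, encrypt(key_k, b_k))
        expected = (1 ^ ((a_i ^ b_i) & (a_j ^ b_j))) ^ b_k
        if a_k != expected:
            return False
    return True
```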

Permute: Securely Permuting under Leakage. The leakage-resilient permutation procedure Permute takes as input $key'$ and a 4-tuple $C$, consisting of 4 ciphertexts. Permute makes 4 copies of $key'$, and then proceeds in iterations. The input to each iteration is two 4-tuples, one of keys and one of ciphertexts. The output of each iteration is a 4-tuple of keys and corresponding ciphertexts, whose underlying plaintexts are some permutation of those in that iteration's input. The key property is that the permutation chosen in each iteration will look “fairly random” even to a leakage adversary. As a result, the composition of these permutations over many iterations will look (statistically close to) uniformly random. The “fairly random” property of each iteration is achieved by a “duplicate and permute” step:

1.  creating  many  copies  of  the  input  key  and  ciphertext  4-tuples 

2.  refreshing  each  tuple-copy  using  key-ciphertext  refresh  as  in  Section  2.1  (each  refresh  uses 
independent  randomness) 

3.  permuting  each  tuple-copy  using  an  independently  chosen  uniformly  random  permutation 

Given  (length-bounded)  leakage  from  the  above  “duplicate-and-permute”  step  of  each  iteration, 
most  of  the  permutations  chosen  will  look  “fairly  uniform”.  Finally,  after  the  leakage  from  each 
iteration’s  duplicate-and-permute  step  has  occurred,  one  of  the  tuple-copies  is  chosen.  We  will  show 
that  the  permutation  used  for  this  tuple-copy  will  (w.h.p.)  look  “fairly  random”,  even  given  the 
leakage.  The  tuple-copy  chosen  in  each  iteration  is  then  fed  as  input  to  the  next  iteration. 

The Permute procedure does this for $\ell$ iterations. We show that the composition of all permutations used is $\exp(-\Omega(\ell))$-statistically close to uniformly random, even given the leakage from all $\ell$ iterations of Permute. This is the high-level intuition for the security of Permute and SafeNAND (omitting many non-trivial details).
2.3  Leakage-Resilient  Compiler  Overview:  Multiple  Secure  Evaluations 

In  this  section  we  modify  the  Init  and  Eval  procedures  described  in  Section  2.2  to  support  any 
polynomial  number  of  secure  evaluations.  The  main  challenge  is  generating  secure  key-ciphertext 
pairs  for  the  output  and  the  y-input  wires. 

Challenge II: Ciphertext Generation under Continual Leakage. We seek a procedure for repeatedly producing $(key_i, c_i)$ pairs. For each y-input wire $i$ corresponding to the $j$-th bit of $y$, the underlying plaintext should be $y[j]$. For the output wire $output$, the underlying plaintext should be 0. We also seek a procedure for repeatedly producing $key_i$ and a pair of ciphertexts $(c_i^{out}, c_i^{in})$ that both have the same independently random underlying plaintext $b_i \leftarrow \{0,1\}$. For security, the underlying plaintexts of the keys and ciphertexts produced should be completely protected even under (repeated) leakage in all the generations.

In  previous  works  such  as  [FRR+10,  JV10,  GR10],  similar  challenges  were  (roughly  speaking) 
overcome  using  secure  hardware  to  generate  “fresh”  encodings  of  leakage-resilient  plaintexts  from 
scratch  in  each  execution. 

We generate key-ciphertext pairs using ciphertext banks. We begin by describing this new tool and how it is used for repeated secure generations with a fixed underlying plaintext bit. This is what is needed for the y-input and the output wire. We then describe how a ciphertext bank is used to generate a sequence of keys and pairs of ciphertexts (with uniformly random underlying plaintexts) for the internal wires.

A ciphertext bank is initialized once using a BankInit(b) procedure, where $b$ is either 0 or 1 (there is no leakage during initialization). It can then be used, via a BankGen procedure, to repeatedly generate key-ciphertext pairs with underlying plaintext bit $b$, for an unbounded polynomial number of generations. A BankUpdate procedure is used between generations to inject entropy into the ciphertext bank. The intuition behind the ciphertext bank security requirement is that, even under leakage from the repeated generations, the plaintext underlying each key-ciphertext pair is protected. In particular, there are efficient simulation procedures that have arbitrary control over the plaintexts underlying the key-ciphertext pairs that the bank produces. Leakage from the simulated calls is statistically close to leakage from the “real” ciphertext bank calls. We outline these procedures in Section 2.3.1 below. See Section 5 for details.

Using ciphertext banks, we modify the initialization and evaluation outlined in Section 2.2. In initialization, for each y-input bit $y[j]$, carried on wire $i$, we initialize a ciphertext bank for repeatedly generating key-ciphertext pairs with underlying plaintext $y[j]$. For the output wire we initialize a ciphertext bank for repeatedly generating key-ciphertext pairs with underlying plaintext 0. In Eval, we add an initial step where the ciphertext banks of each y-input wire and of the output wire are used to securely generate a key-ciphertext pair for that wire. After this first step, given an input $x$, Eval proceeds as outlined in Section 2.2.

Finally, to generate a sequence of keys and pairs of ciphertexts for the internal wires, we also provide a BankRedraw procedure. This procedure re-draws a new, uniformly and independently random plaintext bit, that will underlie the key-ciphertext pairs produced by the bank. To generate a key and a pair of ciphertexts with the same underlying plaintext we simply call BankGen twice: the key produced in both calls will be the same, but the ciphertexts produced will be different (albeit with the same underlying plaintext). After this pair of generations, we call BankRedraw to re-draw the underlying plaintext bit and then BankUpdate to inject new entropy. We note that it is the call to BankUpdate that changes the key that will be produced in future BankGen calls. For security, we provide efficient simulation procedures that have arbitrary control over the plaintext bits underlying the key-ciphertext pairs that are produced. As above, leakage from simulated calls is statistically close to leakage from the “real” calls. See the overview below in Section 2.3.1, and Section 5 for further details.

We can now repeatedly generate keys and ciphertext-pairs for internal wires even under leakage. For this, we further modify the initialization and evaluation outlined in Section 2.2. In initialization, we initialize a (single) additional ciphertext bank for the internal wires. This bank is initialized to generate key-ciphertext pairs with a uniformly random underlying plaintext bit. In Eval, for each internal wire we use two BankGen calls to this bank to generate a key and two ciphertexts. After each two such calls we use BankRedraw and BankUpdate to re-draw the underlying plaintext bit for the next wire and to inject new entropy.

This completes the high-level description of our Init and Eval procedures; the full procedures are in Section 7.

2.3.1  Ciphertext  Banks  for  Secure  Generation 

The ciphertext bank state consists of an LROTP key $key$, and a collection $C$ of $2\kappa$ ciphertexts. We view $C$ as a $\kappa \times 2\kappa$ matrix, whose columns are the ciphertexts. In the BankInit procedure, on input $b$, $key$ is drawn uniformly at random, and the columns of $C$ are drawn uniformly at random s.t. the plaintext underlying each column equals $b$. This invariant will be maintained throughout the ciphertext bank's operation, and we call $b$ the bank's underlying plaintext bit.

The  BankGen  procedure  outputs  key  and  a  linear  combination  of  C’s  columns.  The  linear 
combination  is  chosen  uniformly  at  random  s.t.  it  has  parity  1.  This  guarantees  that  it  will  yield 
a  ciphertext  whose  underlying  plaintext  is  b. 

The BankUpdate procedure injects new entropy into $key$ and into $C$: we refresh the key using the LROTP key refresh property, and we refresh $C$ by multiplying it with a random $2\kappa \times 2\kappa$ matrix whose columns all have parity 1. These refresh operations are performed under leakage.

The BankRedraw procedure chooses a uniformly random ciphertext $v \in \{0,1\}^\kappa$, and adds it to all the columns of $C$. If the inner product of $key$ and $v$ is 0 (happens w.p. 1/2), then the bank's underlying plaintext bit is unchanged. If the inner product is 1 (also w.p. 1/2), then the bank's underlying plaintext bit is flipped.

For security, we provide a simulation procedure SimBankGen that can arbitrarily control the value of the plaintext bit underlying the key-ciphertext pair it generates. Here we maintain a simulated ciphertext bank, consisting of a key and a matrix, similarly to the real ciphertext bank. These are initialized, without leakage, using a SimBankInit procedure that draws $key$ and the columns of $C$ uniformly at random from $\{0,1\}^\kappa$. Note that here, unlike in the real ciphertext bank, the plaintexts underlying $C$'s columns are uniformly random bits (rather than a single plaintext bit $b$). The operation of SimBankGen is similar to BankGen, except that it uses a biased linear combination of $C$'s columns to control the underlying plaintext it produces.

The main technical challenge and contribution here is showing that leakage from the real and simulated calls is statistically close. Note that, even for a single generation, this is non-obvious. As an (important) example, consider the rank of the matrix $C$: in the real view (say for $b = 0$), $C$'s columns are all orthogonal to $key$, and the rank is at most $\kappa - 1$. In the simulated view, however, the rank will be $\kappa$ (w.h.p.). If the matrix $C$ was loaded into memory in its entirety, then the real and simulated views would be distinguishable! Observe, however, that if only “sketches” (or “pieces”) of $C$ are loaded into memory at any one time, where each “sketch” (or “piece”) is a collection of $(c \cdot \kappa)$ linear combinations of $C$'s columns (for a small $0 < c < 1$), then it is no longer clear how a leakage adversary can compute $C$'s rank or distinguish a real and simulated generation (even if the adversary knows the coefficients of the linear combinations of $C$'s columns).
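As an added example (not the report's code), a toy ciphertext bank over GF(2) implementing BankInit, BankGen, BankUpdate and BankRedraw as described in Section 2.3.1, together with the rank observation above: a real bank's columns for $b = 0$ all lie in the hyperplane orthogonal to the key, while a simulated bank's columns are uniformly random. Assumptions: the plaintext is the inner product of key and ciphertext, BankUpdate here only re-randomizes $C$ (the LROTP key-refresh half belongs to Section 4, which is not reproduced here), and SimBankGen picks a random coefficient vector biased to hit the target plaintext.

```python
import secrets

KAPPA = 16  # toy ciphertext length (constructed)
_rng = secrets.SystemRandom()


def inner(x, y):
    """Inner product over GF(2): the LROTP plaintext of ciphertext y under key x."""
    return sum(a & b for a, b in zip(x, y)) & 1


def rand_vec(n):
    return [_rng.randrange(2) for _ in range(n)]


def nonzero_key():
    """Uniform key in {0,1}^KAPPA, rejecting the all-zero key (it would encrypt only 0)."""
    key = rand_vec(KAPPA)
    while not any(key):
        key = rand_vec(KAPPA)
    return key


def combine(columns, coeffs):
    """Linear combination sum_j coeffs[j] * columns[j] over GF(2)."""
    out = [0] * KAPPA
    for r, col in zip(coeffs, columns):
        if r:
            out = [a ^ b for a, b in zip(out, col)]
    return out


def odd_parity_vec(n):
    """Uniform coefficient vector in {0,1}^n with parity 1."""
    r = rand_vec(n)
    if sum(r) % 2 == 0:
        r[_rng.randrange(n)] ^= 1
    return r


def gf2_rank(columns):
    """Rank over GF(2) of a list of bit-vector columns (elimination on integers)."""
    rows = [int("".join(map(str, col)), 2) for col in columns]
    rank = 0
    for bit in reversed(range(KAPPA)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


class CiphertextBank:
    """Real bank: key plus 2*KAPPA columns that all encrypt the same bit b."""

    def __init__(self, b):                      # BankInit(b), performed without leakage
        self.key = nonzero_key()
        self.b = b
        self.C = []
        while len(self.C) < 2 * KAPPA:          # uniform columns with plaintext b
            col = rand_vec(KAPPA)
            if inner(self.key, col) == b:
                self.C.append(col)

    def gen(self):                              # BankGen
        # parity-1 combination: plaintext is (odd number of columns) * b = b
        return self.key, combine(self.C, odd_parity_vec(2 * KAPPA))

    def update(self):                           # BankUpdate (the C half only, see lead-in)
        M = [odd_parity_vec(2 * KAPPA) for _ in range(2 * KAPPA)]
        self.C = [combine(self.C, col) for col in M]

    def redraw(self):                           # BankRedraw
        v = rand_vec(KAPPA)
        self.C = [[a ^ b for a, b in zip(col, v)] for col in self.C]
        flipped = inner(self.key, v)            # the bank's bit flips iff <key, v> = 1
        self.b ^= flipped
        return flipped


class SimulatedBank:
    """Simulated bank: columns are uniformly random, so their plaintexts are random bits."""

    def __init__(self):                         # SimBankInit, performed without leakage
        self.key = nonzero_key()
        self.C = [rand_vec(KAPPA) for _ in range(2 * KAPPA)]

    def sim_gen(self, target):                  # SimBankGen with a chosen plaintext
        plaintexts = [inner(self.key, col) for col in self.C]
        while True:                             # biased combination that hits the target
            r = rand_vec(2 * KAPPA)
            if sum(p & c for p, c in zip(plaintexts, r)) & 1 == target:
                return self.key, combine(self.C, r)


def rank_gap():
    """(rank of a real b=0 bank, rank of a simulated bank): at most KAPPA-1 vs KAPPA w.h.p."""
    return gf2_rank(CiphertextBank(0).C), gf2_rank(SimulatedBank().C)
```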

We show that: (i) sketches of random matrices are leakage resilient, and in particular leakage from sketches of $C$ is statistically close in the real and simulated distributions, and (ii) how to implement BankGen and SimBankGen using sub-computations, where each sub-computation only loads a single “sketch” of $C$ into memory. This implies security for a single generation (or a bounded number). We then extend our leakage-resilience results to show security for an unbounded (polynomial) number of generations. We view these proofs as our most important technical contribution.

2.4  Organization  and  Roadmap 

Definitions,  notation  and  preliminaries  are  in  Section  3.  This  includes  the  definitions  of  secure 
compilers  against  leakage  and  of  independence  up  to  orthogonality,  a  central  notion  in  many  of  our 
technical  proofs.  That  section  also  includes  lemmas  about  entropy,  multi-source  extractors,  and 
leakage-resilience  that  will  be  used  in  the  subsequent  sections. 

We  then  proceed  with  a  full  description  of  our  construction.  In  Section  4  we  specify  the  leakage- 
resilient  one  time  pad  scheme  and  its  properties.  We  present  the  ciphertext  bank  procedures,  used 
for  secure  generation  of  secure  ciphertexts  under  leakage,  in  Section  5.  The  SafeNAND  procedure 
for  securely  computing  NAND  gates  on  encrypted  inputs  is  in  Section  6.  These  ingredients  are  put 
together  in  Section  7,  where  we  present  the  main  construction  and  a  proof  (sketch)  of  its  security. 

3  Definitions  and  Preliminaries 

In this section we define leakage and multi-source leakage attacks (Section 3.1) and give a brief exposition about entropy, multi-source extractors, and facts about them that will be used throughout this work (Section 3.2). We then define and discuss the notion of independence up to orthogonality (Section 3.3).

Preliminaries. For a string $x \in \Sigma^*$ (where $\Sigma$ is some finite alphabet) we denote by $|x|$ the length of the string, and by $x_i$ or $x[i]$ the $i$'th symbol in the string. For a finite set $S$ we denote by $y \leftarrow S$ that $y$ is drawn uniformly at random from $S$. We use $\Delta(D, F)$ to denote the statistical ($L_1$) distance between distributions $D$ and $F$. For a distribution $D$ over a finite set, we use $x \sim D$ to denote the experiment of sampling $x$ by $D$, and we use $D[x]$ to denote the probability of item $x$ under distribution $D$. For random variables $X$ and $Y$, we use $(X|Y = y)$ or $(X|y)$ to denote the distribution of $X$ conditioned on $Y$ taking value $y$.

3.1  Leakage  Model 

We  follow  the  model  and  notation  used  in  [GR10]. 

Leakage Attack. A leakage attack is launched on an algorithm or on a data string. In the case of a data string $x$, an adversary can request to see any function $\ell(x)$ whose output length is bounded by $\lambda$ bits. In the case of an algorithm, the algorithm is divided into ordered sub-computations. The adversary can request to see a bounded-length ($\lambda$-bit) function of each sub-computation's input and randomness. The leakage functions are computed separately on each sub-computation, in the order in which the sub-computations occur, and can be chosen adaptively by the adversary.

Remark 3.1. Throughout this work we focus on computationally unbounded adversaries. In particular, we do not restrict the computational complexity of the leakage functions. Moreover, without loss of generality, we consider only deterministic adversaries and leakage functions.

Definition 3.2 (Leakage Attack $A^\lambda(x)[s]$). Let $s$ be a source: either a data string or a computation. We model a $\lambda$-bit leakage attack of adversary $A$ with input $x$ on the source $s$ as follows.

If $s$ is a computation (viewed as a boolean circuit with a fixed input), it is divided into $m$ disjoint and ordered sub-computations $sub_1, \ldots, sub_m$, where the input to sub-computation $sub_i$ should depend only on the output of earlier sub-computations. A $\lambda$-bit Leakage Attack on $s$ is one in which $A$ can adaptively choose functions $\ell_1, \ldots, \ell_m$, where $\ell_i$ takes as input the input to sub-computation $i$ and any randomness used in that sub-computation. Each $\ell_i$ has output length at most $\lambda$ bits. For each $i$ (in order), the adversary receives the output of $\ell_i$ on sub-computation $sub_i$'s input and randomness, and then chooses $\ell_{i+1}$. The view of the adversary in the attack consists of the outputs of all the leakage functions.

In the case that $s$ is a data string, we treat it as a single sub-computation.

Multi-Source Leakage Attacks. A multi-source leakage attack is one in which the adversary gets to launch concurrent leakage attacks on several sources. Each source is an algorithm or a data string. We consider both ordered sources, where an order is imposed on the adversary's access to the sources, and concurrent sources, where the leakages from each source can be interleaved arbitrarily. In both cases, each leakage is computed as a function of a single source only.

Ordered  Multi-Source  Leakage.  An  ordered  multi-source  leakage  attack  is  one  in  which  the 
adversary  gets  to  launch  a  leakage  attack  on  multiple  sources,  where  again  each  source  is  an 
algorithm  or  a  data  string.  The  attacks  must  occur  in  a  specified  order. 

Definition 3.3 (Ordered Multi-Source Leakage Attack $A(x)\{s_1^{\lambda_1}, \ldots, s_k^{\lambda_k}\}$). Let $s_1, \ldots, s_k$ be leakage sources (algorithms or data strings, as in Definition 3.2). We model an ordered multi-source leakage attack on $\{s_1, \ldots, s_k\}$ as follows. The adversary $A$ with input $x$ runs $k$ separate leakage attacks, one attack on each source. When attacking source $s_i$, the adversary can request $\lambda_i$ bits of leakage. The attacks on sources $s_1, \ldots, s_k$ are run sequentially and in order, i.e. once the adversary requests leakage from $s_j$, it cannot get any more leakage from $s_i$ for $i < j$.

For convenience, we drop the superscript when the source is exposed in its entirety (i.e. $\lambda_i = |s_i|$). So $A(x)\{s_1^{\lambda_1}, s_2\}$ is an attack where the adversary can request $\lambda_1$ bits of leakage on $s_1$, and then sees $s_2$ in its entirety. Finally, when the leakage bound on all $k$ sources is identical we use a “global” leakage bound $\lambda$ and denote this by $A^\lambda(x)\{s_1, \ldots, s_k\}$.

Concurrent  Multi-Source  Leakage.  A  concurrent  leakage  attack  on  multiple  sources  is  one  in 
which  the  adversary  can  interleave  the  leakages  from  each  of  the  sources  arbitrarily.  Each  leakage  is 
still  a  function  of  a  single  source  though.  We  allow  additional  flexibility  by  considering  concurrent 
sources  and  ordered  sources  as  above.  Leakage  from  the  ordered  sources  must  obey  the  ordering, 
and  the  leakage  from  the  concurrent  sources  can  be  arbitrarily  interleaved  with  the  leakage  from 
the  ordered  sources. 
Definition 3.4 (Multi-Source Leakage Attack $A(x)[s_1^{\lambda_1}, \ldots, s_k^{\lambda_k}]\{r_1^{\lambda'_1}, \ldots, r_m^{\lambda'_m}\}$). Let $s_1, \ldots, s_k$ and $r_1, \ldots, r_m$ be $k + m$ leakage sources (algorithms or data strings, as in Definition 3.2). We model a concurrent multi-source leakage attack on $[s_1, \ldots, s_k]\{r_1, \ldots, r_m\}$ as follows. The adversary runs $k + m$ leakage attacks, one on each source. The attack on each source, $s_i$ or $r_j$, is a $\lambda_i$- or $\lambda'_j$-bit leakage attack as in Definition 3.2. We emphasize that each $\lambda$-bit attack on a single source consists of $\lambda$ adaptive choices of 1-bit leakage functions. Between different sources, the leakages can be interleaved arbitrarily and adaptively, except that for each $j$ and $j'$ such that $j < j'$, no leakage from $r_j$ can occur after any leakage from $r_{j'}$. There are no restrictions on the interleaving of leakages from the $s_i$ sources.

It is important that each leakage function is computed as a function of a single sub-computation in a single source (i.e. the leakages are never a function of the internal state of multiple sources). It is also important that the attacks launched by the adversary are concurrent and adaptive, and their interleaving is controlled by the adversary. For example, $A$ can request a leakage function from a sub-computation of source $s_i$ before deciding which source to attack next; then, after attacking several other sources, it can go back to source $i$ and request a new adaptively chosen leakage attack on its next sub-computation.

As in Definition 3.3, we drop the superscript if a source $s$ is exposed in its entirety.5 When the leakage from all sources is of the same length $\lambda$, we append the superscript to the adversary and drop it from the sources. If there are no ordered sources then we drop the curly braces.

3.2  Extractors,  Entropy,  and  Leakage-Resilient  Subspaces 

In  this  section  we  define  notions  of  min-entropy  and  two-source  extractors  that  will  be  used  in 
this  work.  We  will  then  present  the  inner-product  two-source  extractor.  Finally,  we  will  state  two 
lemmas  that  will  be  used  in  our  proof  of  security:  a  lemma  of  [DRS04]  about  the  connection  between 
leakage  and  min-entropy,  and  a  lemma  of  Brakerski  et  al.  regarding  leakage-resilient  subspaces. 

Definition 3.5 (Min-Entropy). For a distribution $D$ over a domain $X$, its min-entropy is:

$$H_\infty(D) = \min_{x \in X} \Big( -\log \Pr_{y \sim D}[y = x] \Big)$$

Definition 3.6 ($(n, m, k, \varepsilon)$-two source strong extractor). A function $Ext : \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^m$ is an $(n, m, k, \varepsilon)$-2-source extractor if for every two distributions $X$ and $Y$ over $\{0,1\}^n$ such that $H_\infty(X), H_\infty(Y) \geq k$ it is the case that:

$$\Pr_{y \sim Y}\big[\Delta(Ext(X, y), U_m) > \varepsilon\big] \leq \varepsilon$$

$$\Pr_{x \sim X}\big[\Delta(Ext(x, Y), U_m) > \varepsilon\big] \leq \varepsilon$$

Chor  and  Goldreich  [CG88]  showed  that  the  inner-product  function  over  any  field  is  a  two- 
source  extractor.  See  also  the  excellent  exposition  of  Rao  [Rao07].  The  claims  made  in  those  works 
imply  the  lemma  below  (they  make  more  general  statements). 

5 We use this only for the ordered sources; concurrent sources exposed in their entirety are w.l.o.g. given to the adversary as part of its input.

Lemma 3.7 (Inner-Product Extractor [CG88]). For $\kappa \in \mathbb{N}$ and $x, y \in GF[2]^\kappa$ define

$$Ext(x, y) = \langle x, y \rangle$$

For any $\kappa \in \mathbb{N}$, the function $Ext(x, y)$ is a $(\kappa, 1, 0.51\kappa, 2^{-\Omega(\kappa)})$-two source strong extractor.

Finally, we will use the fact that bounded-length multi-source (or rather two-source) leakage attacks on high-entropy sources $X$ and $Y$ leave an adversary with a view that is statistically close to one in which each of the sources comes from a high-entropy distribution. This follows from a result of Dodis et al. [DRS04].

Lemma 3.8 (Residual Entropy after Leakage [DRS04]). Let $X$ and $Y$ be two sources with min-entropy at least $k$. Then for any leakage adversary $A$, taking $w = A^\lambda[X, Y]$, consider the conditional distributions $X' = (X|w)$ and $Y' = (Y|w)$, which are just $X$ and $Y$ conditioned on leakage $w$. For any $\delta > 0$, with probability at least $1 - \delta$ over the choice of $w$, $H_\infty(X'), H_\infty(Y') \geq k - \lambda - \log(1/\delta)$.

3.3  Independence  up  to  Orthogonality 

Definition 3.9 (Independent up to Orthogonality (IuO) Distribution on Vectors). Let $\mathcal{D}$ be a distribution over pairs $(x, y) \in \{0,1\}^\kappa \times \{0,1\}^\kappa$. We say that $\mathcal{D}$ is IuO w.r.t. $v \in \{0,1\}^\kappa$ and $b \in \{0,1\}$, if there exist distributions $\mathcal{X}$ and $\mathcal{Y}$, both over $\{0,1\}^\kappa$, s.t. $\mathcal{D}$ is obtained by sampling $x \sim \mathcal{X}$ and then sampling $y \sim \mathcal{Y}$, conditioned on $\langle x + v, y \rangle = b$. We call $\mathcal{X}$ and $\mathcal{Y}$ the underlying distributions of $\mathcal{D}$, and denote this by $\mathcal{D} = \mathcal{X} \perp_b^v \mathcal{Y}$.

When $v = 0$ we will sometimes simply say that $\mathcal{D}$ is IuO with orthogonality $b$, and denote this by $\mathcal{D} = \mathcal{X} \perp_b \mathcal{Y}$.

We also consider the independently drawn variant of $\mathcal{D}$ which is obtained by independently sampling $x \sim \mathcal{X}$ and $y \sim \mathcal{Y}$. We denote the independently drawn variant by $\mathcal{D}^\times$ or $\mathcal{X} \times \mathcal{Y}$.

Definition 3.10 (Independent up to Orthogonality (IuO) Distribution on Matrices). Generalizing Definition 3.9, for an integer $m \geq 1$, let $\mathcal{D}$ be a distribution over pairs $(X, Y) \in \{0,1\}^{m \times \kappa} \times \{0,1\}^{m \times \kappa}$. We say that $\mathcal{D}$ is IuO w.r.t. $V \in \{0,1\}^{m \times \kappa}$ and $b \in \{0,1\}^m$ if there exist distributions $\mathcal{X}$ and $\mathcal{Y}$, both over $\{0,1\}^{m \times \kappa}$, s.t. $\mathcal{D}$ is obtained by sampling $X \sim \mathcal{X}$ and then (independently) sampling $Y \sim \mathcal{Y}$ conditioned on $\forall i \in [m],\ \langle X[i] + V[i], Y[i] \rangle = b[i]$. As in Definition 3.9, we call $\mathcal{X}$ and $\mathcal{Y}$ the underlying distributions of $\mathcal{D}$, and denote this by $\mathcal{D} = \mathcal{X} \perp_b^V \mathcal{Y}$.

When $V$ is the all-zeros matrix, we will sometimes simply say that $\mathcal{D}$ is IuO with orthogonality $b$, and denote this by $\mathcal{D} = \mathcal{X} \perp_b \mathcal{Y}$.

We also consider the independently drawn variant of $\mathcal{D}$ which is obtained by independently sampling $X \sim \mathcal{X}$ and $Y \sim \mathcal{Y}$. We denote the independently drawn variant by $\mathcal{D}^\times$ or $\mathcal{X} \times \mathcal{Y}$.

Finally, for a distribution $\mathcal{D}$ over pairs $(x, Y) \in \{0,1\}^\kappa \times \{0,1\}^{m \cdot \kappa}$, we say that $\mathcal{D}$ is IuO (with parameters as above) if $\mathcal{D}'$, in which we replace $x$ with a matrix $X$ whose columns are $m$ (identical) copies of $x$, is IuO (as above). We emphasize that the copies of $x$ are all identical and completely dependent.

One  important  property  of  IuO  distributions,  which  we  will  use  repeatedly,  is  that  they  are 
indistinguishable  from  their  independently  drawn  variant  under  multi-source  leakage  (as  long  as 
they  have  sufficient  entropy). 
Lemma 3.11. Let $\mathcal{D}$ be an IuO distribution over pairs $(X, Y) \in S_X \times S_Y$, with underlying distributions $\mathcal{X}$ and $\mathcal{Y}$. Suppose that $S_X = \{0,1\}^{m_X \cdot \kappa}$ and $S_Y = \{0,1\}^{m_Y \cdot \kappa}$ for $m_X$ and $m_Y$ s.t. $1 \leq m_X \leq m_Y \leq 10$. Suppose also that $H_\infty(\mathcal{D}) \geq (m_X + m_Y - 0.3) \cdot \kappa$. Then for any (computationally unbounded) multi-source leakage adversary $A$, and leakage bound $\lambda \leq 0.1\kappa$, taking the following two distributions:

$$Real = \big(A^\lambda[X, Y]\big)_{(X, Y) \sim \mathcal{D}}$$

$$Simulated = \big(A^\lambda[X, Y]\big)_{(X, Y) \sim \mathcal{D}^\times}$$

it is the case that $\Delta(Real, Simulated) = \exp(-\Omega(\kappa))$.

Moreover, for any $w$ in the support of $Real$: (i) we can derive from $\mathcal{X}$ a conditional underlying distribution $\mathcal{X}(w)$, and from $\mathcal{Y}$ a conditional underlying distribution $\mathcal{Y}(w)$. In particular, note that $\mathcal{D}$ is not needed for computing these conditional underlying distributions. Taking $\mathcal{D}(w) = (\mathcal{D}|w)$ to be the conditional distribution of $\mathcal{D}$, given leakage $w$, then $\mathcal{D}(w)$ is IuO, with underlying distributions $\mathcal{X}(w)$ and $\mathcal{Y}(w)$.

Before proving the lemma, we consider a simple application to multi-source leakage from two strings. In $\mathit{Real}$ the strings are uniformly random with inner product 0, and in $\mathit{Simulated}$ they are independently uniformly random. By Lemma 3.11, the leakage in both cases is statistically close. The distribution of the strings in $\mathit{Real}$, given the leakage, is IuO, and each of its underlying distributions can be computed (separately) given the leakage (and the fact that the original underlying distributions were uniformly random).

Proof of Lemma 3.11. Take $w = \mathcal{A}^{\lambda}[X, Y]$. Since the leakage operates separately on $X$ and on $Y$, there exist two sets $S_X(w) \subseteq S_X$ and $S_Y(w) \subseteq S_Y$ s.t.:

$$w = \mathcal{A}^{\lambda}[X, Y] \iff (X, Y) \in S_X(w) \times S_Y(w)$$

We take $\mathcal{X}(w)$ to be $\mathcal{X}$ conditioned on $X \in S_X(w)$, and $\mathcal{Y}(w)$ to be $\mathcal{Y}$ conditioned on $Y \in S_Y(w)$. Let $\mathcal{D}(w) = (\mathcal{D} \mid w)$ be the distribution $\mathcal{D}$ conditioned on leakage $w$. By the above, $\mathcal{D}(w)$ is $\mathcal{D}$ conditioned on $(X, Y) \in S_X(w) \times S_Y(w)$. Thus, $\mathcal{D}(w)$ is also IuO, with underlying distributions $\mathcal{X}(w)$ and $\mathcal{Y}(w)$ and the same orthogonality as $\mathcal{D}$.

Finally, to show that $\mathit{Real}$ and $\mathit{Simulated}$ are statistically close, let $\beta(w)$ denote the distance of the inner product $\langle X + V, Y\rangle_{X \sim \mathcal{X}(w),\, Y \sim \mathcal{Y}(w)}$ from uniform.

Claim 3.12. For any $w \in \mathrm{Support}(\mathit{Real})$:

$$1 - O(\beta(w)) \le \frac{\mathit{Simulated}[w]}{\mathit{Real}[w]} \le 1 + O(\beta(w))$$

Proof. Observe that:

$$\frac{\mathit{Simulated}[w]}{\mathit{Real}[w]} = \frac{\Pr_{(X, Y) \sim \mathcal{D}^{\times}}[(X, Y) \in S_X(w) \times S_Y(w)]}{\Pr_{(X, Y) \sim \mathcal{D}}[(X, Y) \in S_X(w) \times S_Y(w)]} = \frac{\Pr_{X \sim \mathcal{X},\, Y \sim \mathcal{Y}}[(X, Y) \in S_X(w) \times S_Y(w)]}{\Pr_{X \sim \mathcal{X},\, Y \sim \mathcal{Y}'(X)}[(X, Y) \in S_X(w) \times S_Y(w)]}$$

where $\mathcal{Y}'(X)$ is $\mathcal{Y}$ conditioned on $\langle X + V, Y\rangle = b$. The claim follows because:

$$1 - O(\beta(w) \cdot 2^{m_Y}) \le \frac{\Pr_{X \sim \mathcal{X},\, Y \sim \mathcal{Y}}[\langle X + V, Y\rangle = b]}{\Pr_{X \sim \mathcal{X},\, Y \sim \mathcal{Y}}[\langle X + V, Y\rangle = b \mid (X, Y) \in S_X(w) \times S_Y(w)]} \le 1 + O(\beta(w) \cdot 2^{m_Y})$$

Claim 3.13. With all but $\exp(-\Omega(\kappa))$ probability over $w \sim \mathit{Real}$, $\beta(w) = \exp(-\Omega(\kappa))$.

Proof. By Lemma 3.8, with all but $\delta$ probability over $w \sim \mathit{Real}$, we have that $H_\infty(\mathcal{X}(w)) + H_\infty(\mathcal{Y}(w)) \ge (m_X + m_Y - 0.45) \cdot \kappa$. When this is the case, by Lemma 3.7 we have $\beta(w) = \exp(-\Omega(\kappa))$. ∎

By Claims 3.12 and 3.13 we conclude that $\Delta(\mathit{Real}, \mathit{Simulated}) = \exp(-\Omega(\kappa))$. ∎

3.4  Secure  Compiler:  Definitions 

We now present formal definitions for a secure compiler against continuous and computationally unbounded leakage. We view the input to the compiler as a circuit $C$ that is known to all parties and takes inputs $x$ and $y$. The input $y$ is fixed, whereas the input $x$ is chosen by the user. The user can adaptively choose inputs $x_1, x_2, \ldots$ and the functionality requirement is that on each input $x_i$ the user receives $C(y, x_i)$. The secrecy requirement is that even for a computationally unbounded adversary who chooses the inputs (say polynomially many inputs in the security parameter), and even giving the adversary access (repeatedly) to a leakage attack on the secure transformed computation, the adversary learns nothing more than the circuit's outputs. In particular, the adversary should not learn $y$ (unless, of course, $y$ can be computed from the outputs of the circuit on the inputs the adversary chose).

We divide a compiler into two parts. The first part, the initialization, occurs only once at the beginning of time. This procedure depends only on the circuit $C$ being compiled and the private input $y$. We assume that during this phase there is no leakage. The second part is the evaluation. This occurs whenever the user wants to evaluate the circuit $C(y, \cdot)$ on an input $x$. In this part the user specifies an input $x$, and the corresponding output $C(y, x)$ is computed under leakage.

Definition 3.14 ($(\lambda(\cdot), \delta(\kappa))$ Continuous Leakage Secure Compiler). We say that a compiler $(\mathit{Init}, \mathit{Eval})$ for a circuit family $\{C_n(y, x)\}_{n \in \mathbb{N}}$, where $C_n$ operates on two $n$-bit inputs, is $(\lambda(\cdot), \delta(\kappa))$-secure under continuous leakage, if for every integer $n, \kappa \in \mathbb{N}$, and every $y \in \{0,1\}^n$, the following hold:

• Initialization: $\mathit{Init}(1^{\kappa}, C_n, y)$ runs in time $\mathrm{poly}(\kappa, n)$ and outputs an initial state $\mathit{state}_0$.

• Evaluation: for every integer $t \le \mathrm{poly}(\kappa)$, the evaluation procedure is run on the previous state $\mathit{state}_{t-1}$ and an input $x_t \in \{0,1\}^n$. We require that for every $x_t \in \{0,1\}^n$, when we run:

$$(\mathit{out}_t, \mathit{state}_t) \leftarrow \mathit{Eval}(\mathit{state}_{t-1}, x_t)$$

with all but negligible probability over the coins of $\mathit{Init}$ and the $t$ invocations of $\mathit{Eval}$, $\mathit{out}_t = C_n(y, x_t)$.
• $(\lambda(\kappa), \delta(\kappa))$-Continuous Leakage Security: There exists a simulator $\mathit{Sim}$, s.t. for every (computationally unbounded) leakage adversary $\mathcal{A}$, the view $\mathit{Real}_{\mathcal{A}}$ of $\mathcal{A}$ when adaptively choosing $T = \mathrm{poly}(\kappa)$ inputs $(x_1, x_2, \ldots, x_T)$ while running a continuous leakage attack on the sequence $(\mathit{Eval}(\mathit{state}_0, x_1), \ldots, \mathit{Eval}(\mathit{state}_{T-1}, x_T))$, with adaptively and adversarially chosen $x_t$'s, is $\delta(\kappa)$-statistically close to the view $\mathit{Simulated}_{\mathcal{A}}$ generated by $\mathit{Sim}$, which only gets the description of the adversary and the input-output pairs $((x_1, C(y, x_1)), \ldots, (x_T, C(y, x_T)))$.

Formally, the adversary repeatedly and adaptively, in iterations $t \leftarrow 1, \ldots, T$, chooses an input $x_t$ and launches a $\lambda(\kappa)$-bit leakage attack on $\mathit{Eval}(\mathit{state}_{t-1}, x_t)$ (see Definition 3.2). $\mathit{Real}_{\mathcal{A}, t}$ is the view of the adversary in iteration $t$, including the input $x_t$, the output $o_t$, and the (aggregated) leakage $w_t$ from the $t$-th iteration. The complete view of the adversary is

$$\mathit{Real}_{\mathcal{A}} = (\mathit{Real}_{\mathcal{A}, 1}, \ldots, \mathit{Real}_{\mathcal{A}, T})$$

a random variable over the coins of the adversary, of $\mathit{Init}$ and of $\mathit{Eval}$ (in all of its iterations).

The simulator's view is generated by running the adversary with simulated leakage attacks. The simulator includes $\mathit{SimInit}$ and $\mathit{SimEval}$ procedures. The initial state is generated using $\mathit{SimInit}$. Then, in each iteration $t$ the simulator gets the input $x_t$ chosen by the adversary and the circuit output $C(y, x_t)$. It generates simulated leakage $w_t$. It is important that the simulator sees nothing of the internal workings of the evaluation procedure. We compute:

$$\mathit{state}_0 \leftarrow \mathit{SimInit}(1^{\kappa}, C_n)$$

$$x_t \leftarrow \mathcal{A}(\mathit{Simulated}_{\mathcal{A}, 1}, \ldots, \mathit{Simulated}_{\mathcal{A}, t-1})$$

$$(\mathit{state}_t, \mathit{Simulated}_{\mathcal{A}, t}) \leftarrow \mathit{SimEval}(\mathit{state}_{t-1}, x_t, C(y, x_t), \mathcal{A}, \mathit{Simulated}_{\mathcal{A}, 1}, \ldots, \mathit{Simulated}_{\mathcal{A}, t-1})$$

where $\mathit{Simulated}_{\mathcal{A}, t}$ is a random variable over the coins of the adversary when choosing the next input and of the simulator. The complete view of the simulator is

$$\mathit{Simulated}_{\mathcal{A}} = (\mathit{Simulated}_{\mathcal{A}, 1}, \ldots, \mathit{Simulated}_{\mathcal{A}, T})$$

We require that the two views $\mathit{Real}_{\mathcal{A}}$ and $\mathit{Simulated}_{\mathcal{A}}$ are $\exp(-\Omega(\kappa))$-statistically close.

We note that modeling the leakage attacks requires dividing the $\mathit{Eval}$ procedure into sub-computations. In our constructions, the size of these sub-computations will always be $O(\kappa^{\omega})$, where $\omega$ is the exponent in the running time of an algorithm for matrix multiplication.

4  Leakage-Resilient  One-Time  Pad  (LROTP) 

In  this  section  we  present  the  leakage  resilient  one-time  pad  cryptoscheme,  a  main  component  of 
our  construction.  See  the  overview  in  Section  2.1.  Here  we  specify  the  scheme  and  its  properties 
that  will  be  used  in  the  main  construction. 
Leakage-Resilient One-Time Pad (LROTP) Cryptosystem $(\mathit{KeyGen}, \mathit{Encrypt}, \mathit{Decrypt})$

• $\mathit{KeyGen}(1^{\kappa})$: output a uniformly random $\mathit{key} \in \{0,1\}^{\kappa}$ s.t. $\mathit{key}[0] = 1$

• $\mathit{CipherGen}(1^{\kappa})$: output a uniformly random $c \in \{0,1\}^{\kappa}$ s.t. $c[1] = 1$

• $\mathit{Encrypt}(\mathit{key}, b \in \{0,1\})$: output a uniformly random $c \in \{0,1\}^{\kappa}$ s.t. $c[1] = 1$ and $\langle \mathit{key}, c\rangle = b$

• $\mathit{Decrypt}(\mathit{key}, c)$: output $\langle \mathit{key}, c\rangle$

Figure 1: Leakage-Resilient One-Time Pad (LROTP) Cryptosystem

4.1  Semantic  Security  under  Multi-Source  Leakage 

Definition 4.1 (Semantic Security Under $\lambda(\cdot)$-Multi-Source Leakage). An encryption scheme $(\mathit{KeyGen}, \mathit{Encrypt}, \mathit{Decrypt})$ is semantically secure under computationally unbounded multi-source leakage attacks if for every (unbounded) adversary $\mathcal{A}$, when we run the game below, the adversary's advantage in winning (over $1/2$) is $\exp(-\Omega(\kappa))$:

1. The game chooses a key $\mathit{key} \leftarrow \mathit{KeyGen}(1^{\kappa})$, chooses uniformly at random a bit $b \in_R \{0,1\}$, and generates a ciphertext $c \leftarrow \mathit{Encrypt}(\mathit{key}, b)$.

2. The adversary launches a leakage attack on $\mathit{key}$ and $c$, and outputs a "guess" $b'$:

$$b' \leftarrow \mathcal{A}^{\lambda(\kappa)}(1^{\kappa})[\mathit{key}, c]$$

The adversary wins if $b' = b$.

Lemma 4.2. The LROTP cryptosystem, as defined in Figure 1, is semantically secure in the presence of multi-source leakage with leakage bound $\lambda(\kappa) = \kappa/3$.

Proof. The proof follows directly from Lemma 3.11. ∎

4.2  Key  and  Ciphertext  Refreshing 

As discussed in the introduction, the LROTP scheme supports procedures for injecting new entropy into a key or a ciphertext. This is done using entropy generators $\mathit{KeyEntGen}$ and $\mathit{CipherEntGen}$. The values these procedures produce can be used to refresh a key or ciphertext using $\mathit{KeyRefresh}$ or $\mathit{CipherRefresh}$ (respectively). Key entropy $\sigma$ can also be used, without knowledge of $\mathit{key}$, to correlate a ciphertext $c$ so that the plaintext underlying the correlated ciphertext $c'$ under $\mathit{key}' \leftarrow \mathit{KeyRefresh}(\mathit{key}, \sigma)$ is equal to the plaintext underlying $c$ under $\mathit{key}$. This is done using the $\mathit{CipherCorrelate}$ procedure. A similar $\mathit{KeyCorrelate}$ procedure correlates keys using ciphertext entropy. These procedures are all in Figure 2 below.

We proceed with a discussion of the security properties of the refreshing procedures, and their limitations. For a key-ciphertext pair $(\mathit{key}, c)$, a refresh operation on the pair injects new entropy into the key and the ciphertext, while maintaining the underlying plaintext, as follows:

1. $\sigma \leftarrow \mathit{KeyEntGen}(1^{\kappa})$

2. $\mathit{key}' \leftarrow \mathit{KeyRefresh}(\mathit{key}, \sigma)$

3. $c' \leftarrow \mathit{CipherCorrelate}(c, \sigma)$

4. $\pi \leftarrow \mathit{CipherEntGen}(1^{\kappa})$

5. $c'' \leftarrow \mathit{CipherRefresh}(c', \pi)$

6. $\mathit{key}'' \leftarrow \mathit{KeyCorrelate}(\mathit{key}', \pi)$

The output of the refresh operation is $(\mathit{key}'', c'')$. We treat each step of the key-refresh as a sub-computation, and so the leakage operates separately on the keys and on the ciphertexts.

LROTP key and ciphertext refresh

• $\mathit{KeyEntGen}(1^{\kappa})$: output a uniformly random $\sigma \in \{0,1\}^{\kappa}$ s.t. $\sigma[0] = 0$

• $\mathit{KeyRefresh}(\mathit{key}, \sigma)$: output $\mathit{key} \oplus \sigma$

• $\mathit{CipherCorrelate}(c, \sigma)$: modify $c[0] \leftarrow c[0] \oplus \langle c, \sigma\rangle$, and then output $c$

• $\mathit{CipherEntGen}(1^{\kappa})$: output a uniformly random $\pi \in \{0,1\}^{\kappa}$ s.t. $\pi[1] = 0$

• $\mathit{CipherRefresh}(c, \pi)$: output $c \oplus \pi$

• $\mathit{KeyCorrelate}(\mathit{key}, \pi)$: modify $\mathit{key}[1] \leftarrow \mathit{key}[1] \oplus \langle \mathit{key}, \pi\rangle$, and then output $\mathit{key}$

Figure 2: LROTP key and ciphertext refresh

Security Properties. The security properties of the refreshing procedures are, first, that a key-ciphertext pair can be refreshed without ever loading the key and the ciphertext into memory at the same time, i.e. while operating separately on the key and on the ciphertext. We will use this to argue that an OC leakage adversary learns nothing about the plaintext bit underlying a pair that is being refreshed (as long as the total amount of leakage is bounded). The second property we use is that, without any leakage, the refreshed pair is a uniformly random key-ciphertext pair with the same underlying plaintext bit.

We  use  these  properties  to  prove  security  of  the  Permute  procedure  which  is  used  in  SafeNAND 
(see  Sections  2.2.1  and  6.2).  Permute  proceeds  in  iterations.  In  each  iteration,  we  refresh  a  tuple 
of  key-ciphertext  pairs  and  then  permute  them  using  a  random  permutation.  The  property  of  the 
refresh  procedure  that  we  will  use  is  that  without  any  leakage ,  even  given  both  the  input  and  the 
output  of  a  single  iteration  of  Permute ,  nothing  is  leaked  about  the  permutation  chosen  (beyond 
what  can  be  gleaned  from  the  underlying  plaintexts).  This  will  then  be  used  to  argue  that,  even 
under  a  bounded  amount  of  leakage  from  each  iteration,  the  permutation  chosen  in  each  iteration 
of  Permute  has  (w.h.p.)  high  entropy.  This  is  later  used  to  prove  the  security  of  SafeNAND . 

Refresh  Forever?  It  is  natural  to  ask  whether  key-ciphertext  refreshing  maintains  security  of  the 
underlying  plaintext  under  OC  leakage  for  an  unbounded  polynomial  number  of  refreshings.  If  so, 
we  could  hope  to  do  away  with  the  (significantly  more  complicated)  ciphertext  banks,  replacing  the 
ciphertexts  generated  by  each  bank  with  a  sequence  of  ciphertexts  generated  using  repeated  refresh 
calls.  Unfortunately,  there  is  an  OC  attack  that  exposes  the  plaintext  underlying  a  key-ciphertext 
pair  that  is  refreshed  too  many  times.  The  attack  is  outlined  below. 
We consider a sequence of refresh operations, where the output of the $i$-th refresh is used as input for the $(i+1)$-th refresh. During the first refresh, an OC adversary leaks the inner product (i.e. the product) of the first bit of the output key and the first bit of the output ciphertext. This requires only one bit of leakage from each. In the second refresh, the adversary will learn the inner product of the first two bits of the output key and the output ciphertext. To do so, let $(\mathit{key}_1, c_1)$ be the inputs to the second refresh and $(\mathit{key}_2, c_2)$ its outputs. The adversary leaks the second bit of $\mathit{key}_2$ (from the key-side sub-computation that outputs it) and the second bit of $c_2$ during $\mathit{CipherRefresh}$. It also keeps track of the change in the inner product of the first bits of $\mathit{key}'_1 = \mathit{key}_1 \oplus \sigma$ and of $c'_1 = \mathit{CipherCorrelate}(c_1, \sigma)$ using a single bit of leakage: the change (w.r.t. the inner product of the first bits of $\mathit{key}_1$ and $c_1$) is just a function of $\sigma$ and $c_1$, which are loaded into memory together during $\mathit{CipherCorrelate}$. Similarly, the adversary can keep track of the subsequent change to the inner product of the first bits of $\mathit{key}_2 = \mathit{KeyCorrelate}(\mathit{key}'_1, \pi)$ and $c_2 = c'_1 \oplus \pi$, using a single bit of leakage from $\mathit{KeyCorrelate}$. Putting these pieces together, the adversary learns the inner product of the first two bits of $\mathit{key}_2$ and $c_2$. More generally, the key point is that if, going into the $i$-th refresh call, the adversary knows the inner product of the first $i$ bits of the input key and ciphertext, it can track the change in this inner product for the output key and ciphertext. Tracking the change requires only two bits of OC leakage. The adversary uses two additional bits of OC leakage to expand its knowledge to the inner product of the first $(i+1)$ bits.

Continuing the above attack for $\kappa$ refresh calls, the adversary learns the inner product of the key and ciphertext obtained, i.e. the underlying plaintext is exposed. Note that this used only $O(1)$ bits of leakage from each sub-computation. If $\ell$ bits of leakage from each sub-computation were allowed, then the underlying plaintext would be exposed after $O(\kappa/\ell)$ refresh calls. When using refresh, we will take care that the total leakage accumulated from a sequence of refresh calls to a key-ciphertext pair is well under $\kappa$ bits. Since refresh operates separately on keys and ciphertexts, the semantic security of LROTP in the presence of multi-source leakage will guarantee that the underlying plaintext is hidden.
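The six-step refresh of Figure 2 and the "refresh forever" attack just outlined, as an added example that is not the report's code. It implements LROTP (Figure 1) and the refresh steps over bit lists, and models OC leakage as a callback that sees only the values one sub-computation holds in memory; the callback name `leak`, the layout of the memory dictionary it receives, and the attacker class are assumptions of this example. The attacker takes at most two bits from any single sub-computation and recovers the plaintext after exactly $\kappa$ refreshes; the check function also confirms that refresh keeps the plaintext and the $\mathit{key}[0] = 1$, $c[1] = 1$ invariants that the correlation steps rely on.

```python
import secrets

def rand_bits(n): return [secrets.randbelow(2) for _ in range(n)]
def ip(u, v): return sum(a & b for a, b in zip(u, v)) & 1   # inner product over GF(2)
def xor(u, v): return [a ^ b for a, b in zip(u, v)]

# Figure 1 (LROTP). Positions 0 and 1 are the fixed bits of the figures.
def key_gen(kappa):
    key = rand_bits(kappa); key[0] = 1; return key
def encrypt(key, b):
    c = rand_bits(len(key)); c[1] = 1
    if ip(key, c) != b: c[0] ^= 1   # key[0] = 1: flips <key,c>; c stays uniform on the target set
    return c
def decrypt(key, c): return ip(key, c)

# Figure 2: entropy generation, refresh and correlation.
def key_ent_gen(kappa):
    s = rand_bits(kappa); s[0] = 0; return s
def key_refresh(key, sigma): return xor(key, sigma)
def cipher_correlate(c, sigma):
    c = list(c); c[0] ^= ip(c, sigma); return c
def cipher_ent_gen(kappa):
    p = rand_bits(kappa); p[1] = 0; return p
def cipher_refresh(c, pi): return xor(c, pi)
def key_correlate(key, pi):
    key = list(key); key[1] ^= ip(key, pi); return key

def refresh(key, c, leak=lambda step, mem: None):
    """Steps 1-6 of Section 4.2. `leak` (assumed OC leakage model) is called once per
    sub-computation with the values it holds in memory: key and ciphertext never meet."""
    kappa = len(key)
    sigma = key_ent_gen(kappa);      leak("KeyEntGen", {"sigma": sigma})
    key1 = key_refresh(key, sigma);  leak("KeyRefresh", {"key": key, "sigma": sigma, "out": key1})
    c1 = cipher_correlate(c, sigma); leak("CipherCorrelate", {"c": c, "sigma": sigma, "out": c1})
    pi = cipher_ent_gen(kappa);      leak("CipherEntGen", {"pi": pi})
    c2 = cipher_refresh(c1, pi);     leak("CipherRefresh", {"c": c1, "pi": pi, "out": c2})
    key2 = key_correlate(key1, pi);  leak("KeyCorrelate", {"key": key1, "pi": pi, "out": key2})
    return key2, c2

def refresh_preserves_plaintext(kappa=64, rounds=40):
    """The plaintext and the key[0] = 1 / c[1] = 1 invariants survive repeated refresh."""
    for b in (0, 1):
        key = key_gen(kappa); c = encrypt(key, b)
        for _ in range(rounds):
            key, c = refresh(key, c)
            if decrypt(key, c) != b or key[0] != 1 or c[1] != 1: return False
    return True

class RefreshForeverAttacker:
    """OC adversary of "Refresh Forever?": after i refreshes it knows p = <key[:i], c[:i]>
    of the current pair, taking at most 2 bits from any one sub-computation; after kappa
    refreshes p is the plaintext."""
    def __init__(self):
        self.i = 0; self.p = 0; self.max_bits = 0
        self._delta = self._kbit = self._cbit = 0

    def leak(self, step, mem):
        i, bits = self.i, 0
        if step == "CipherCorrelate":
            # change of <key[:i], c[:i]> caused by KeyRefresh + CipherCorrelate:
            # a function of c and sigma alone, both in memory here (1 bit)
            c, s, c1 = mem["c"], mem["sigma"], mem["out"]
            self._delta = (ip(c, s) ^ ip(s[:i], c1[:i])) if i >= 1 else 0
            bits = 1
        elif step == "CipherRefresh":
            self._cbit = mem["out"][i]           # c''[i] (1 bit)
            bits = 1
        elif step == "KeyCorrelate":
            # change caused by CipherRefresh + KeyCorrelate: a function of key' and pi
            k1, p, k2 = mem["key"], mem["pi"], mem["out"]
            self._delta ^= (ip(k1, p) if i >= 2 else 0) ^ ip(k2[:i], p[:i])
            self._kbit = k2[i]                   # key''[i]; 2 bits from this step
            bits = 2
        self.max_bits = max(self.max_bits, bits)

    def end_of_refresh(self):
        self.p ^= self._delta ^ (self._kbit & self._cbit)   # apply change, extend by one bit
        self.i += 1

def run_attack(kappa=32):
    """Refresh one pair kappa times under attack; returns (recovered == plaintext,
    max bits leaked from a single sub-computation)."""
    key = key_gen(kappa); b = secrets.randbelow(2); c = encrypt(key, b)
    adv = RefreshForeverAttacker()
    for _ in range(kappa):
        key, c = refresh(key, c, adv.leak)
        adv.end_of_refresh()
    return adv.p == b, adv.max_bits
```

The two tracked corrections are exactly the ones the text describes: the first is a function of $c$ and $\sigma$ (available during $\mathit{CipherCorrelate}$), the second of $\mathit{key}'$ and $\pi$ (available during $\mathit{KeyCorrelate}$), so the adversary never needs the key and the ciphertext in memory together. `run_attack` with the default $\kappa = 32$ succeeds every time, which is why the construction bounds the total leakage over any sequence of refreshes of one pair to well below $\kappa$ bits.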

4.3  “Safe”  Homomorphic  Computations 

The LROTP cryptosystem supports homomorphic computation on ciphertexts as follows:

Homomorphic Addition. For a key $\mathit{key}$ and two ciphertexts $c_1, c_2$, we can homomorphically add by computing $c_1 \oplus c_2$. By linearity, the plaintext underlying $c_1 \oplus c_2$ is the XOR of the plaintexts underlying $c_1$ and $c_2$.

Homomorphic NAND. LROTP supports safe computation of a masked NAND functionality. This functionality takes three input key-ciphertext pairs, and outputs the NAND of the first two underlying plaintexts, XORed with the third underlying plaintext. Moreover, this can be performed via the $\mathit{SafeNAND}$ procedure, which guarantees that even an OC leakage attacker who gets leakage on the computation learns nothing about the input plaintexts beyond the procedure's output. See Sections 2.2.1 and 6 for details.

We note that this can be extended to "standard" homomorphic computation of NAND, where the input is two key-ciphertext pairs, and the output is a "blinded" key-ciphertext pair whose underlying plaintext is the NAND of the plaintexts underlying the inputs. The details are omitted (this second property follows from the security of $\mathit{SafeNAND}$, but is not used in our construction).


24 


Approved  for  Public  Release;  Distribution  Unlimited. 
598 


5  Ciphertext  Banks 


In this section we present the procedures for maintaining, utilizing, and simulating banks of secure ciphertexts. We use these to create fresh secure ciphertexts under leakage attacks. The security property we want is that, even though the generation of new ciphertexts is done under leakage, a simulator can create an indistinguishable simulated view with complete and arbitrary control over these ciphertexts' underlying plaintexts. See Section 2.3.1 for an overview.

This section is organized as follows. In Section 5.1 we describe the ciphertext bank procedures, and those of the simulator, and state the security properties that will be used in the main construction (the proofs follow in subsequent sections). These procedures make use of secure procedures for piecemeal matrix multiplication and for refreshing collections of ciphertexts, which are in Section 5.2. In Section 5.3 we define piecemeal attacks on matrices and prove that random matrices are resilient to piecemeal leakage. In Section 5.4 we state and prove security properties of piecemeal matrix multiplication. Finally, in Section 5.5 we use these claims to prove the ciphertext bank's security.

5.1  Ciphertext  Bank:  Interface  and  Security 

We present a full description of the ciphertext bank procedures and simulator. Recall that (as in Section 4) keys and ciphertexts are vectors in $\{0,1\}^{\kappa}$, and the decryption of ciphertext $c$ under $\mathit{key}$ is the inner product $b = \langle \mathit{key}, c\rangle$. We call $b$ the plaintext underlying ciphertext $c$.

Ciphertext Bank Procedures. The ciphertext bank is used to generate fresh key-ciphertext pairs. The bank is initialized (without leakage) using a $\mathit{BankInit}$ procedure that takes as input a bit $b \in \{0,1\}$. It can then be accessed (repeatedly) using a $\mathit{BankGen}$ procedure, which produces a key-ciphertext pair whose underlying plaintext is $b$. Between generations, the bank's internal state is updated using a $\mathit{BankUpdate}$ procedure. Leakage from a sequence of $\mathit{BankGen}$ and $\mathit{BankUpdate}$ calls can be simulated. The simulator has arbitrary control over the plaintext bits underlying the generated ciphertexts. Simulated leakage is statistically close to leakage from the real calls.

In addition, we provide a $\mathit{BankRedraw}$ procedure, which re-draws a uniformly random plaintext bit that will underlie ciphertexts produced by the bank. The redrawn plaintext bit looks uniformly random even in the presence of leakage on the $\mathit{BankRedraw}$ procedure (and on all ciphertext generations).

These functionalities are implemented as follows. The ciphertext bank consists of a key $\mathit{key}$ and a collection $C$ of $2\kappa$ ciphertexts. We view $C$ as a $\kappa \times 2\kappa$ matrix whose columns are the ciphertexts.

In the $\mathit{BankInit}$ procedure, on input $b$, the key is drawn uniformly at random, and the columns of $C$ are drawn uniformly at random s.t. their inner product with $\mathit{key}$ is $b$. This invariant will be maintained throughout the ciphertext bank's operation. We sometimes refer to $b$ as the ciphertext bank's underlying plaintext bit.

The $\mathit{BankGen}$ procedure outputs a linear combination of $C$'s columns. The linear combination is chosen uniformly at random s.t. it has parity 1, i.e. it XORs an odd number of columns. This guarantees that it will yield a ciphertext whose underlying plaintext is $b$. The linear combination is taken using a secure "piecemeal" matrix-vector multiplication procedure $\mathit{PiecemealMM}$.

The $\mathit{BankUpdate}$ procedure injects new entropy into $\mathit{key}$ and into $C$. We refresh the key using a ("piecemeal") key refresh procedure $\mathit{PiecemealRefresh}$. We refresh $C$ by multiplying it with a random matrix whose columns all have parity 1. Matrix multiplication is again performed securely using $\mathit{PiecemealMM}$.

The  BankRedraw  procedure  adds  a  uniformly  random  vector  in  {0, 1}K  to  each  column  of  C 
(here  key  is  left  unchanged).  With  probability  1/2,  the  vector  has  inner  product  1  with  key ,  and  the 
underlying  plaintext  bit  is  flipped.  Otherwise,  the  underlying  plaintext  bit  is  unchanged.  Adding 
the  vector  to  each  column  of  the  matrix  is  performed  using  a  secure  PiecemealAdd  procedure. 

The  full  ciphertext  bank  procedures  are  in  Figure  3.  The  piecemeal  matrix  multiplication, 
addition,  and  key  refresh  procedures  are  below  in  Section  5.2. 


$\mathit{BankInit}(1^{\kappa}, b)$: initializes a ciphertext bank; no leakage

1. pick $\mathit{key} \leftarrow \mathit{KeyGen}(1^{\kappa})$

2. for $i \leftarrow 1, \ldots, 2\kappa$: $C[i] \leftarrow \mathit{Encrypt}(\mathit{key}, b)$

3. output $\mathit{Bank} \leftarrow (\mathit{key}, C)$

$\mathit{BankGen}(\mathit{Bank})$: generates a new ciphertext; under leakage

1. pick $r \in_R \{0,1\}^{2\kappa}$ with parity 1

2. $c \leftarrow \mathit{PiecemealMM}(C, r)$

3. output $(\mathit{key}, c)$

$\mathit{BankUpdate}(\mathit{Bank})$: updates the bank between generations; under leakage

1. refresh the key: $(\mathit{key}', D) \leftarrow \mathit{PiecemealRefresh}(\mathit{key}, C)$

2. refresh the ciphertexts: pick $R \in_R \{0,1\}^{2\kappa \times 2\kappa}$ s.t. its columns all have parity 1, and compute $C' \leftarrow \mathit{PiecemealMM}(D, R)$

3. $\mathit{Bank} \leftarrow (\mathit{key}', C')$

$\mathit{BankRedraw}(\mathit{Bank})$: re-draws the bank's underlying plaintext bit; under leakage

1. pick $v \in_R \{0,1\}^{\kappa}$, compute $C' \leftarrow \mathit{PiecemealAdd}(C, v)$

2. $\mathit{Bank} \leftarrow (\mathit{key}, C')$

Figure 3: Ciphertext Bank


Simulated Ciphertext Bank. Next, we provide a simulator for simulating the ciphertext bank procedures, while arbitrarily controlling the plaintext bits underlying the ciphertexts that are produced. Towards this end, we maintain a simulated ciphertext bank, consisting of a key and a matrix, similarly to the real ciphertext bank. These are initialized, without leakage, in a $\mathit{SimBankInit}$ procedure that draws $\mathit{key}$ and the columns of $C$ uniformly at random from $\{0,1\}^{\kappa}$. Note that here, unlike in the real ciphertext bank, the plaintexts underlying $C$'s columns are independent and uniformly random bits (rather than all 0 or all 1). The simulator also keeps track of the plaintext bits underlying the columns of $C$, storing them in a vector $x \in \{0,1\}^{2\kappa}$.

Calls  to  BankGen  are  simulated  using  SimBankGen.  This  procedure  operates  similarly  to 
BankGen,  except  that  it  uses  a  biased  linear  combination  of  C’s  columns  to  control  the  plaintext 
underlying  its  output  ciphertext.  We  also  provide  SimBankUpdate  and  SimBankRedraw  procedures. 
These  operate  similarly  to  BankUpdate  and  BankRedraw ,  except  that  they  keep  track  of  changes 
to  the  vector  x  of  plaintext  bits  underlying  C.  The  simulation  procedures  are  in  Figure  4. 


$\mathit{SimBankInit}(1^{\kappa})$; no leakage

1. pick $\mathit{key} \leftarrow \mathit{KeyGen}(1^{\kappa})$, $x \in_R \{0,1\}^{2\kappa}$

2. for $i \leftarrow 1, \ldots, 2\kappa$: $C[i] \leftarrow \mathit{Encrypt}(\mathit{key}, x[i])$

3. output $\mathit{Bank} \leftarrow (\mathit{key}, C)$; save also $x$

$\mathit{SimBankGen}(\mathit{Bank}, b)$

1. pick $r \in_R \{0,1\}^{2\kappa}$ with parity 1, and s.t. $\langle x, r\rangle = b$

2. run exactly as in $\mathit{BankGen}$, except in Step 1 use the above "biased" $r$; leakage is (only) on this operation of $\mathit{BankGen}$ (with the biased $r$)

$\mathit{SimBankUpdate}(\mathit{Bank})$

1. run exactly as in $\mathit{BankUpdate}$; leakage is (only) on this operation of $\mathit{BankUpdate}$

2. update $x$ to contain the new bits underlying the updated $C$

$\mathit{SimBankRedraw}(\mathit{Bank})$

1. run exactly as in $\mathit{BankRedraw}$; leakage is (only) on this operation of $\mathit{BankRedraw}$

2. update $x$ to contain the new bits underlying the updated $C$

Figure 4: Simulated Ciphertext Bank
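The real and simulated banks of Figures 3 and 4, as an added example that is not the report's code. The secure piecemeal procedures of Section 5.2 are not on this page, so plain GF(2) linear algebra stands in for $\mathit{PiecemealMM}$ and $\mathit{PiecemealAdd}$, and an assumed $\mathit{PiecemealRefresh}$ (the $\mathit{KeyRefresh}$ of Figure 2 followed by $\mathit{CipherCorrelate}$ on every column) stands in for the key refresh; leakage is not modelled, and all function names are this example's own. What the example checks is the invariant each procedure maintains: every $\mathit{BankGen}$ output decrypts to $b$ before and after updates, $\mathit{BankRedraw}$ moves all $2\kappa$ columns to the same new bit, and the simulator's biased $r$ lets it dictate the plaintext of each output while keeping $x$ in step with $C$.

```python
import secrets

def rand_bits(n): return [secrets.randbelow(2) for _ in range(n)]
def ip(u, v): return sum(a & b for a, b in zip(u, v)) & 1
def xor(u, v): return [a ^ b for a, b in zip(u, v)]
def parity(v): return sum(v) & 1

def key_gen(kappa):
    key = rand_bits(kappa); key[0] = 1; return key
def encrypt(key, b):
    c = rand_bits(len(key)); c[1] = 1
    if ip(key, c) != b: c[0] ^= 1            # key[0] = 1 flips the inner product
    return c

def mat_vec(C, r):
    """C is a list of 2*kappa column vectors; returns the GF(2) combination C.r."""
    out = [0] * len(C[0])
    for col, ri in zip(C, r):
        if ri: out = xor(out, col)
    return out

def rand_parity_one(n):
    r = rand_bits(n)
    if parity(r) == 0: r[0] ^= 1             # uniform over odd-parity vectors
    return r

# Figure 3: real bank (plain-arithmetic stand-ins for the piecemeal procedures)
def bank_init(kappa, b):
    key = key_gen(kappa)
    return key, [encrypt(key, b) for _ in range(2 * kappa)]

def bank_gen(bank):
    key, C = bank
    return key, mat_vec(C, rand_parity_one(len(C)))   # odd combination keeps b

def bank_update(bank):
    key, C = bank
    kappa = len(key)
    # assumed PiecemealRefresh: KeyRefresh plus CipherCorrelate on every column
    sigma = rand_bits(kappa); sigma[0] = 0
    key2 = xor(key, sigma)
    D = []
    for c in C:
        c = list(c); c[0] ^= ip(c, sigma); D.append(c)
    R = [rand_parity_one(2 * kappa) for _ in range(2 * kappa)]   # columns of R
    return key2, [mat_vec(D, col) for col in R]

def bank_redraw(bank):
    key, C = bank
    v = rand_bits(len(key))                  # PiecemealAdd stand-in: add v to every column
    return key, [xor(c, v) for c in C]

def plaintexts(bank):
    key, C = bank
    return [ip(key, c) for c in C]

# Figure 4: simulated bank; x records the plaintext bit under each column
def sim_bank_init(kappa):
    key = key_gen(kappa); x = rand_bits(2 * kappa)
    return (key, [encrypt(key, xi) for xi in x]), x

def biased_r(x, b):
    """Uniform r with parity 1 and <x, r> = b. Needs x to contain both a 0 and a 1,
    which fails only with probability 2^-(2 kappa - 1) for uniform x."""
    ones = [i for i, xi in enumerate(x) if xi]
    zeros = [i for i, xi in enumerate(x) if not xi]
    if not ones or not zeros: raise ValueError("degenerate x")
    r = rand_bits(len(x))
    if ip(x, r) != b: r[ones[0]] ^= 1        # fixes <x, r>; flips parity too
    if parity(r) != 1: r[zeros[0]] ^= 1      # fixes parity; leaves <x, r> alone
    return r

def sim_bank_gen(bank, x, b):
    key, C = bank
    return key, mat_vec(C, biased_r(x, b))

def sim_bank_update(bank):
    bank = bank_update(bank)
    return bank, plaintexts(bank)            # simulator knows key, so it recomputes x

def sim_bank_redraw(bank):
    bank = bank_redraw(bank)
    return bank, plaintexts(bank)

def check_bank(kappa=16, gens=5):
    """Real bank: every output decrypts to b across updates; redraw moves all
    columns together. Simulated bank: the simulator dictates each output bit."""
    for b in (0, 1):
        bank = bank_init(kappa, b)
        for _ in range(gens):
            key, c = bank_gen(bank)
            if ip(key, c) != b: return False
            bank = bank_update(bank)
            if set(plaintexts(bank)) != {b}: return False
        if len(set(plaintexts(bank_redraw(bank)))) != 1: return False
    bank, x = sim_bank_init(kappa)
    for t in range(gens):
        key, c = sim_bank_gen(bank, x, t & 1)
        if ip(key, c) != (t & 1): return False
        bank, x = sim_bank_update(bank)
        bank, x = sim_bank_redraw(bank)
    key, c = sim_bank_gen(bank, x, 1)
    return ip(key, c) == 1 and x == plaintexts(bank)
```

The two flips in `biased_r` map each of the four cosets cut out by the parity and $\langle x, \cdot\rangle$ functionals onto the target coset by a fixed translation, so the output is uniform over the valid $r$'s rather than merely a valid one; that matters because the simulated $\mathit{BankGen}$ must look like the real one, which draws $r$ uniformly among odd-parity vectors.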


Ciphertext Bank Security. We show several security properties of the ciphertext bank. In all of these security properties, we consider sequences of ciphertext bank generations, real or simulated. A sequence of real generations starts with a call to $\mathit{BankInit}$ to initialize the ciphertext bank. This is followed by a sequence of ciphertext generations, each performed via a call to $\mathit{BankGen}$ and followed by an update call to $\mathit{BankUpdate}$. A sequence of simulated generations is similar, except that initialization is performed using $\mathit{SimBankInit}$, each generation is performed by specifying an underlying plaintext bit $b$ and then calling $\mathit{SimBankGen}$, and each update is performed using $\mathit{SimBankUpdate}$.

We also consider sequences of random generations of ciphertext pairs. A sequence of real random generations begins with an initialization call to $\mathit{BankInit}$ with a uniformly random bit value. This is followed by a sequence of generations as follows. For each item in the sequence, we begin by generating a key and two ciphertexts, $c_\ell$ and $c_r$ (both with the same underlying plaintext bit). Next, we call $\mathit{BankRedraw}$ to redraw the bank's underlying plaintext bit. Lastly, we update the bank using $\mathit{BankUpdate}$. This is done repeatedly, yielding a sequence of keys and pairs of ciphertexts, where the plaintext bit underlying each ciphertext pair is independent and uniformly random. A sequence of simulated random generations is performed similarly, except that $\mathit{BankInit}$, $\mathit{BankRedraw}$, $\mathit{BankUpdate}$ are replaced by $\mathit{SimBankInit}$, $\mathit{SimBankRedraw}$, $\mathit{SimBankUpdate}$, and each pair of calls to $\mathit{BankGen}$ is replaced by a pair of calls to $\mathit{SimBankGen}$ with some specified plaintext bit $b$ (we will always use the same plaintext bit $b$ in both generations).

We now describe several security properties for sequences of real and simulated generations and random generations of pairs. Intuitive descriptions are listed below, and the formal lemma statements follow.

Real  and  simulated  sequences,  identical  underlying  plaintexts.  Consider  an  OC  leakage 
attacker’s  “real”  view,  given  leakage  from  a  real  sequence  of  generations  using  a  bank  initialized 
with  bit  b.  Consider  also  a  “simulated”  view  for  the  same  attacker,  given  leakage  from  a  simulated 
sequence  of  calls,  where  all  calls  to  SimBankGen  specify  the  same  underlying  plaintext  bit  b.  I.e.,  the 
plaintexts  underlying  the  ciphertexts  generated  in  these  real  and  simulated  views  are  all  identical. 
We  show  that  the  distributions  of  the  leakage  obtained  in  these  two  views,  in  conjunction  with  the 
explicit  list  of  key- ciphertext  pairs  produced,  are  statistically  close. 

This  is  stated  formally  in  Lemma  5.1  below.  The  proof  is  in  Section  5.5. 

Two  simulated  sequences,  different  underlying  plaintexts.  Consider  an  OC  leakage  at¬ 
tacker’s  view,  given  two  simulated  sequences  of  generations.  The  two  sequences  each  produce  the 
same  number  of  ciphertexts,  but  differ  in  the  underlying  plaintext  bits  that  are  specified. 

We  show  that  the  distributions  of  leakage  obtained  in  these  two  views  are  statistically  close.  Note 
that,  unlike  the  previous  property,  here  statistical  closeness  does  not  hold  in  conjunction  with  the 
explicit  keys  and  ciphertexts  produced  (since  the  underlying  plaintexts  differ).  We  note  also  that, 
combining  this  with  the  previous  property,  we  conclude  statistical  closeness  of  leakage  distributions 
produced  by  an  OC  attack  on  a  real  sequence  and  on  a  simulated  sequence  with  different  underlying 
plaintexts  (leakage  only  -  without  the  explicit  plaintext  and  ciphertext  produced). 

This  is  stated  formally  in  Lemma  5.2  below.  The  proof  is  in  Section  5.5. 

Single  simulated  sequence,  independence  up  to  orthogonality.  Consider  an  OC  leakage 
attack  on  a  (single)  sequence  of  simulated  generations.  We  show  that,  given  the  leakage  in  the 
attack,  the  (joint)  distribution  of  keys  and  ciphertexts  produced,  is  independent  up  to  orthogonality 
(see  Definition  3.10).  Moreover,  the  underlying  distributions  on  keys  and  ciphertexts  depend  only 
on  the  leakage  (and  the  adversary),  but  not  on  the  sequence  of  bits  given  as  input  to  the  simulated 
generations.  Finally,  these  underlying  (conditional)  distributions  have  high  entropy  on  each  key 
and  each  ciphertext  produced. 

Intuitively,  this  means  that  the  keys  and  ciphertexts  produced  will  be  resilient  to  subsequent 
multi-source  leakage.  I.e.,  bounded  leakage  that  operates  separately  on  keys  and  on  ciphertexts  will 
not  be  able  to  distinguish  the  underlying  plaintexts.  We  note  that  independence  up  to  orthogonality 
holds  even  given  the  list  of  ciphertexts  in  the  bank  in  all  generations  and  all  randomness  used  by 
the  ciphertext  except  the  randomness  for  generating  the  “target”  key  and  ciphertext. 
This is stated formally in Lemma 5.3 below. The proof is in Section 5.5.

Real  and  simulated  sequences  of  random  generations.  Consider  an  OC  leakage  attacker’s 
“real”  view,  given  leakage  from  a  real  sequence  of  random  generations  of  ciphertext  pairs.  Consider 
also  a  “simulated”  view  for  the  same  attacker,  given  leakage  from  a  simulated  sequence  of  calls, 
where each pair of calls to SimBankGen specifies a uniformly random bit (independent of all other
pairs).  In  particular,  the  plaintexts  underlying  the  ciphertexts  generated  in  these  real  and  simulated 
views  are  identically  distributed  (uniformly  random  for  each  pair  independently).  We  show  that 
the  distributions  of  the  leakage  obtained  in  these  two  views,  in  conjunction  with  the  explicit  list  of 
keys  and  ciphertext  pairs  produced,  are  statistically  close. 

This  is  stated  formally  in  Lemma  5.4  below.  This  is  similar  to  the  guarantee  of  Lemma  5.1  and 
we  omit  the  proof. 

Single  simulated  sequence  of  random  generations,  independence  up  to  orthogonality. 

Consider an OC leakage attack on a (single) sequence of simulated random generations of pairs of ciphertexts. We show that, given the leakage in the attack, the (joint) distribution of keys and ciphertexts produced is independent up to orthogonality (see Definition 3.10). Moreover, the underlying distributions on keys and ciphertexts depend only on the leakage (and the adversary), but not
on  the  sequence  of  underlying  plaintext  bits.  Finally,  these  underlying  (conditional)  distributions 
have  high  entropy  on  each  key  and  each  ciphertext  produced. 

Intuitively,  this  means  that  the  keys  and  ciphertexts  produced  will  be  resilient  to  subsequent 
multi-source  leakage.  I.e.,  bounded  leakage  that  operates  separately  on  keys  and  on  ciphertexts 
will  not  be  able  to  distinguish  the  underlying  plaintexts.  Moreover,  within  each  pair  of  ciphertexts, 
independence  up  to  orthogonality  for  the  key  and  each  ciphertext  separately  continues  to  hold 
even  if  the  other  ciphertext  in  the  pair  is  released  in  its  entirety.  We  note  that,  as  was  the  case 
above,  independence  up  to  orthogonality  holds  even  given  the  list  of  ciphertexts  in  the  bank  in  all 
generations  and  all  randomness  used  by  the  ciphertext  except  the  randomness  for  generating  the 
“target”  key  and  ciphertext. 

This  is  stated  formally  in  Lemma  5.5  below.  The  guarantee  is  quite  similar  to  that  of  Lemma 
5.3  and  we  omit  the  proof. 

Lemma 5.1. There exists a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a distance bound $\delta(\kappa) = \exp(-\Omega(\kappa))$, s.t. for any bit $b \in \{0,1\}$, security parameter $\kappa$, execution bound $T = \mathrm{poly}(\kappa)$, and (computationally unbounded) leakage adversary $\mathcal{A}$:

Let $\mathit{Real}$ and $\mathit{Simulated}$ be as follows, where in $\mathit{Real}$ we begin by running $\mathit{Bank}_0 \leftarrow \mathit{BankInit}(b)$, and in $\mathit{Simulated}$ we begin by running $\mathit{Bank}_0 \leftarrow \mathit{SimBankInit}$ (both without leakage):

$$
\begin{aligned}
\mathit{Real} = \mathcal{A}\{ & ((key_0, c_0) \leftarrow \mathit{BankGen}(\mathit{Bank}_0))^{\lambda(\kappa)},\ (\mathit{Bank}_1 \leftarrow \mathit{BankUpdate}(\mathit{Bank}_0))^{\lambda(\kappa)},\ key_0, c_0, \\
& ((key_1, c_1) \leftarrow \mathit{BankGen}(\mathit{Bank}_1))^{\lambda(\kappa)},\ (\mathit{Bank}_2 \leftarrow \mathit{BankUpdate}(\mathit{Bank}_1))^{\lambda(\kappa)},\ key_1, c_1, \\
& \ldots, \\
& ((key_{T-1}, c_{T-1}) \leftarrow \mathit{BankGen}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ (\mathit{Bank}_T \leftarrow \mathit{BankUpdate}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ key_{T-1}, c_{T-1} \}
\end{aligned}
$$

$$
\begin{aligned}
\mathit{Simulated} = \mathcal{A}\{ & ((key_0, c_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b))^{\lambda(\kappa)},\ (\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_0))^{\lambda(\kappa)},\ key_0, c_0, \\
& ((key_1, c_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b))^{\lambda(\kappa)},\ (\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_1))^{\lambda(\kappa)},\ key_1, c_1, \\
& \ldots, \\
& ((key_{T-1}, c_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b))^{\lambda(\kappa)},\ (\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ key_{T-1}, c_{T-1} \}
\end{aligned}
$$

then $\Delta(\mathit{Real}, \mathit{Simulated}) = \delta(\kappa)$.

Lemma 5.2. There exists a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a distance bound $\delta(\kappa) = \exp(-\Omega(\kappa))$, s.t. for any security parameter $\kappa \in \mathbb{N}$, any execution bound $T = \mathrm{poly}(\kappa)$, any vectors $b', b'' \in \{0,1\}^T$, and any (computationally unbounded) leakage adversary $\mathcal{A}$:

Let $\mathit{Simulated}'$ and $\mathit{Simulated}''$ be the following two distributions, where in both distributions we begin by running $\mathit{Bank}_0 \leftarrow \mathit{SimBankInit}$ (without leakage):

$$
\begin{aligned}
\mathit{Simulated}' = \mathcal{A}^{\lambda(\kappa)}\{ & [(key_0, c_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b'[0])],\ [\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_0)], \\
& [(key_1, c_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b'[1])],\ [\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_1)], \\
& \ldots, \\
& [(key_{T-1}, c_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b'[T-1])],\ [\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_{T-1})] \}
\end{aligned}
$$

$$
\begin{aligned}
\mathit{Simulated}'' = \mathcal{A}^{\lambda(\kappa)}\{ & [(key_0, c_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b''[0])],\ [\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_0)], \\
& [(key_1, c_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b''[1])],\ [\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_1)], \\
& \ldots, \\
& [(key_{T-1}, c_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b''[T-1])],\ [\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_{T-1})] \}
\end{aligned}
$$

then $\Delta(\mathit{Simulated}', \mathit{Simulated}'') = \delta(\kappa)$.

Lemma 5.3. There exists a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a probability bound $\delta(\kappa) = \exp(-\Omega(\kappa))$, s.t. for any $\kappa \in \mathbb{N}$, any execution bound $T = \mathrm{poly}(\kappa)$, any vector $b \in \{0,1\}^T$, and any (computationally unbounded) leakage adversary $\mathcal{A}$, the following holds:

Let $\mathit{Simulated}$ be the following distribution, where we begin by running $\mathit{Bank}_0 \leftarrow \mathit{SimBankInit}$ (without leakage):

$$
\begin{aligned}
\mathit{Simulated} = \mathcal{A}^{\lambda(\kappa)}\{ & [(key_0, c_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b[0])],\ [\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_0)], \\
& [(key_1, c_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b[1])],\ [\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_1)], \\
& \ldots, \\
& [(key_{T-1}, c_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b[T-1])],\ [\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}_{T-1})] \}
\end{aligned}
$$

For any $w$ in the support of $\mathit{Simulated}$, and for any $i \in [T]$, fixing all ciphertexts except the $i$-th pair produced, let $\mathcal{D}_i(w)$ be the joint distribution of $(key_i, c_i)$ given $w$ and the remaining $T-1$ ciphertexts. There exist distributions $\mathcal{K}_i(w)$ and $\mathcal{C}_i(w)$ s.t. the following holds (see footnote 1):

The distribution $\mathcal{D}_i(w)$ is IuO with orthogonality $b[i]$ and underlying distributions $\mathcal{K}_i(w)$ and $\mathcal{C}_i(w)$. With all but $\delta(\kappa)$ probability over the choice (by $\mathit{Simulated}$) of $w$ and of all ciphertexts except the $i$-th, the min-entropy of $\mathcal{K}_i(w)$ and of $\mathcal{C}_i(w)$ is at least $\kappa - O(\lambda(\kappa))$.

Footnote 1: Note that these distributions do not depend on $b[i]$ (they depend only on $w$, on $\mathcal{A}$ and on the $T-1$ remaining ciphertexts).
Lemma 5.4. There exists a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a distance bound $\delta(\kappa) = \exp(-\Omega(\kappa))$, s.t. for any security parameter $\kappa \in \mathbb{N}$, execution bound $T = \mathrm{poly}(\kappa)$, and (computationally unbounded) leakage adversary $\mathcal{A}$:

Let $\mathit{Real}$ and $\mathit{Simulated}$ be as follows. Choose $b \leftarrow_R \{0,1\}^T$. In $\mathit{Real}$, we begin by running $\mathit{Bank}_0 \leftarrow \mathit{BankInit}(b[0])$. In $\mathit{Simulated}$ we begin by running $\mathit{Bank}_0 \leftarrow \mathit{SimBankInit}$:

$$
\begin{aligned}
\mathit{Real} = \mathcal{A}\{ & ((key_0, c^0_0) \leftarrow \mathit{BankGen}(\mathit{Bank}_0))^{\lambda(\kappa)},\ ((key_0, c^1_0) \leftarrow \mathit{BankGen}(\mathit{Bank}_0))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_0 \leftarrow \mathit{BankRedraw}(\mathit{Bank}_0))^{\lambda(\kappa)},\ (\mathit{Bank}_1 \leftarrow \mathit{BankUpdate}(\mathit{Bank}'_0))^{\lambda(\kappa)},\ key_0, c^0_0, c^1_0, \\
& ((key_1, c^0_1) \leftarrow \mathit{BankGen}(\mathit{Bank}_1))^{\lambda(\kappa)},\ ((key_1, c^1_1) \leftarrow \mathit{BankGen}(\mathit{Bank}_1))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_1 \leftarrow \mathit{BankRedraw}(\mathit{Bank}_1))^{\lambda(\kappa)},\ (\mathit{Bank}_2 \leftarrow \mathit{BankUpdate}(\mathit{Bank}'_1))^{\lambda(\kappa)},\ key_1, c^0_1, c^1_1, \\
& \ldots, \\
& ((key_{T-1}, c^0_{T-1}) \leftarrow \mathit{BankGen}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ ((key_{T-1}, c^1_{T-1}) \leftarrow \mathit{BankGen}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_{T-1} \leftarrow \mathit{BankRedraw}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ (\mathit{Bank}_T \leftarrow \mathit{BankUpdate}(\mathit{Bank}'_{T-1}))^{\lambda(\kappa)},\ key_{T-1}, c^0_{T-1}, c^1_{T-1} \}
\end{aligned}
$$

$$
\begin{aligned}
\mathit{Simulated} = \mathcal{A}\{ & ((key_0, c^0_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b[0]))^{\lambda(\kappa)},\ ((key_0, c^1_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b[0]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_0 \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_0))^{\lambda(\kappa)},\ (\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_0))^{\lambda(\kappa)},\ key_0, c^0_0, c^1_0, \\
& ((key_1, c^0_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b[1]))^{\lambda(\kappa)},\ ((key_1, c^1_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b[1]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_1 \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_1))^{\lambda(\kappa)},\ (\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_1))^{\lambda(\kappa)},\ key_1, c^0_1, c^1_1, \\
& \ldots, \\
& ((key_{T-1}, c^0_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b[T-1]))^{\lambda(\kappa)},\ ((key_{T-1}, c^1_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b[T-1]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_{T-1} \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ (\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_{T-1}))^{\lambda(\kappa)},\ key_{T-1}, c^0_{T-1}, c^1_{T-1} \}
\end{aligned}
$$

then $\Delta(\mathit{Real}, \mathit{Simulated}) = \delta(\kappa)$.

Lemma 5.5. There exists a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a probability bound $\delta(\kappa) = \exp(-\Omega(\kappa))$, s.t. for any $\kappa \in \mathbb{N}$, any execution bound $T = \mathrm{poly}(\kappa)$, any vector $b \in \{0,1\}^T$, and any (computationally unbounded) leakage adversary $\mathcal{A}$, the following holds:

Let $\mathit{Simulated}$ be the following distribution, where we begin by running $\mathit{Bank}_0 \leftarrow \mathit{SimBankInit}$:

$$
\begin{aligned}
\mathit{Simulated} = \mathcal{A}\{ & ((key_0, c^0_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b[0]))^{\lambda(\kappa)},\ ((key_0, c^1_0) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_0, b[0]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_0 \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_0))^{\lambda(\kappa)},\ (\mathit{Bank}_1 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_0))^{\lambda(\kappa)},\ key_0, c^0_0, c^1_0, \\
& ((key_1, c^0_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b[1]))^{\lambda(\kappa)},\ ((key_1, c^1_1) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_1, b[1]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_1 \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_1))^{\lambda(\kappa)},\ (\mathit{Bank}_2 \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_1))^{\lambda(\kappa)},\ key_1, c^0_1, c^1_1, \\
& \ldots, \\
& ((key_{T-1}, c^0_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b[T-1]))^{\lambda(\kappa)},\ ((key_{T-1}, c^1_{T-1}) \leftarrow \mathit{SimBankGen}(\mathit{Bank}_{T-1}, b[T-1]))^{\lambda(\kappa)}, \\
& (\mathit{Bank}'_{T-1} \leftarrow \mathit{SimBankRedraw}(\mathit{Bank}_{T-1}))^{\lambda(\kappa)},\ (\mathit{Bank}_T \leftarrow \mathit{SimBankUpdate}(\mathit{Bank}'_{T-1}))^{\lambda(\kappa)},\ key_{T-1}, c^0_{T-1}, c^1_{T-1} \}
\end{aligned}
$$

For any $w$ in the support of $\mathit{Simulated}$, and for any $i \in [T]$, fixing all ciphertexts except the $i$-th pair, let $\mathcal{D}^0_i(w)$ and $\mathcal{D}^1_i(w)$ be the joint distribution of $(key_i, c^0_i)$ and $(key_i, c^1_i)$ (respectively) given: $w$, the remaining $T-1$ keys and ciphertext pairs, and (respectively) $c^1_i$ and $\langle key_i, c^1_i \rangle$, or $c^0_i$ and $\langle key_i, c^0_i \rangle$. Then there exist distributions $\mathcal{K}^0_i(w), \mathcal{C}^0_i(w)$ and $\mathcal{K}^1_i(w), \mathcal{C}^1_i(w)$ s.t. the following holds (see footnote 8):

The distributions $\mathcal{D}^0_i(w)$ and $\mathcal{D}^1_i(w)$ are both IuO with orthogonality $b[i]$ and underlying distributions $\mathcal{K}^0_i(w)$ and $\mathcal{C}^0_i(w)$ or $\mathcal{K}^1_i(w)$ and $\mathcal{C}^1_i(w)$ (respectively). With all but $\delta(\kappa)$ probability over the choice (by $\mathit{Simulated}$) of the fixed values, the min-entropies of all these underlying distributions are at least $\kappa - O(\lambda(\kappa))$.

5.2  Piecemeal  Matrix  Computations 

Recall  that  we  treat  collections  of  ciphertexts  as  matrices,  where  each  column  of  the  matrix  is 
a  ciphertext.  We  refer  to  the  procedures  in  this  section  as  “piecemeal”,  because  they  access  the 
matrices by dividing them into “pieces” or “sketches”, and loading each piece (or sketch) into
memory  separately.  Each  piece/sketch  is  a  collection  of  linear  combinations  of  the  matrix’s  columns. 
We  refer  to  these  as  pieces  (rather  than  sketches)  throughout  this  section. 

We  present  piecemeal  procedures  for  matrix  multiplication,  for  refreshing  the  key  under  which 
the  ciphertexts  in  a  matrix’s  columns  are  encrypted,  and  for  adding  a  vector  to  the  columns  of  a 
matrix (we refer to this as matrix-vector addition). We show that these procedures have several
security  properties  under  leakage  attacks.  In  all  these  procedures,  no  matrix  is  ever  loaded  into 
memory  in  its  entirety.  Rather,  the  matrices  are  only  accessed  in  a  piecemeal  manner. 

As an (important) example for why this facilitates security, consider the rank of a matrix on which we are computing. If this matrix is loaded into memory in its entirety, then a leakage adversary can compute its rank. If, however, only “pieces” of the matrix are loaded into memory at any one time, then it is no longer clear how a leakage adversary can compute the rank. In fact, we will show that (under the appropriate matrix distribution), as long as the matrix is accessed in a piecemeal fashion, its rank is completely hidden, even from a computationally unbounded leakage adversary. This fact will be used extensively in our security proofs. See the subsequent sections for security properties and proofs.

Footnote 8: Note that these distributions do not depend on $b[i]$ (they depend only on $w$, on $\mathcal{A}$, on the $T-1$ remaining key-ciphertext pairs, and on the additional $i$-th ciphertext ($c^1_i$ or $c^0_i$, respectively)).

PiecemealMM$(A, B)$: multiplies matrices $A \in \{0,1\}^{\kappa \times m}$ and $B \in \{0,1\}^{m \times n}$ under leakage

Parse: $A = [A_1, \ldots, A_a]$, where each $A_i$ is a $\kappa \times \ell$ matrix, and $B^T = [B_1^T, \ldots, B_b^T]$, where each $B_j$ is an $m \times \ell$ matrix. Further parse each $B_j = [B_{j1}, \ldots, B_{ja}]$, where each $B_{ij}$ is an $\ell \times \ell$ matrix.

1. For $i \leftarrow 1, \ldots, b$:

 (a) Set $D_0 = 0$

 (b) For $j \leftarrow 1, \ldots, a$: $D_j \leftarrow D_{j-1} + (A_j \times B_{ij})$; leakage on each tuple $(D_{j-1}, A_j, B_{ij})$ separately

 (c) $C_i \leftarrow D_a$

2. Output the product matrix $C = [C_1, \ldots, C_b]$

Figure 5: Piecemeal Matrix Multiplication for $\kappa, \ell \in \mathbb{N}$


PiecemealRefresh$(key, A)$: refreshes the key for matrix $A \in \{0,1\}^{\kappa \times m}$

Parse: $A = [A_1, \ldots, A_a]$, where each $A_i$ is a $\kappa \times \ell$ matrix.

1. $a \leftarrow \mathit{KeyEntGen}(1^\kappa)$

2. For $i \leftarrow 1 \ldots a$: $A'_i \leftarrow \mathit{CipherCorrelate}(A_i, a)$; leakage on $(A_i, a)$ for each $i$ separately

3. $key' \leftarrow \mathit{KeyRefresh}(key, a)$; leakage on $(key, a)$

4. Output $key'$ and the refreshed matrix $A' = [A'_1, \ldots, A'_a]$

Figure 6: Piecemeal Matrix Refresh for $\kappa, \ell \in \mathbb{N}$


PiecemealAdd$(A, v)$: adds $v \in \{0,1\}^\kappa$ to each column of $A \in \{0,1\}^{\kappa \times m}$

Parse: $A = [A_1, \ldots, A_a]$, where each $A_i$ is a $\kappa \times \ell$ matrix.

1. For $i \leftarrow 1 \ldots a$, $j \leftarrow 1 \ldots \ell$: $A'_i[j] \leftarrow A_i[j] + v$; leakage on $(A_i, v)$ for each $i$ separately

2. $A' = [A'_1, \ldots, A'_a]$

Figure 7: Piecemeal Matrix Addition for $\kappa, \ell \in \mathbb{N}$
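As an added example (not code from the report), the following Python runs PiecemealMM (Figure 5) and PiecemealAdd (Figure 7) over GF(2), with a callback in place of the leakage adversary that records what each loaded tuple exposes; PiecemealRefresh is left out because KeyEntGen, CipherCorrelate and KeyRefresh are not specified here. It checks that the piecemeal product equals the full product, that no loaded tuple spans more than $2\ell$ dimensions although the bank itself has rank $\kappa - 1$ (the rank-hiding point made above), and that linear combinations and the $v$-shift preserve the orthogonality of the columns to $key$. The helper names, $\kappa = 20$, $\ell = 0.1\kappa$, $m = 2\kappa$ and the bank sampled by rejection are assumptions of this example.

```python
"""Piecemeal matrix multiplication (Figure 5) and matrix-vector addition
(Figure 7) over GF(2).  Added example, not the report's own code.  A matrix
is a list of rows with entries in {0, 1}; each column is one ciphertext.  The
`leak` callback stands in for the leakage adversary and is invoked once per
loaded tuple, so it never sees a whole matrix.  Helper names, the block width
`ell` and the rejection-sampled bank are this example's own (constructed)."""
import random

def gf2_rank(vectors):
    """Rank over GF(2) of a list of 0/1 vectors (incremental XOR basis)."""
    basis = []
    for vec in vectors:
        x = sum(bit << j for j, bit in enumerate(vec))
        for b in basis:
            x = min(x, x ^ b)  # xor in b exactly when b's leading bit is set in x
        if x:
            basis.append(x)
    return len(basis)

def columns(M):
    """The columns of M as vectors (one ciphertext per column)."""
    return [list(col) for col in zip(*M)]

def matmul(A, B):
    return [[sum(a * B[k][j] for k, a in enumerate(row)) % 2
             for j in range(len(B[0]))] for row in A]

def matadd(A, B):
    return [[(x + y) % 2 for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def col_block(M, i, ell):
    """Columns i*ell .. (i+1)*ell - 1 of M: the i-th piece A_i of Figures 5-7."""
    return [row[i * ell:(i + 1) * ell] for row in M]

def piecemeal_mm(A, B, ell, leak=lambda *pieces: None):
    """Figure 5: C = A x B with only (D_{j-1}, A_j, B_ij) loaded at a time."""
    kappa, m, n = len(A), len(A[0]), len(B[0])
    a, b = m // ell, n // ell
    C = [[0] * n for _ in range(kappa)]
    for i in range(b):
        B_i = col_block(B, i, ell)               # m x ell column block of B
        D = [[0] * ell for _ in range(kappa)]    # D_0 = 0
        for j in range(a):
            A_j = col_block(A, j, ell)           # kappa x ell
            B_ij = B_i[j * ell:(j + 1) * ell]    # ell x ell row block of B_i
            leak(D, A_j, B_ij)                   # leakage on this tuple only
            D = matadd(D, matmul(A_j, B_ij))     # D_j = D_{j-1} + A_j x B_ij
        for r in range(kappa):                   # C_i = D_a
            C[r][i * ell:(i + 1) * ell] = D[r]
    return C

def piecemeal_add(A, v, ell, leak=lambda *pieces: None):
    """Figure 7: add v to every column of A, one column block at a time."""
    kappa, m = len(A), len(A[0])
    out = [[0] * m for _ in range(kappa)]
    for i in range(m // ell):
        A_i = col_block(A, i, ell)
        leak(A_i, v)                             # leakage on (A_i, v) only
        for r in range(kappa):
            out[r][i * ell:(i + 1) * ell] = [(x + v[r]) % 2 for x in A_i[r]]
    return out

def inner(u, v):
    return sum(x * y for x, y in zip(u, v)) % 2

def sample_bank(key, m, rng):
    """m random columns in kernel(key): every column orthogonal to key, the
    'plaintext bit 0' bank of Section 5.3 (sampled by rejection)."""
    cols = []
    while len(cols) < m:
        c = [rng.randrange(2) for _ in range(len(key))]
        if inner(key, c) == 0:
            cols.append(c)
    return [list(row) for row in zip(*cols)]

def demo(kappa=20, seed=1):
    """Returns (rank of the whole bank, largest rank of any loaded tuple,
    piecemeal product == full product, product columns still in kernel(key),
    shifted columns all have inner product 1 with key)."""
    rng = random.Random(seed)
    ell, m = kappa // 10, 2 * kappa              # ell = 0.1*kappa, m = 2*kappa
    key = [1] + [rng.randrange(2) for _ in range(kappa - 1)]   # nonzero key
    M = sample_bank(key, m, rng)
    B = [[rng.randrange(2) for _ in range(m)] for _ in range(m)]
    seen = []                                    # rank of each loaded tuple
    leak = lambda D, A_j, B_ij: seen.append(gf2_rank(columns(D) + columns(A_j)))
    C = piecemeal_mm(M, B, ell, leak)
    v = [1] + [0] * (kappa - 1)                  # <key, v> = 1 since key[0] = 1
    shifted = piecemeal_add(M, v, ell)
    return (gf2_rank(columns(M)), max(seen), C == matmul(M, B),
            all(inner(key, c) == 0 for c in columns(C)),
            all(inner(key, c) == 1 for c in columns(shifted)))

if __name__ == "__main__":
    print(demo())  # prints (19, 4, True, True, True)
```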


5.3  Piecemeal  Leakage  Attacks  on  Matrices  and  Vectors 

In  this  section,  we  define  “piecemeal  leakage  attacks”  on  matrices.  In  particular,  these  attacks 
capture  the  leakage  that  can  be  computed  via  a  leakage  attack  on  the  piecemeal  matrix  procedures 
(multiplication, refresh, and matrix-vector addition). We then prove that random matrices are
resilient  to  several  flavors  of  such  piecemeal  attacks. 

Attack  on  a  Matrix.  A  piecemeal  leakage  attack  on  a  matrix,  is  a  multi-source  leakage  attack, 
where  the  sources  are  key  and  (one  or  many)  “pieces”  of  the  matrix.  Recall  that  each  “piece”  here 
is  a  collection  of  linear  combinations  of  the  matrix  columns.  See  Definition  5.6  below.  We  focus 
here  on  the  case  where  the  matrix  is  either  independent  of  key ,  or  has  columns  orthogonal  to  key 
(as  is  the  case  for  a  ciphertext  bank  corresponding  to  underlying  plaintext  bit  0).  The  case  where 
the  columns  have  inner  product  1  with  key  is  handled  similarly. 

We  will  show  that  a  random  matrix  M  is  resilient  to  piecemeal  leakage:  the  leakage  computed 
in such an attack is statistically close when (i) the columns of $M$ are all in the kernel of $key$, (ii) $M$ is a uniformly random matrix, and (iii) $M$ is a uniformly random matrix of rank $\kappa - 1$ (independent of $key$). Moreover, this statistical closeness holds even if $key$ is later exposed in its entirety. We
begin  in  Section  5.3.1  with  a  warmup  for  the  case  of  an  attack  on  a  single  piece  (Lemma  5.8).  We 
then  show  security  for  large  number  of  pieces  in  Section  5.3.2  (Lemma  5.10). 

Definition 5.6 (Piecemeal Leakage Attack on $(key, M)$). Take $a, \kappa, \lambda, \ell, m \in \mathbb{N}$. Let $Lin = (Lin_1, \ldots, Lin_a)$ be a sequence of (one or more) matrices, where for each $Lin_i$, its columns each specify the coefficients of a linear combination of the rows of $M$. Thus, for $M \in \{0,1\}^{\kappa \times m}$ and $Lin_i \in \{0,1\}^{m \times \ell}$, the matrix piece $M \times Lin_i$ is a collection of $\ell$ linear combinations of $M$'s columns.

Let $\mathcal{A}$ be a leakage adversary, operating separately on $key \in \{0,1\}^\kappa$ and on several matrices in $\{0,1\}^{\kappa \times \ell}$ (each matrix is $M \times Lin_i$ for some $i$). We denote $\mathcal{A}$'s output by:

$$\mathcal{A}_{\kappa,\lambda,\ell,m,Lin}(key, M) \triangleq \mathcal{A}^{\lambda}(1^\kappa)[key]\{(M \times Lin_1), \ldots, (M \times Lin_a)\}$$

We refer to $\mathcal{A}$ as a “piecemeal adversary” operating on $(key, M)$. We omit $\kappa, \lambda, \ell, m$ and $Lin$ when they are clear from the context.

Attack on a Matrix and Vector. We extend these results further, considering piecemeal leakage that operates separately on $key$, and on pieces of a matrix $M$ (as before), each piece jointly
with  a  vector  v.  See  Definition  5.7  below. 

We  show  that,  for  a  matrix  M  with  columns  in  the  kernel  of  key,  the  leakage  computed  in  such 
an  attack  is  statistically  close  when  (i)  the  vector  v  is  in  the  kernel  of  key,  and  (ii)  the  vector  v  is 
not  in  the  kernel  of  key.  Moreover,  this  statistical  closeness  holds  even  if  key  is  later  exposed  in  its 
entirety  (as  above)  and  also  M  is  later  exposed  in  its  entirety.  See  Section  5.3.3  and  Lemma  5.15. 

Definition 5.7 (Piecemeal Leakage Attack on $(key, (M, v))$). Take $a, \kappa, \lambda, \ell, m \in \mathbb{N}$. Let $Lin = (Lin_1, \ldots, Lin_a)$ be a sequence of matrices, where for each $Lin_i$, its columns each specify the coefficients of a linear combination of the rows of $M$ as in Definition 5.6.

Let $\mathcal{A}$ be a leakage adversary, operating separately on $key \in \{0,1\}^\kappa$ and on several matrices in $\{0,1\}^{\kappa \times \ell}$ (as in Definition 5.6), each matrix jointly with a vector $v \in \{0,1\}^\kappa$. We denote $\mathcal{A}$'s output by:

$$\mathcal{A}_{\kappa,\lambda,\ell,m,Lin}(key, (M, v)) \triangleq \mathcal{A}^{\lambda}(1^\kappa)[key]\{((M \times Lin_1) \circ v), \ldots, ((M \times Lin_a) \circ v)\}$$

We refer to $\mathcal{A}$ as a “piecemeal adversary” operating on $(key, (M, v))$. We omit $\kappa, \lambda, \ell, m$ and $Lin$ when they are clear from the context.
5.3.1 Piecem eal Leakage Resilience: One Piece

We  begin  by  showing  that,  for  a  uniformly  random  key  €  {0, 1}K,  and  a  matrix  M,  given  separate 
leakage  from  key  and  from  a  single  piece  of  the  matrix,  the  following  two  cases  induce  statistically 
close  distributions.  In  the  first  case,  the  matrix  M  is  uniformly  random  with  columns  in  the  kernel 
of $key$. In the second case, $M$ is a uniformly random matrix of rank $\kappa - 1$ (independent of $key$). By a “single piece” of $M$ we mean any (adversarially chosen) collection of $\ell$ linear combinations of vectors from $M$, where here we take $\ell = 0.1\kappa$. This result, stated in Lemma 5.8, is a warm-up for
the  results  in  later  sections. 

Lemma 5.8 (Matrices are Resilient to Piecemeal Leakage with One Piece). Take $\kappa, m \in \mathbb{N}$ where $m > \kappa$. Fix $\ell = 0.1\kappa$ and $\lambda = 0.05\kappa$. Let $Lin \in \{0,1\}^{m \times \ell}$ be any collection of coefficients for $\ell$ linear combinations, and $\mathcal{A}$ be any piecemeal leakage adversary. Take $\mathit{Real}$ and $\mathit{Simulated}$ to be the following two distributions:

Real
Simulated

then $\Delta(\mathit{Real}, \mathit{Simulated}) \le 2m \cdot 2^{-0.2\kappa}$.

Remark  5.9.  We  note  that,  without  any  leakage  access  to  key  (i.e.  given  only  leakage  from  the 
chosen  piece  of  M),  a  qualitatively  similar  result  to  Lemma  5.8  can  be  derived  from  a  Lemma 
of  Brakerski  et  al.  [BKKV10]  on  the  leakage  resilience  of  random  linear  subspaces.  Their  work 
focused  on  the  more  challenging  setting  where  the  leakage  operates  on  vectors  that  are  drawn  from 
a low-dimensional subspace (e.g. constant dimension).

Proof of Lemma 5.8. The proof is by a hybrid argument over the matrix columns. For $i \in \{0, \ldots, m\}$, let $\mathcal{H}_i$ be the $i$-th hybrid, where the view is as above but using a matrix $M$ drawn s.t. the first $i$ columns of $M$ are uniformly random in the kernel of $key$, and the last $m - i$ columns are uniformly random s.t. $rank(M) = \kappa - 1$. We show that for all $i$, $\Delta(\mathcal{H}_i, \mathcal{H}_{i+1}) \le 2 \cdot 2^{-0.2\kappa}$. The lemma follows because $\mathcal{H}_0 = \mathit{Simulated}$ and $\mathcal{H}_m = \mathit{Real}$.

We show that the hybrids are close by giving a reduction from the task of predicting the inner product of two vectors under multi-source leakage, to the task of distinguishing $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$. Since the inner product cannot be predicted under multi-source leakage (by Lemma 3.7), we conclude that the hybrids are statistically close.

To set up the reduction, first fix $i$. Draw a uniformly random matrix $M \in \{0,1\}^{\kappa \times m}$ of rank $\kappa - 1$. Let $v$ be the $(i+1)$-th column of $M$. Let $M_{-(i+1)}$ be the matrix $M$ with the $(i+1)$-th column set to $0$. Now draw $key \in \{0,1\}^\kappa$ s.t. $key$ is orthogonal to the first $i$ columns in $M_{-(i+1)}$.

We show a reduction from predicting the inner product $\langle key, v \rangle$ given multi-source leakage and $(M_{-(i+1)} \times Lin)$, to distinguishing $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$. This is done by running $\mathcal{A}(key, M)$ on $key$ and on the matrix $M$ drawn above. The reduction computes $\mathcal{A}$'s (multi-source) leakage on $key$ using multi-source leakage from $key$. $\mathcal{A}$'s (multi-source) leakage from $M \times Lin$ is computed using leakage from $v$ (since $Lin$ and $M_{-(i+1)} \times Lin$ are “public”). Note now that the joint distribution of $(key, M)$ is exactly as in $\mathcal{H}_i$. If, however, we condition on the inner product of $key$ and $v$ being $0$, we get that the joint distribution of $(key, M)$ is exactly as in $\mathcal{H}_{i+1}$. Thus, if $\mathcal{A}$ has advantage $\delta$ in distinguishing $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$, then the reduction has advantage $\delta$ in distinguishing the case that the inner product of $key$ and $v$ is $0$ from the case that there is no restriction on the inner product.
Now observe that, given $(M_{-(i+1)} \times Lin)$, the vector $key$ is a random variable with min-entropy at least $\kappa - \ell \ge 0.9\kappa$. This is because $key$ is uniformly random under the restriction that it is in the kernel of the first $i$ columns of $M$. The matrix piece $(M_{-(i+1)} \times Lin)$ contains only $\ell = 0.1\kappa$ vectors, and so it cannot give more than $\ell$ bits of information on $key$. Note also that, given $(M_{-(i+1)} \times Lin)$, the $(i+1)$-th column $v$ is independent of $key$, and also $v$ has min-entropy at least $(\kappa - 1)$ (in fact $v$ has high min-entropy even given all of $M_{-(i+1)}$).

The reduction uses $\lambda = 0.05\kappa$ bits of multi-source leakage, and so by Lemma 3.8 with all but $2^{-0.2\kappa}$ probability, even given the leakage, $key$ and $v$ are still independent random sources, both with min-entropy at least $0.7\kappa$. When this is the case, by Lemma 3.7 we know that, even given $key$, the inner product of $key$ and $v$ is $2^{-0.2\kappa}$-close to uniform. We conclude that $\delta \le 2 \cdot 2^{-0.2\kappa}$. The lemma follows. ∎


5.3.2  Piecemeal  Leakage  Resilience:  Many  Pieces 

In  this  section,  we  show  our  main  technical  result  regarding  piecemeal  matrix  leakage.  We  show 
that  random  matrices  are  resilient  to  piecemeal  leakage  on  multiple  pieces  of  the  matrix  (operating 
separately  on  each  piece).  In  particular,  the  leakage  is  statistically  close  in  the  case  where  the 
matrix  is  one  whose  columns  are  all  orthogonal  to  key  and  in  the  case  where  the  matrix  is  uniformly 
random.  Moreover,  this  remains  true  even  if  key  is  later  exposed  in  its  entirety. 

Lemma 5.10 (Matrices are Resilient to Piecemeal Leakage with Many Pieces). Take $a, \kappa, m \in \mathbb{N}$, where $m > \kappa$. Fix $\ell = 0.1\kappa$, and $\lambda = 0.05\kappa/a$. Let $Lin = (Lin_1, \ldots, Lin_a)$ be any sequence of collections of coefficients for linear combinations, where for each $i$, $Lin_i \in \{0,1\}^{m \times \ell}$ has full rank $\ell$. Let $\mathcal{A}$ be any piecemeal leakage adversary. Take $\mathit{Real}$ and $\mathit{Simulated}$ to be the following two distributions:

$$\mathit{Real} \triangleq \{(key,\ \mathcal{A}_{\kappa,\lambda,\ell,m,Lin}(key, M))\}_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m}:\ \forall i,\ M[i] \in kernel(key)}$$

$$\mathit{Simulated} \triangleq \{(key,\ \mathcal{A}_{\kappa,\lambda,\ell,m,Lin}(key, M))\}_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m}:\ rank(M) = \kappa - 1}$$

then $\Delta(\mathit{Real}, \mathit{Simulated}) \le 5a^2 \cdot 2^{-0.04\kappa/a}$.

Proof. For $i \in \{0, \ldots, a\}$, we denote by $P_i = M \times Lin_i$ the matrix “piece” being leaked on/attacked in the $i$-th part of the attack. We use $w_i$ to denote the leakage accumulated by $\mathcal{A}$ up to and including the $i$-th attack. We will consider $\mathcal{D}_i$, the conditional distribution on $(key, M)$, drawn as in $\mathit{Real}$, given the leakage $w_i$. Namely, in $\mathcal{D}_0$ we have $key$ drawn uniformly at random and $M$ is random with columns in $kernel(key)$. Note that the random variables $key$ and $M$, when drawn by $\mathcal{D}_i$, are not independent. In particular, $key$ and the columns of $M$ are orthogonal. Let $\mathcal{K}_i$ and $\mathcal{M}_i$ be the marginal distributions of $\mathcal{D}_i$ on $key$ and on $M$.


Hybrids. We will prove Lemma 5.10 using a hybrid argument. For $i \in \{0, \ldots, a\}$, we define a hybrid distribution $\mathcal{H}_i$. Each hybrid's output domain will be $key \in \{0,1\}^\kappa$ and leakage values computed by $\mathcal{A}(key, M)$.

For each $i$, we define $\mathcal{H}_i$ by drawing $(key, M) \sim \mathcal{D}_0$, and simulating the piecemeal leakage attack $\mathcal{A}(key, M)$. We always use $key$ for computing the key leakage in the attack. For leakage on the $j$-th matrix piece, however, we use $P_j$'s drawn differently for each $\mathcal{H}_i$:

• For $j \in \{1, \ldots, i\}$, we define $P_j = (M \times Lin_j)$.

• For $j \in \{i+1, \ldots, a\}$, re-draw $M_j \sim \mathcal{M}_{j-1}$. I.e., we re-draw the matrix from the current marginal distribution of $\mathcal{D}_{j-1}$ on $M$, independently of $key$. Define $P_j = (M_j \times Lin_j)$.

Clearly, $\mathcal{H}_a = \mathit{Real}$, because in $\mathcal{H}_a$ we never compute leakage on a re-drawn matrix $M_j$. We will show that $\mathcal{H}_0 = \mathit{Simulated}$, see Claim 5.11. Note that this is non-trivial because in $\mathcal{H}_0$ the matrix $M$ is continually re-drawn from $\mathcal{M}_j$ (independently of $key$), whereas in $\mathit{Simulated}$ the matrix $M$ is never redrawn. Nonetheless, Claim 5.11 below shows that, because the leakage operates separately on $key$ and on $M$, these two distributions are identical.

Claim 5.11. $\mathcal{H}_0 = \mathit{Simulated}$

Proof of Claim 5.11. Fix leakage $w_j$ for the first $j$ attacks on pieces of $M$. In the distribution $\mathcal{H}_0$, for the $(j+1)$-th matrix piece, we use $P_{j+1} = M_{j+1} \times Lin_{j+1}$, where $M_{j+1}$ is re-drawn from the marginal distribution $\mathcal{M}_j$.

In the distribution $\mathit{Simulated}$, on the other hand, we use $P_{j+1} = M \times Lin_{j+1}$, where $M$ is drawn from $\mathcal{M}'_j$, the distribution of uniformly random $M$'s of rank $\kappa - 1$ (independent of $key$), given that the multi-source leakage so far was $w_j$.

Other than this difference, the distributions are identical. Thus, it suffices to show that, for every $j$ and every fixed leakage $w_j$ in the first $j$ attacks, we have that $\mathcal{M}_j = \mathcal{M}'_j$.

The leakage in the first $j$ attacks operates separately on $key$ and on $M$. Thus, we know that conditioning the joint distribution $\mathcal{D}_0$ on $w_j$ is equivalent to conditioning $\mathcal{D}_0$ on $(key, M)$ falling in a product set. Let $S_{key} \subseteq \{0,1\}^\kappa$ and $S_M \subseteq \{0,1\}^{\kappa \times 2\kappa}$ be the sets s.t. for all $(key, M) \in S_{key} \times S_M$, the leakage on the first $j$ pieces in a piecemeal attack on $(key, M)$ equals $w_j$. Now we know that $\mathcal{M}_j$ is exactly equal to $\mathcal{M}_0$, conditioned on $M$ falling in the set $S_M$.

Similarly, in $\mathit{Simulated}$ the distribution $\mathcal{M}'_j$ is the uniform distribution on rank $\kappa - 1$ matrices, conditioned on the leakage $w_j$, i.e. on $M$ falling in the set $S_M$. Since $\mathcal{M}_0$ is uniform on rank $\kappa - 1$ matrices, for any $w_j$ we get that $\mathcal{M}_j = \mathcal{M}'_j$. The claim follows. ∎

To complete the proof of Lemma 5.10, we will show that $\Delta(\mathcal{H}_i, \mathcal{H}_{i+1}) \le 4m \cdot 2^{-0.04\kappa/a}$. The lemma follows by a hybrid argument. For this, consider the joint distribution of $key$, and of the leakage $w_{i+1}$ computed on the first $(i+1)$ pieces. We will show that the joint distribution is statistically close in both hybrids. This suffices to show that the hybrids themselves are statistically close, because, for both hybrids, the leakage on pieces $((i+2), \ldots, a)$, and the remaining leakage on $key$, can be computed as a function of $(key, w_{i+1})$ (the same function for both hybrids).

In both hybrids, leakage on the first $i$ pieces is computed in exactly the same way. The difference is in leakage on the $(i+1)$-th piece. Fixing the leakage $w_i$ on the first $i$ pieces, in $\mathcal{H}_{i+1}$ we have $P_{i+1}$ computed using dependent $(key, M) \sim \mathcal{D}_i$. In $\mathcal{H}_i$ we use independent $key \sim \mathcal{K}_i$, $M \sim \mathcal{M}_i$. These two different distributions yield different leakage $w$ on the $(i+1)$-th piece.

Piecemeal Leakage from IuO Distributions. $key$ and $M$ drawn (jointly) by $\mathcal{D}_i$ are not independent. In general, for a dependent distribution $\mathcal{D}_i$ on $key$ and $M$ with marginal distributions $\mathcal{K}_i$ and $\mathcal{M}_i$, leakage on $(key, M) \sim \mathcal{D}_i$ could look very different from leakage on $(key \sim \mathcal{K}_i, M \sim \mathcal{M}_i)$. We will show, however, that piecemeal leakage resilience does hold in a special case where the joint distribution $\mathcal{D}_i$ is independent up to orthogonality (IuO, see Definition 3.10). We will also show it holds when $\mathcal{D}_i$ is statistically close to IuO, as defined below.
Definition 5.12 (Key-Matrix $\alpha$-Independence up to Orthogonality). Let $\mathcal{D}$ be a distribution on pairs $(key, M)$, where $key \in \{0,1\}^\kappa$, $M \in \{0,1\}^{\kappa \times 2\kappa}$ and $M$ is always of rank $\kappa - 1$. We say that $\mathcal{D}$ is $\alpha$-independent up to orthogonality, if there exists a distribution $\mathcal{D}'$ that is independent up to orthogonality and $\Delta(\mathcal{D}, \mathcal{D}') \le \alpha$.

We will show that piecemeal leakage on an IuO distribution is statistically close to piecemeal leakage when $key$ and $M$ are sampled from the independently drawn variant, see Claim 5.13 below. We also show that $\mathcal{D}_i$ is (w.h.p. over $w_i$) an IuO distribution, see Claim 5.14. Statistical closeness of the hybrids $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$ follows.

Claim 5.13. Take $a, \kappa, m, \ell, \lambda$ as in Lemma 5.10. Let $\mathcal{D}$ be any distribution over pairs $(key, M)$, where $key \in \{0,1\}^\kappa$, $M \in \{0,1\}^{\kappa \times m}$ and $M$ has rank $\kappa - 1$. Suppose that $\mathcal{D}$ is IuO, with underlying distributions $\mathcal{K}$ and $\mathcal{M}$. Suppose further that $\mathcal{D}$ has min-entropy at least $(\kappa + (\kappa - 1) \cdot 2\kappa - 0.15\kappa)$.

Let $Lin \in \{0,1\}^{m \times \ell}$ be a collection of coefficients for linear combinations, specified by a matrix of rank $\ell$. Let $\mathcal{A}$ be any piecemeal leakage adversary. Take $D$ and $F$ to be the following distributions:

$$D \triangleq \{(key, w)\}_{(key, M) \sim \mathcal{D},\ w \leftarrow \mathcal{A}(key, M)}$$

$$F \triangleq \{(key, w')\}_{key \sim \mathcal{K},\ M \sim \mathcal{M},\ w' \leftarrow \mathcal{A}(key, M)}$$

Take $\delta = (4\ell \cdot 2^{-0.05\kappa})$. Then $\Delta(D, F) \le 2\delta$. Moreover, with all but $\delta$ probability over $w \sim D$, we have that $\Delta((D \mid \mathcal{A}(key, M) = w), (F \mid \mathcal{A}(key, M) = w)) \le \delta$.

The  proof  of  Claim  5.13  is  below. 

Claim 5.14. Take $\alpha, \kappa, \ell, \lambda, \mathcal{V}, \mathrm{Lin}, A$ as in Claim 5.13. Suppose here that $\mathcal{V}$: (i) has min-entropy at least $(\kappa + (\kappa - 1) \cdot 2\kappa - 0.15\kappa)$ (as in Claim 5.13), and (ii) is $\sigma$-close to independence up to orthogonality (see Definition 5.12). Define the distribution:

$$\mathcal{V}^{(w)} = (key, M)_{(key, M) \sim \mathcal{V},\ A(key, M) = w}$$

and take $\delta = (42 \cdot 2^{-0.05\kappa})$. For any $0 < \beta < 1$, with all but $(\beta + \delta)$ probability over $w \leftarrow A(key, M)_{(key, M) \sim \mathcal{V}}$, it is the case that $\mathcal{V}^{(w)}$ is $((\sigma/\beta) + \delta)$-close to independence up to orthogonality.

The proof of Claim 5.14 is below. We now complete the proof of Lemma 5.10:

1. With all but $2^{-0.05\kappa}$ probability over $w_i$, for all $j \le i$ simultaneously, the min-entropy of $\mathcal{V}_j$ is at least $\kappa + (\kappa - 1) \cdot 2\kappa - 0.15\kappa$. This is by Lemma 3.8, because the min-entropy of $\mathcal{V}_0$ is $\kappa + (\kappa - 1) \cdot 2\kappa$, and the amount of leakage in the first $i \le \alpha$ attacks (leakage from both $key$ and $M$) is less than $0.1\kappa$.

2. Take $\delta = (42 \cdot 2^{-0.05\kappa})$ and $\beta = 2^{-0.04\kappa/\alpha}$. We show the following by induction for $j \le i$: with all but $(2^{-0.05\kappa} + j \cdot (\delta + \beta))$ probability over $w_i$, we have that $\mathcal{V}_j$ is $(2\delta/\beta^j)$-close to independence up to orthogonality (and also the min-entropy bound of Item 1 holds). The induction basis follows because $\mathcal{V}_0$ is perfectly independent up to orthogonality. The induction step follows from Claim 5.14 (and the min-entropy bound in Item 1).

Finally, we use Claim 5.13 to conclude that with all but $(2^{-0.05\kappa} + i \cdot (\delta + \beta))$ probability over $w_i$, the hybrids $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$ are $(2\delta/\beta^i + 2\delta)$-statistically close. In particular, this implies that

$$\Delta(\mathcal{H}_i, \mathcal{H}_{i+1}) \le \left(2^{-0.05\kappa} + i \cdot (\delta + \beta)\right) + (2\delta/\beta^i) + 2\delta \le 5\alpha \cdot 2^{-0.01\kappa/\alpha}$$

where the second inequality assumes $2\delta/\beta^i$ is the largest term in the sum (and using $i \le \alpha$). $\blacksquare$
Proof of Claim 5.13. The proof is by a hybrid argument. We denote $P = M \times \mathrm{Lin}$. For $i \in [\ell + 1]$ take the $i$-th hybrid $\mathcal{H}_i$ to be:

$$\mathcal{H}_i = (key, w)_{M \sim \mathcal{M},\ P \leftarrow M \times \mathrm{Lin},\ key \sim (\mathcal{K} \mid P[1], \ldots, P[i]),\ w \leftarrow A(key, P)}$$

i.e. the key is drawn from a conditional distribution on $\mathcal{K}$, conditioning on the first $i$ columns of $P$. We get that $\mathcal{H}_0 = \mathcal{F}$, because $key$ is drawn without conditioning on any columns (i.e. independently of $M$). Also $\mathcal{H}_\ell = \mathcal{D}$, because $key$ is re-drawn conditioned on all of $P$, which is the same as just drawing $(key, M) \sim \mathcal{V}$ and taking $P = M \times \mathrm{Lin}$.

For each pair of hybrids, we bound $\Delta(\mathcal{H}_i, \mathcal{H}_{i+1})$. To do so, consider the following experiment: draw $(P[1], \ldots, P[i]) \sim \mathcal{M}$ (as in both $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$). Fixing these draws, in $\mathcal{H}_i$ the distribution of $P[i+1]$ is a random sample from $\mathcal{P}_i = (P[i+1]_{M \sim \mathcal{M} \mid P[1], \ldots, P[i]})$. Similarly, in $\mathcal{H}_i$ we have that $key$ is a random sample from $\mathcal{K}_i = (\mathcal{K} \mid P[1], \ldots, P[i])$. In particular, note that $key$ is independent of $P[i+1]$.

We now examine $\mathcal{H}_i^+$, obtained from $\mathcal{H}_i$ by including also the inner product of $key$ and $P[i+1]$. We can also consider $\mathcal{H}_i^-$, obtained from $\mathcal{H}_i$ by adding a uniformly random bit:

$$\mathcal{H}_i^+ = \left(key, \langle key, P[i+1] \rangle, w\right)_{key \sim \mathcal{K}_i,\ P[i+1] \sim \mathcal{P}_i,\ (P[i+2], \ldots, P[\ell]) \sim (\mathcal{M} \mid P[1], \ldots, P[i+1]),\ w \leftarrow A(key, P)}$$

$$\mathcal{H}_i^- = \left(key, r, w\right)_{key \sim \mathcal{K}_i,\ P[i+1] \sim \mathcal{P}_i,\ (P[i+2], \ldots, P[\ell]) \sim (\mathcal{M} \mid P[1], \ldots, P[i+1]),\ w \leftarrow A(key, P),\ r \in_R \{0,1\}}$$

We will show that $\Delta(\mathcal{H}_i, \mathcal{H}_{i+1}) \le 2\Delta(\mathcal{H}_i^+, \mathcal{H}_i^-)$. To show this, consider now $\mathcal{H}_{i+1}$. Again, $P[i+1]$ is an independent sample from $\mathcal{P}_i$ (as in $\mathcal{H}_i^+$). Here, however, we have that $key$ depends on $P[i+1]$ and is a sample from $\mathcal{K}_{i+1} = (\mathcal{K} \mid P[1], \ldots, P[i], P[i+1])$. Since $\mathcal{V}$ is independent up to orthogonality, we have:

$$\mathcal{K}_{i+1} = \left(key \mid P[1], \ldots, P[i], P[i+1]\right)_{(key, M) \sim \mathcal{V},\ P \leftarrow M \times \mathrm{Lin}}$$

$$= \left(key \mid P[1], \ldots, P[i], \langle key, P[i+1] \rangle = 0\right)_{(key, M) \sim \mathcal{V},\ P \leftarrow M \times \mathrm{Lin}}$$

Given $(key, P[1], \ldots, P[i+1])$, the marginal distributions of $(P[i+2], \ldots, P[\ell])$ and of $w$ in $\mathcal{H}_{i+1}$ are identical to $\mathcal{H}_i$. Thus, the only difference between $\mathcal{H}_i$ and $\mathcal{H}_{i+1}$ is that in $\mathcal{H}_{i+1}$ we add an extra condition on $key$ to be in the kernel of $P[i+1]$.

Re-examining $\mathcal{H}_i^+$, by definition $\mathcal{H}_i$ is the marginal distribution of $\mathcal{H}_i^+$ on $(key, w)$. We now conclude also that $\mathcal{H}_{i+1}$ is the marginal distribution on $(key, w)$ in $\mathcal{H}_i^+$ conditioned on $\langle key, P[i+1] \rangle = 0$. Thus $\Delta(\mathcal{H}_i, \mathcal{H}_{i+1}) \le 2\Delta(\mathcal{H}_i^+, \mathcal{H}_i^-)$.

It remains to bound $\Delta(\mathcal{H}_i^+, \mathcal{H}_i^-)$. We know that in both these distributions, given $(P[1], \ldots, P[i])$ (without $w$), we have that $key$ and $P[i+1]$ are drawn independently and the joint distribution of $(key, P[i+1])$ has entropy at least $(1.85\kappa - i) \ge 1.75\kappa$. This is simply by the min-entropy of $\mathcal{V}$. By Lemma 3.8, with all but $2^{-0.05\kappa}$ probability over the choice of $w$, the min-entropy of $(key, P[i+1])$ given also $w$ (of length at most $0.1\kappa$) is at least $1.6\kappa$.

We conclude, by Lemma 3.7, that with all but $2^{-0.05\kappa}$ probability over $w \sim \mathcal{H}_i$, it is the case that with all but $2^{-0.05\kappa}$ probability over $key$ conditioned on $w$, the inner product of $key$ and $P[i+1]$ (given $(key, w)$) is $2^{-0.05\kappa}$-close to uniform. In particular, when this is the case, with all but $2 \cdot 2^{-0.05\kappa}$ probability over $(key, w) \sim \mathcal{H}_i$, we have that the probabilities of $(key, w)$ by $\mathcal{H}_i$ and by $\mathcal{H}_{i+1}$ differ by at most an $\exp(1.5 \cdot 2^{-0.05\kappa})$ multiplicative factor. The claim follows. $\blacksquare$
Proof of Claim 5.14. $\mathcal{V}$ is $\sigma$-close to IuO. Let $\mathcal{V}'$ be an IuO distribution s.t. $\Delta(\mathcal{V}, \mathcal{V}') \le \sigma$. Let $\mathcal{K}'$ and $\mathcal{M}'$ be the marginal distributions of $\mathcal{V}'$ on $key$ and $M$ (respectively). Now take:

$$Z' = (key, M, w)_{(key, M) \sim \mathcal{V}',\ w \leftarrow A(key, M)}$$

$$Z'' = (key, M, w)_{key \sim \mathcal{K}',\ M' \sim \mathcal{M}',\ w \leftarrow A(key, M'),\ M \sim (\mathcal{M}' \mid key,\ A(key, M) = w)}$$

Let $Z'(w)$ and $Z''(w)$ be the marginal distributions of $Z'$ and $Z''$ (respectively) on $(key, M)$, conditioned on $A(key, M) = w$. Note that $Z'(w)$ is also the conditional distribution of $\mathcal{V}'$ (conditioned on $w$). By Claim 5.13, we know that with all but $\delta$ probability over $w \sim Z'$ we have that $\Delta(Z'(w), Z''(w)) \le \delta$. Claim 5.13 shows this is true for the marginal distributions on $(key, w)$, but in $Z'$ and $Z''$, the matrix $M$ is just a probabilistic function of $(key, w)$, and so the bound on the statistical distance holds also when $M$ is added to the output.

We claim that (for any $w$), the distribution $Z''(w)$ is (perfectly) independent up to orthogonality. This is because in $Z''$, the leakage $w$ is computed as multi-source leakage on independently drawn $key$ and $M'$. Thus, conditioning $Z''$ on $w$ is conditioning $Z''$ on $(key, M')$ falling in a product set $S_{key} \times S_M$. We know that $Z''$ is (perfectly) independent up to orthogonality, and so conditioning $Z''$ on a product set $S_{key} \times S_M$ will also yield a distribution that is independent up to orthogonality.

We conclude that, with all but $\delta$ probability over $w \sim Z'$, we have that $\Delta(Z'(w), Z''(w)) \le \delta$ and $Z''(w)$ is independent up to orthogonality. Let $W_{bad}$ be the set of "bad" $w$'s for which $\Delta(Z'(w), Z''(w)) > \delta$. Since $\Delta(\mathcal{V}, \mathcal{V}') \le \sigma$, we know that:

$$\Pr_{w \sim \mathcal{V}}[w \in W_{bad}] \le \sigma + \delta$$

$$\Pr_{w \sim \mathcal{V}}\left[\Delta(\mathcal{V}^{(w)}, \mathcal{V}'^{(w)}) \ge \sigma/\beta\right] \le \beta$$

where the second inequality follows by Markov's inequality. We conclude (by a union bound, and since $\mathcal{V}'^{(w)} = Z'(w)$) that with all but $(\sigma + \beta + \delta)$ probability over $w \sim \mathcal{V}$, we have that $\mathcal{V}^{(w)}$ is $((\sigma/\beta) + \delta)$-close to $Z''(w)$ and to independence up to orthogonality. $\blacksquare$


5.3.3  Piecemeal  Leakage  Resilience:  Jointly  with  a  Vector 


In  this  section,  we  show  further  security  properties  of  random  matrices  under  piecemeal  leakage. 
We  focus  on  piecemeal  leakage  that  operates  jointly  on  (each  piece  of)  a  matrix  and  a  vector  (and 
separately  on  key).  The  matrix  will  always  have  columns  that  are  (random)  in  the  kernel  of  key. 
We  show  that  the  leakage  is  statistically  close  in  the  cases  where  the  vector  is  and  is  not  in  the 
kernel.  Moreover,  this  statistical  closeness  is  strong  and  holds  even  if  the  matrix  is  later  released  in 
its  entirety.  The  proof  is  based  on  Lemma  5.10  (piecemeal  leakage  resilience  of  random  matrices) 
and on a "pairwise independence" property under piecemeal leakage, stated separately in Claim 5.16 below.


Lemma 5.15 (Strong Resilience to Matrix-Vector Piecemeal Leakage). Take $\alpha, \kappa, m \in \mathbb{N}$, where $m \ge \kappa$. Fix $\ell = 0.1\kappa$, and $\lambda = 0.01\kappa/\alpha^2$. Let $\mathrm{Lin} = (\mathrm{Lin}_1, \ldots, \mathrm{Lin}_\alpha)$ be any sequence of collections of coefficients for linear combinations, where for each $i$, $\mathrm{Lin}_i \in \{0,1\}^{m \times \ell}$ has full rank $\ell$. Let $A$ be any piecemeal leakage adversary. Take $Real$ and $Simulated$ to be the following two distributions:

$$Real = \left(key, M, A^{\lambda, \mathrm{Lin}}(key, (M, v))\right)_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m} : \forall i,\ M[i] \in \mathrm{kernel}(key),\ v \in_R \mathrm{kernel}(key)}$$

$$Simulated = \left(key, M, A^{\lambda, \mathrm{Lin}}(key, (M, v))\right)_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m} : \forall i,\ M[i] \in \mathrm{kernel}(key),\ v \in_R \{0,1\}^\kappa \setminus \mathrm{kernel}(key)}$$

then $\Delta(Real, Simulated) \le 3\alpha \cdot 2^{-0.01\kappa/\alpha}$.
Proof. We define the "midpoint" distribution:

$$\mathcal{D} = \tfrac{1}{2} \cdot Real + \tfrac{1}{2} \cdot Simulated = \left(key, M, w = A(key, (M, v))\right)_{key, M \text{ as in } Real,\ v \in_R \{0,1\}^\kappa}$$

For fixed $(key, M, w)$, we consider their bias:

$$bias(key, M, w) = \frac{Real[key, M, w] - Simulated[key, M, w]}{\mathcal{D}[key, M, w]}$$

And note that (by definition):

$$\Delta(Real, Simulated) = \mathbb{E}_{(key, M, w) \sim \mathcal{D}}\left[|bias(key, M, w)|\right] / 2 \qquad (1)$$

Thus we focus on bounding $\mathbb{E}_{(key, M, w) \sim \mathcal{D}}[|bias(key, M, w)|]$. We will use a "pairwise independence" property of matrices under piecemeal leakage.

Claim 5.16 (Pairwise Independence under Piecemeal Leakage). Take $\alpha, \kappa, m, \ell, \lambda, \mathrm{Lin}, A$ as in Lemma 5.15. Let $F$ and $F'$ be the following distributions. In both $F$ and $F'$, take $key \in_R \{0,1\}^\kappa$ and a matrix $M \in_R \{0,1\}^{\kappa \times m}$ s.t. all of $M$'s columns are in the kernel of $key$. Choose $v_1, v_2 \in_R \{0,1\}^\kappa$ s.t. $A(key, (M, v_1)) = A(key, (M, v_2))$.

$$F = \left(v_1, v_2, b_1, b_2, A(key, (M, v_1))\right)_{key, M, v_1, v_2,\ b_1 = \langle key, v_1 \rangle,\ b_2 = \langle key, v_2 \rangle}$$

$$F' = \left(v_1, v_2, b_1, b_2, A(key, (M, v_1))\right)_{key, M, v_1, v_2,\ b_1, b_2 \in_R \{0,1\}}$$

then $\Delta(F, F') \le \delta = 5\alpha^2 \cdot 2^{-0.03\kappa/\alpha}$.

The  proof  of  Claim  5.16  is  below. 

We will show that if $\mathbb{E}_{(key, M, w) \sim \mathcal{D}}[|bias(key, M, w)|]$ is too high, then we can predict the inner products of $v_1, v_2$ as above with $key$ and distinguish $F$ and $F'$ (a contradiction to Claim 5.16). We do this by considering a distinguisher $DIS$ that gets $(v_1, v_2, b_1, b_2, w)$ (where $(v_1, v_2, w)$ are distributed as in both $F$ and $F'$), and attempts to distinguish whether $b_1, b_2 \in \{0,1\}$ are uniformly random (distribution $F'$), or are the inner products of $v_1, v_2$ with $key$ (distribution $F$). The distinguisher $DIS$ outputs 1 if $b_1 = b_2$ and outputs 0 otherwise. By Claim 5.16, the advantage of (any distinguisher, and in particular also of) $DIS$ is bounded by $\delta = 5\alpha^2 \cdot 2^{-0.03\kappa/\alpha}$.

For distribution $F'$, the bits $b_1, b_2$ are independent uniform bits, and so the probability that $DIS$ outputs 1 is exactly $1/2$. In distribution $F$, however, if $\mathbb{E}_{(key, M, w) \sim \mathcal{D}}[|bias(key, M, w)|]$ is high then $DIS$ will output 1 with significantly higher probability (this gives a bound on the expected magnitude of the bias).

To see this, fix $(key, M)$. For a possible leakage value $w \in \{0,1\}^{\alpha\lambda}$, denote by $p_{key, M, w}$ the probability of leakage $w$ given $key$ and $M$ (for $(key, M, v) \sim \mathcal{D}$). Conditioning $\mathcal{D}$ on $(key, M)$, the probability of identical leakage from uniformly random $v_1$ and $v_2$ is the "collision probability" $cp(key, M) = \sum_{w \in \{0,1\}^{\alpha\lambda}} p^2_{key, M, w}$. Conditioning $\mathcal{D}$ on $(key, M)$ and identical leakage from $v_1$ and $v_2$, the probability that the leakage is some specific value $w$ is exactly $p^2_{key, M, w} / cp(key, M)$. Conditioning $\mathcal{D}$ on $(key, M)$ and identical leakage $w$ from $v_1, v_2$, the probability that the inner products of $v_1$ and $v_2$ with $key$ are equal and $DIS$ outputs 1 is exactly $1/2 + 2|bias(key, M, w)|^2$ (notice that the advantage over $1/2$ is always "in the same direction"). Since (by Claim 5.16) the advantage of $DIS$ is at most $\delta$, we get that:

$$\delta \ge \mathbb{E}_{key, M}\left[DIS\text{'s advantage in outputting 1 given } (key, M)\right] = \mathbb{E}_{key, M} \sum_{w \in \{0,1\}^{\alpha\lambda}} \left(p^2_{key, M, w} / cp(key, M)\right) \cdot 2|bias(key, M, w)|^2$$

Now because $cp(key, M) \ge 2^{-\alpha\lambda}$, we get that:

$$\mathbb{E}_{key, M} \sum_{w \in \{0,1\}^{\alpha\lambda}} p^2_{key, M, w} \cdot 2|bias(key, M, w)|^2 \le 2^{\alpha\lambda} \cdot \delta \qquad (2)$$

We also have that:

$$2\Delta(Real, Simulated) = \mathbb{E}_{(key, M, w) \sim \mathcal{D}}\left[|bias(key, M, w)|\right] = \mathbb{E}_{key, M} \sum_{w \in \{0,1\}^{\alpha\lambda}} p_{key, M, w} \cdot |bias(key, M, w)|$$

$$\le$$

where the last inequality is by Cauchy-Schwarz. Putting this together with Equation (2), we get:

$$\Delta(Real, Simulated) \le 2^{\alpha\lambda} \cdot \sqrt{\delta} \le 3\alpha \cdot 2^{-0.01\kappa/\alpha}$$

which completes the proof. $\blacksquare$
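To make Equation (1) and the collision-probability bookkeeping of this proof concrete, here is an added Python check, written for this edit rather than taken from the report: for a small constructed key it enumerates every $v \in \{0,1\}^\kappa$, builds the exact $Real$, $Simulated$ and midpoint distributions of a toy 2-bit leakage, and verifies $\Delta(Real, Simulated) = \mathbb{E}_{w \sim \mathcal{D}}[|bias|]/2$ together with the quantities $cp(key, M)$ and $\Pr[DIS \text{ outputs } 1]$ used above. `KEY`, `N_COLS`, the two leakage functions and the RNG seed are constructed assumptions, and the toy leakage is an ordinary function rather than a piecemeal adversary.

```python
from fractions import Fraction
from itertools import product
import random

# Constructed toy parameters (not the report's values): kappa = 8, four columns in M.
KEY = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed sample key in {0,1}^kappa
N_COLS = 4


def inner(a, b):
    """Inner product over GF(2)."""
    return sum(x & y for x, y in zip(a, b)) & 1


def sample_kernel_vector(key, rng):
    """Uniform vector in kernel(key), by rejection sampling."""
    while True:
        v = [rng.randrange(2) for _ in key]
        if inner(key, v) == 0:
            return v


def sample_kernel_matrix(key, n_cols, rng):
    """M as a list of columns, each uniform in kernel(key) (the matrices of Lemma 5.15)."""
    return [sample_kernel_vector(key, rng) for _ in range(n_cols)]


def leak_popcount_mod4(key, M, v):
    """Toy 2-bit leakage that depends only on v; chosen so the result is hand-checkable."""
    return sum(v) % 4


def leak_with_matrix(key, M, v):
    """Toy 2-bit leakage that also touches a piece of M (its first column)."""
    return (sum(v) % 2, inner(M[0], v))


def leakage_distributions(key, M, leak):
    """Exact distributions of the leakage value w over every v in {0,1}^kappa.
    Real conditions on <key,v> = 0, Simulated on <key,v> = 1, and the midpoint D
    is their average (i.e. v uniform).  Probabilities are exact Fractions."""
    counts = {0: {}, 1: {}}
    for v in product((0, 1), repeat=len(key)):
        w = leak(key, M, list(v))
        side = counts[inner(key, v)]
        side[w] = side.get(w, 0) + 1
    half_space = 2 ** (len(key) - 1)       # each side holds 2^(kappa-1) vectors
    real = {w: Fraction(c, half_space) for w, c in counts[0].items()}
    sim = {w: Fraction(c, half_space) for w, c in counts[1].items()}
    support = set(real) | set(sim)
    mid = {w: (real.get(w, 0) + sim.get(w, 0)) / 2 for w in support}
    return real, sim, mid


def bias(real, sim, mid, w):
    """bias(key,M,w) = (Real[w] - Simulated[w]) / D[w] for the fixed (key, M)."""
    return (real.get(w, 0) - sim.get(w, 0)) / mid[w]


def statistical_distance(real, sim):
    support = set(real) | set(sim)
    return sum(abs(real.get(w, 0) - sim.get(w, 0)) for w in support) / 2


def expected_abs_bias_over_two(real, sim, mid):
    """Right-hand side of Equation (1): E_{w ~ D}[|bias|] / 2."""
    return sum(mid[w] * abs(bias(real, sim, mid, w)) for w in mid) / 2


def collision_probability(mid):
    """cp(key,M) = sum_w p_w^2, with p_w the leakage probability for uniform v."""
    return sum(p * p for p in mid.values())


def dis_outputs_one(real, sim, mid):
    """Pr[DIS outputs 1] in F: v1, v2 uniform conditioned on equal leakage w
    (probability p_w^2 / cp), then b1 = b2 with probability p0^2 + (1 - p0)^2,
    where p0 = Pr[<key,v> = 0 | w] = Real[w] / (Real[w] + Simulated[w])."""
    cp = collision_probability(mid)
    total = Fraction(0)
    for w, p in mid.items():
        p0 = real.get(w, 0) / (real.get(w, 0) + sim.get(w, 0))
        total += (p * p / cp) * (p0 * p0 + (1 - p0) ** 2)
    return total


def run_demo(leak, seed=7):
    """Draw M for KEY, then compute the Equation (1) sides and the DIS quantities exactly."""
    rng = random.Random(seed)
    M = sample_kernel_matrix(KEY, N_COLS, rng)
    real, sim, mid = leakage_distributions(KEY, M, leak)
    return {
        "kernel_ok": all(inner(KEY, col) == 0 for col in M),
        "delta": statistical_distance(real, sim),
        "eq1_rhs": expected_abs_bias_over_two(real, sim, mid),
        "cp": collision_probability(mid),
        "n_leak_values": len(mid),
        "dis_one": dis_outputs_one(real, sim, mid),
    }


if __name__ == "__main__":
    for leak in (leak_popcount_mod4, leak_with_matrix):
        r = run_demo(leak)
        print(leak.__name__, {k: str(v) for k, v in r.items()})
```

For `leak_popcount_mod4` with this key the hand computation gives $\Delta = 1/16$ (the leakage is uniform on the complement of the kernel but not on the kernel), and both sides of Equation (1) agree exactly.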

Proof of Claim 5.16. Consider the following distribution $\mathcal{E}$, where $key$ is uniformly random, $M$ is a uniformly random matrix with columns in $key$'s kernel, and $v_1, v_2$ are a uniformly random pair s.t. $A(key, (M, v_1)) = A(key, (M, v_2))$:

$$\mathcal{E} = \left(key, v_1, v_2, A(key, (M, v_1))\right)_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m} : \forall i,\ M[i] \in \mathrm{kernel}(key),\ v_1, v_2}$$

Consider also the distribution $\mathcal{H}$ that uses a uniformly random matrix $M$ of rank $\kappa - 1$:

$$\mathcal{H} = \left(key, v_1, v_2, A(key, (M, v_1))\right)_{key \in_R \{0,1\}^\kappa,\ M \in_R \{0,1\}^{\kappa \times m} : \mathrm{rank}(M) = \kappa - 1,\ v_1, v_2}$$

We will show that:

1. $\Delta(\mathcal{E}, \mathcal{H}) \le 5\alpha^2 \cdot 2^{-0.03\kappa/\alpha}$; this will follow by piecemeal leakage resilience (Lemma 5.10).

2. In $\mathcal{H}$, the advantage in distinguishing $(\langle key, v_1 \rangle, \langle key, v_2 \rangle)$ from uniformly random unbiased bits is bounded by $2^{-0.1\kappa + 3}$. I.e., in $\mathcal{H}$ the inner products of $v_1$ and $v_2$ with $key$ are (close to) pairwise independent.

The claim will follow from the two items above (we assume $2^{-0.1\kappa + 3} \le \alpha^2 \cdot 2^{-0.03\kappa/\alpha}$).
Item 1, $\mathcal{E}$ and $\mathcal{H}$ are close. Let $A$ be an adversary for which we get $\varepsilon = \Delta(\mathcal{E}, \mathcal{H})$. Given $A$, we show a piecemeal leakage attack $A'$ on $(key, M)$ à la Lemma 5.10. We show that if $A$ has advantage $\varepsilon$ in distinguishing $\mathcal{E}$ and $\mathcal{H}$, then $A'$ has advantage $\varepsilon'$ (where $\varepsilon' \ge \varepsilon \cdot 2^{-\alpha\lambda}$) in distinguishing whether $M$ is in $key$'s kernel or $M$ is independent of $key$. By Lemma 5.10, we conclude a bound on $\varepsilon'$ and (through it) on $\varepsilon$.

The piecemeal leakage attack $A'$ proceeds as follows. The adversary chooses two uniformly random vectors $v_1, v_2 \in_R \{0,1\}^\kappa$. It then computes piecemeal leakage $A(key, (M, v_1))$, and also computes whether $A(key, (M, v_1)) = A(key, (M, v_2))$ (for the randomly chosen $v_1, v_2$). This requires $(\lambda + 1)$ bits of piecemeal leakage from $key$ and (each piece of) $M$ (it takes $\lambda$ bits to determine the leakage from each piece of $v_1$ and an extra bit to tell whether the leakage on $v_2$ is identical). If the leakage from $v_1$ and $v_2$ is identical, we output

$$A'(key, M) = \left(v_1, v_2, A(key, (M, v_1))\right)$$

Otherwise, we output $A'(key, M) = \bot$. Observe now that, conditioning on $A(key, (M, v_1)) = A(key, (M, v_2))$, we have that the output of $A'$ on $M$ with columns in $key$'s kernel (together with $key$) is exactly the distribution $\mathcal{E}$. The output of $A'$ on $M$ that is independent of $key$ (conditioned on identical leakage from $v_1, v_2$, and together with $key$) is distributed exactly as $\mathcal{H}$. In both cases, when the leakage from $v_1, v_2$ is not identical, the output is simply $\bot$. We conclude that the statistical distance $\varepsilon'$ between the outputs of $A'$ in the two cases ($M$ in the kernel and independent $M$) is at least $\varepsilon$ multiplied by the probability that the leakage on $v_1$ and $v_2$ is identical (say w.l.o.g. we refer to the "leakage collision" probability for $M$ in the kernel).

For any fixed $(key, M)$, the probability that we get identical leakage on $v_1$ and $v_2$ chosen uniformly at random is at least the inverse of the total number of possible leakage values, i.e. at least $2^{-\alpha\lambda}$. This gives a lower bound on $\varepsilon'$ as a function of $\varepsilon$. By Lemma 5.10 we also have an upper bound on $\varepsilon'$. Putting these together:

$$\varepsilon \cdot 2^{-\alpha\lambda} \le \varepsilon' \le 5\alpha^2 \cdot 2^{-0.04\kappa}$$

we conclude that:

$$\Delta(\mathcal{E}, \mathcal{H}) \le 5\alpha^2 \cdot 2^{-0.04\kappa} \cdot 2^{\alpha\lambda} = 5\alpha^2 \cdot 2^{-0.03\kappa}$$

Item 2, $\mathcal{H}$ is pairwise independent. Consider the piecemeal leakage in $\mathcal{H}$ as a multi-source leakage attack on $key$ and on $(v_1, v_2)$ (chosen conditioned on $v_1$ and $v_2$ yielding the same leakage). For any fixed $M$, the amount of leakage from $key$ in the attack is bounded by $0.01\kappa/\alpha$. In particular, by Lemma 3.8 we have that, given the leakage, with all but $2^{-0.1\kappa}$ probability, $key$ is an independent sample in a source with min-entropy at least $0.85\kappa$.

We now consider $(v_1, v_2)$. We claim that (for any fixed $(key, M)$) with all but $2^{-0.1\kappa}$ probability over the choice of $v_1, v_2$ yielding the same leakage, the set of vectors yielding the same leakage as $v_1$ and $v_2$ is of size at least $2^{0.85\kappa}$. To see this, for a vector $v$, let $S(v)$ be the set of vectors that give the same leakage as $v$. Let $S_{bad}$ be the set of all vectors $v$ for which $S(v)$ is of size less than $2^{0.85\kappa}$. By Lemma 3.8 we get that:

$$\sigma = \Pr_{v \in_R \{0,1\}^\kappa}[v \in S_{bad}] \le 2^{-0.1\kappa}$$

The probability that $v_1, v_2$ drawn s.t. their leakage is identical both land in $S_{bad}$ is at most $\sigma^2$ divided by the total probability that the leakage from uniformly random $v_1, v_2$ is identical (the "collision probability"). The total leakage is of bounded length $\alpha \cdot \lambda$, so the collision probability is at least $2^{-\alpha\lambda}$. We conclude that:

$$\Pr_{v_1, v_2 \in_R \{0,1\}^\kappa : A(key, (M, v_1)) = A(key, (M, v_2))}[v_1, v_2 \in S_{bad}] \le \sigma^2 \cdot 2^{\alpha\lambda} \le 2^{-0.1\kappa}$$

We conclude that with all but $2 \cdot 2^{-0.1\kappa}$ probability, given the leakage, the random variables $key, v_1, v_2$ are independent and each of min-entropy at least $0.85\kappa$. By Lemma 3.7, we conclude that the joint distribution of the inner products of $v_1$ and $v_2$ with $key$ is at statistical distance $2^{-0.1\kappa + 3}$ from uniformly random (or pairwise independent). $\blacksquare$


5.4  Piecemeal  Matrix  Multiplication:  Security 

In  this  section  we  use  security  of  random  matrices  under  piecemeal  leakage  to  prove  several  security 
properties  for  piecemeal  matrix  multiplication.  These  will  serve  as  building  blocks  for  proving  the 
security  of  the  ciphertext  bank  as  a  whole  (see  the  lemmas  in  Section  5.1).  The  proofs  follow  from 
the  lemmas  above,  and  are  omitted. 

Lemma 5.17. Take $\kappa, m, n \in \mathbb{N}$ s.t. $m, n \ge \kappa$. Set $\ell = 0.1\kappa$ and leakage bound $\lambda = 0.01\kappa \cdot (\ell/m)^2$. Let $A$ be any piecemeal adversary and $A'$ any leakage adversary. Let $\mathcal{D}$ and $\mathcal{F}$ be the following two distributions, where in both cases we draw $key \in_R \{0,1\}^\kappa$, $x \in_R \{0,1\}^m$ and $B \in_R \{0,1\}^{m \times n}$ s.t. the columns of $B$ are all in the kernel of $x$ and have parity 1.

$$\mathcal{D} = \left(key, C, w \leftarrow A^{\lambda, \mathrm{Lin}}(key, A),\ A'^{\lambda}(w, x, B)[key, C \leftarrow \mathrm{PiecemealMM}(A, B)]\right)_{A \in_R \{0,1\}^{\kappa \times m} : \forall i,\ \langle key, A[i] \rangle = 0}$$

$$\mathcal{F} = \left(key, C, w \leftarrow A^{\lambda, \mathrm{Lin}}(key, A),\ A'^{\lambda}(w, x, B)[key, C \leftarrow \mathrm{PiecemealMM}(A, B)]\right)_{A \in_R \{0,1\}^{\kappa \times m} : \forall i,\ \langle key, A[i] \rangle = x[i]}$$

then $\Delta(\mathcal{D}, \mathcal{F}) = \exp(-\Omega(\kappa))$.

Lemma 5.18. Take $\kappa, m, n \in \mathbb{N}$ s.t. $m, n \ge \kappa$. Set $\ell = 0.1\kappa$ and leakage bound $\lambda = 0.01\kappa \cdot (\ell/m)^2$. Let $A$ be any (computationally unbounded) leakage adversary. Let $\mathcal{D}$ and $\mathcal{F}$ be the following two distributions, where in both distributions $key \in_R \{0,1\}^\kappa$, $x \in_R \{0,1\}^{2\kappa}$, $A \in_R \{0,1\}^{\kappa \times m}$ s.t. the $i$-th column of $A$ has inner product $x[i]$ with $key$:

$$\mathcal{D} = \left(key, A, w \leftarrow A^{\lambda, \mathrm{Lin}}(key, A),\ A'^{\lambda}(w)[key, c \leftarrow \mathrm{PiecemealMM}(A, r)]\right)_{r \in_R \{0,1\}^m : \bigoplus_i r[i] = 1,\ \langle x, r \rangle = 0}$$

$$\mathcal{F} = \left(key, A, w \leftarrow A^{\lambda, \mathrm{Lin}}(key, A),\ A'^{\lambda}(w)[key, c \leftarrow \mathrm{PiecemealMM}(A, r)]\right)_{r \in_R \{0,1\}^m : \bigoplus_i r[i] = 1,\ \langle x, r \rangle = 1}$$

then $\Delta(\mathcal{D}, \mathcal{F}) = \exp(-\Omega(\kappa))$.

Lemma 5.19. Take $\kappa, m, n \in \mathbb{N}$ s.t. $m, n \ge \kappa$. Set $\ell = 0.1\kappa$ and leakage bound $\lambda = 0.01\kappa \cdot (\ell/m)^2$. Let $A$ be any (computationally unbounded) leakage adversary. Let $\mathcal{D}$ and $\mathcal{F}$ be the following two distributions, where in both distributions $key \in_R \{0,1\}^\kappa$ and $A \in_R \{0,1\}^{\kappa \times m}$.$^9$

$$\mathcal{D} = \left(key, C, A^{\lambda}(key, A)[key, C \leftarrow \mathrm{PiecemealMM}(A, B)]\right)_{B \in_R \{0,1\}^{m \times n} : \forall i,\ \bigoplus B[i] = 1}$$

$$\mathcal{F} = \left(key, C, A^{\lambda}(key, A)[key, C \leftarrow \mathrm{PiecemealMM}(A, B)]\right)_{B \in_R \{0,1\}^{m \times n} : \mathrm{rank}(B) = m - 1,\ \forall i,\ \bigoplus B[i] = 1}$$

$^9$ In both distributions, we give $A$ complete and explicit access to $key$ and $A$. The piecemeal leakage attack here is on $B$, which has different distributions in the two cases.

then $\Delta(\mathcal{D}, \mathcal{F}) = \exp(-\Omega(\kappa))$.


5.5  Ciphertext  Bank  Security  Proofs 

We now prove Lemmas 5.1, 5.2, 5.3, 5.4 and 5.5 from Section 5.1 (Lemma 5.1 is the most technically involved). These lemmas consider leakage produced in an attack on a real or simulated sequence of $T$ ciphertext generations. In proving statistical closeness of the leakage, we will use both the simulated views and additional hybrid views. We compute these views by running the $T$ generations, under the leakage attack of $A$, using biased random coins.

Internal Variables. We will use several internal variables as we run these $T$ generations. For the $i$-th generation (where $i$ goes from $0$ to $T - 1$): $(key_i, C_i)$ denote the bank before the $i$-th generation, with underlying plaintexts $x_i$. The randomness used to generate the $i$-th output ciphertext is $r_i$, the matrix used to refresh the bank is $R_i$, and the key refresh value is $\sigma_i$. We use $D_i$ to denote the intermediate ciphertext bank in the $i$-th generation after key refresh, but before multiplication with $R_i$. The output ciphertext of the $i$-th generation is $c_i$ (the output key is $key_i$).

Proof of Lemma 5.1. We prove here the case that $b = 0$; the case $b = 1$ is similar. Recall that $Real$ is the view of $A$ given "real" generations of ciphertexts, using a bank of ciphertexts whose underlying plaintexts are 0, and generating ciphertexts whose underlying plaintexts are 0. $Simulated$ is a view generated using a bank of ciphertexts whose underlying plaintexts are uniformly random, but choosing plaintexts using biased randomness so that their underlying plaintexts are always 0. The proof of statistical closeness uses a hybrid argument as follows.

We define hybrid views $\{\mathcal{H}_t\}$ for $t \in \{0, \ldots, T + 1\}$. The output of each hybrid is $T$ tuples, one for each ciphertext generation, each consisting of a key, a ciphertext, and a leakage value. We compute the hybrid views by running the $T$ generations, under the leakage attack of $A$, using biased random coins. We specify the distribution of each of the internal variables described above, and these specify the hybrid view on the outputs and leakage from the $T$ generations.

When generating $\mathcal{H}_t$, for $t > 0$ we initialize $(key_0, C_0)$ as in $Simulated$. In $\mathcal{H}_0$ we initialize $(key_0, C_0)$ as in $Real$. We then run $T$ ciphertext generations under $A$'s leakage attack. The key refresh value $\sigma_i$ is always uniformly random. For the $i$-th generation, where $i < t$, we choose $r_i$ uniformly at random s.t. it has odd parity and is in $\mathrm{kernel}(x_i)$. For $i \ge t$, we choose $r_i$ to be uniformly random with odd parity (and no further restrictions). For $i \ne (t - 1)$, we use a uniformly random $R_i$ whose columns have odd parity. For $i = (t - 1)$, we use a uniformly random $R_i$ whose columns have odd parity and are in $\mathrm{kernel}(x_i)$. This completes the hybrids' specification.

By construction, we get that $\mathcal{H}_0 = Real$ and $\mathcal{H}_{T+1} = Simulated$. It remains to show that, for all $t$, $\Delta(\mathcal{H}_t, \mathcal{H}_{t+1}) = \exp(-\Omega(\kappa))$. We show this here for $2 \le t \le T$ (the borderline cases are handled similarly). We use an intermediate distribution $\mathcal{H}'_t$, which operates as $\mathcal{H}_t$, except that it chooses an $x_t$ vector uniformly at random (recall that in $\mathcal{H}_t$ the columns of $C_t$ are all in $\mathrm{kernel}(key)$). It then chooses $r_t$ and the columns of $R_t$ to be uniformly random with odd parity and in $\mathrm{kernel}(x_t)$ (whereas in $\mathcal{H}_t$ these were uniformly random with odd parity and no further restriction).

Claim 5.20. $\Delta(\mathcal{H}'_t, \mathcal{H}_{t+1}) = \exp(-\Omega(\kappa))$

Proof. The differences between $\mathcal{H}'_t$ and $\mathcal{H}_{t+1}$ are: (i) the distribution of $r_{t-1}$ and the columns of $R_{t-1}$: they are uniform (with odd parity) in $\mathcal{H}_{t+1}$, but in $\mathcal{H}'_t$ they are all in $\mathrm{kernel}(x_{t-1})$; (ii) in $\mathcal{H}'_t$ we have that the columns of $C_t$ are orthogonal to $key_t$, whereas in $\mathcal{H}_{t+1}$ they are uniformly random; and (iii) the distribution of $r_t$ and the columns of $R_t$: they have odd parity in both $\mathcal{H}_{t+1}$ and $\mathcal{H}'_t$, but in $\mathcal{H}_{t+1}$ they are orthogonal to the $x_t$ that has the plaintext bits encrypted in $C_t$, whereas in $\mathcal{H}'_t$ they are orthogonal to a uniformly random $x_t$ that is independent of $(key_t, C_t)$.

We reduce the security game of Lemma 5.17 to distinguishing these two cases. There, a vector $x$ is chosen uniformly at random. A matrix $A$ either has columns orthogonal to $key$, or has uniformly random columns whose inner products with $key$ equal the bits in $x$. This $A$ is multiplied by $B$ with columns in the kernel of $x$. To reduce the game of Lemma 5.17 to distinguishing $\mathcal{H}'_t$ and $\mathcal{H}_{t+1}$, we put $key$ as $key_t$, $A$ as $C_t$, $x$ as $x_t$, and $B$ as $R_t$.

We begin by showing that leakage from the $t$-th generation on, together with all keys and ciphertexts created in all generations, is statistically close in both hybrids. The leakage from the $t$-th generation takes as input the keys and ciphertexts produced in prior iterations, and so for each $i \in \{0, \ldots, t - 1\}$, we pick $(key_i, c_i)$ uniformly at random (independent of $(key_t, C_t)$) s.t. they have inner product 0. We also choose a uniformly random correlation value $\sigma_t$. Note that the distribution of these key-ciphertext pairs, in conjunction with $(key_t, C_t)$ set as above, is exactly as in $\mathcal{H}'_t$ and $\mathcal{H}_{t+1}$ (respectively, depending on the distribution of $key$ and $A$ in the security game of Lemma 5.17).

Using the above reduction, we conclude from Lemma 5.17 that the leakage from the $t$-th generation, together with $(key_t, c_t, \sigma_t, C_{t+1})$ (and the list of key-ciphertext pairs from earlier generations), is statistically close when the random variables are drawn as in $\mathcal{H}'_t$ and $\mathcal{H}_{t+1}$. We can then use these to generate the leakage and key-ciphertext pairs for generations $(t + 1)$ and up (these are just a function of $(key_t, \sigma_t, C_{t+1})$).

We need, however, to also generate the leakage for the ciphertext generations that precede the $t$-th. Recall that the $(key_i, c_i)$ key-ciphertext pairs for all iterations $i < t$ were already chosen and fixed above. We compute the leakage from these iterations using piecemeal leakage from $(key_t, C_t)$. In fact, for $i \in \{0, \ldots, t - 3\}$ the leakage is independent of $(key_t, C_t)$: we simply choose all of the randomness for these generations independently of $(key_t, C_t)$. For generations $\{0, \ldots, t - 2\}$, each $C_i$ is sampled uniformly at random. The $\sigma_i$ values are specified by $key_i \oplus \sigma_i = key_{i+1}$, and these in turn (together with the $C_i$'s) specify the $D_i$ key-refreshed banks. The $R_i$ matrices are uniformly random s.t. their columns have odd parity and multiplying $D_i$ by $R_i$ yields $C_{i+1}$. The $r_i$'s are uniformly random s.t. they have odd parity and $C_i \times r_i = c_i$. This completely specifies the randomness for all iterations $i \in \{0, \ldots, (t - 3)\}$, and we can compute the leakage from those iterations using these values, independently of $(key_t, C_t)$. Note that the randomness for iterations $t - 2$ and $t - 1$ will depend on $(key_t, C_t)$, and so leakage from those iterations is not independent, and will be computed as follows using piecemeal leakage from $(key_t, C_t)$.

For the $(t - 1)$-th generation, we choose $D_{t-1}$ uniformly at random. The variable $\sigma_{t-1}$ is a function of $key_t$ (which can be accessed via leakage) and of $key_{t-1}$ (which is fixed and public). The ciphertext bank $C_{t-1}$ is a function of $D_{t-1}$ and of $\sigma_{t-1}$, i.e. of public information and of (leakage from) $key_t$. The variable $r_{t-1}$ is a function of $C_{t-1}$ and $c_{t-1}$, i.e. of public information and (leakage from) $key_t$. The only remaining variable which is not specified for iteration $t - 1$ is $R_{t-1}$. We will show below how to compute the needed (piecemeal) leakage from $R_{t-1}$ using $D_{t-1}$ and piecemeal leakage only from $C_t$. Given this (see below), we conclude that leakage from each sub-computation in the $(t - 1)$-th generation can be computed via piecemeal leakage from $(key_t, C_t)$.

To compute each piece of $R_{t-1}$ used in the piecemeal matrix multiplication, we observe that it suffices to use explicit access to all of $D_{t-1}$ (a "public" uniformly random matrix), together with piecemeal leakage from $C_t$. We use here the fact that the pieces of $R_{t-1}$ that are needed for simulating matrix multiplication are all disjoint. Note that, in particular, the distributions of $R_{t-1}$ that we will get in the scenarios of Lemma 5.17 are quite different (as they should be).

Finally, we also need to compute leakage from the $(t - 2)$-th generation. Here we need to specify $\sigma_{t-2}$, which is a function of $key_{t-2}$ and $key_{t-1}$: i.e., we can access it via leakage from $key_t$. This also specifies $D_{t-2}$. Finally, for $R_{t-2}$ we use $D_{t-2}$ and $C_{t-1}$, which can both be accessed via leakage from $key_t$.

In  conclusion,  we  used  a  piecemeal  attack  on  ( keyt ,  Ct)  to  generate  the  key-ciphertext  pairs  and 
leakage  up  to  the  t-th  generation,  and  an  attack  as  in  Lemma  5.17  to  generate  the  leakage  from  the 
t-th  generation  on.  This  yielded  the  views  R't  and  Rt+i-  By  Lemma  5.17  we  conclude  that  these 
views  must  be  statistically  close.  M 

Claim 5.21. $\Delta(R_t, R'_t) = \exp(-\Omega(\kappa))$

Proof. The only difference between the hybrids is in the distribution of $R_t$ (in the $t$-th generation). We reduce the attack game of Lemma 5.19 to distinguishing the two cases. To do so, we generate $(key_t, c_t, C_t, w_t)$ identically as in both views. We put $key_{t+1} = key$, $D_t = A$, and $R_t = B$.

Now consider the $i$-th matrix update in $R_t$ or $R'_t$, performed via piecemeal multiplication of $D_t$ with $R_t$. In $R_t$ we have a uniformly random $R_t$ whose columns have odd parity, and in $R'_t$ we place the additional restriction that the columns are all orthogonal to $kernel(x_t)$, i.e. they are all in a (random) subspace of dimension $2\kappa - 1$. By Lemma 5.19, the leakage obtained, together with $(key_{t+1}, C_{t+1})$, is statistically close in both cases. In both views, we can create the leakage from later rounds as a function of $(key_{t+1}, C_{t+1})$ (the same function in both cases). We can also create the leakage in the earlier rounds as a function of $(C_t, key_t)$ as in Claim 5.20 (here this is even easier, because we have explicit access to both). □


Proof of Lemma 5.2. We prove here the case that $b = 0$; the case $b = 1$ is similar. Recall that $Simulated'$ and $Simulated''$ are two simulated views of $\mathcal{A}$ on a sequence of $T$ simulated generations, both using a bank of ciphertexts whose underlying plaintexts are all uniformly random. The views differ only in that the plaintexts underlying the ciphertexts that are generated, $b'$ and $b''$, might be different. The proof of statistical closeness uses a hybrid argument and follows below.

We define hybrid views $\{R_t\}$ for $t \in \{0, \ldots, T\}$. The output of each hybrid is $T$ leakage values, one for each ciphertext generation. We compute the hybrid views by running the $T$ generations, under the leakage attack of $\mathcal{A}$, using biased random coins. We will use the internal variables described above as we run these $T$ generations. When generating $R_t$, we initialize $(key_0, C_0)$ using SimBankInit (so the ciphertexts in the bank are uniformly random). In $R_t$, for all $i$, in the $i$-th call to SimBankInit, we use uniformly random $\sigma_i$ and $R_i$ whose columns have parity 1. For $i < t$, we choose $r_i$ uniformly at random s.t. its parity is 1 and the $c_i$ produced has inner product $b'[i]$ with $key_i$. For $i \ge t$, we choose $r_i$ similarly, except its inner product with $key_i$ is $b''[i]$. This completes the specification of the hybrids.

By construction, we get that $R_0 = Simulated''$ and $R_T = Simulated'$. It remains to show that, for all $t$, $\Delta(R_t, R_{t+1}) = \exp(-\Omega(\kappa))$. This follows from Lemma 5.18. The Lemma shows that the leakage obtained in the $t$-th generation, together with $(key_{t+1}, C_{t+1})$, is statistically close in $R_t$ and $R_{t+1}$. In both views, we can create the leakage from later rounds as a function of $(key_{t+1}, C_{t+1})$ (the same function in both cases). We can also create the leakage in the earlier rounds using a piecemeal leakage attack on $(key_t, C_t)$, as done in Claim 5.20 above. □

Proof of Lemma 5.3. The distribution $\mathcal{D}$ of $((key_0, \ldots, key_{T-1}), (c_0, \ldots, c_{T-1}))$ in $Simulated$ (without any leakage) is IuO, with orthogonality $b$ and underlying distributions $\mathcal{K}$ and $\mathcal{C}$ on keys and ciphertexts: each key and ciphertext in the underlying distributions is uniformly and independently random. Now, observe that the ciphertext banks in $Simulated$ are uniformly random, independent of the keys and ciphertexts. Thus, we can compute the leakage from all $T$ generations as a (randomized) multi-source function operating on the ciphertext banks and separately on the keys and separately on each ciphertext. We conclude by Lemma 3.11 that for each $i$ the distribution $\mathcal{D}_i(w)$ is indeed IuO, with orthogonality $b[i]$ and with underlying distributions $\mathcal{K}_i(w)$ and $\mathcal{C}_i(w)$ that do not depend on $b[i]$. The entropy bounds on each key and ciphertext (given $w$) follow by Lemma 3.8.

We note that independence up to orthogonality and high entropy hold even given the explicit lists of ciphertexts in the bank (in all calls), as these are just uniformly random matrices, and even given the random coins used to compute leakage from the target generations (given the ciphertext bank and the target ciphertext). □


6 Safe Computations

In this section we present the SafeNAND procedure; see Section 2.2 for an overview. The (simpler) treatment of duplication gates is omitted.

This section is organized as follows: the SafeNAND procedure and its security properties are in Section 6.1. This procedure uses a leakage-resilient permutation procedure, Permute, which is presented and proved secure in Section 6.2. We then use Permute's security in the proof of SafeNAND's security, which follows in Section 6.3.

6.1 Safe Computations: Interface and Security

In this section we present the procedure for safely computing NAND gates. The full procedure is in Figure 8. Correctness follows from the description (see the introduction). For security, we show that a view of the NAND computation can be simulated, given only the output (and the underlying distributions of the input keys and the input ciphertexts). This is formalized in Lemma 6.1. See the subsequent sections for details of the Permute procedure and the proof of Lemma 6.1.

Security of SafeNAND. We provide a simulator for producing the leakage on the SafeNAND procedure, when the inputs to SafeNAND are chosen from an IuO distribution. The simulator is given the output $a_k$ and the underlying distributions from which the SafeNAND inputs were drawn. It outputs a complete view of the leakage from SafeNAND. This includes the leakage from the Decrypt operation (which loads keys and ciphertexts into memory simultaneously). The security claim is below in Lemma 6.1. We note that the SafeNAND simulator is not efficient; its running time might be exponential in that of the leakage adversary. The descriptions of the underlying input distributions themselves might already be of exponential size. This does not pose a problem, because the security of our main construction is statistical, and we never use the SafeNAND simulator for the (efficient) SimEval simulation procedure, only for creating hybrid distributions in the security proof.

SafeNAND($a_i$, $key_i$, $c_i$, $a_j$, $key_j$, $c_j$, $key_k$, $c_k$): Safe NAND computation

1. Correlate the ciphertexts to a new key. Pick a new key $key \leftarrow KeyGen(1^\kappa)$
   $\sigma_i \leftarrow key_i \oplus key$, $\sigma_j \leftarrow key_j \oplus key$, $\sigma_k \leftarrow key_k \oplus key$
   $c'_i \leftarrow CipherCorrelate(c_i, \sigma_i)$, $c'_j \leftarrow CipherCorrelate(c_j, \sigma_j)$, $c'_k \leftarrow CipherCorrelate(c_k, \sigma_k)$
   leakage on $[(key_i, \sigma_i), (key_j, \sigma_j), (key_k, \sigma_k), (c_i, \sigma_i), (c_j, \sigma_j), (c_k, \sigma_k)]$

2. $c''_i \leftarrow c'_i \oplus (a_i, 0, \ldots, 0)$, $c''_j \leftarrow c'_j \oplus (a_j, 0, \ldots, 0)$
   $C \leftarrow (c'_k,\ c'_k \oplus c''_i,\ c'_k \oplus c''_j,\ c'_k \oplus c''_i \oplus c''_j \oplus (1, 0, \ldots, 0))$
   leakage on ciphertexts

3. $(K', C') \leftarrow Permute(key, C)$
   leakage from Permute (see below)

4. Decrypt the four ciphertexts in $C'$ using the four keys in $K'$. If exactly one of the four resulting plaintexts is 0, then output $a_k \leftarrow 0$. Otherwise, output $a_k \leftarrow 1$
   leakage on $C'$ and $K'$ (jointly)

Figure 8: SafeNAND procedure. The Permute procedure is in Figure 9.

Lemma 6.1. There exist: an exponential time simulator SimNAND, a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a distance bound $\delta(\kappa) = negl(\kappa)$ s.t. for every $\kappa \in \mathbb{N}$ and leakage adversary $\mathcal{A}$:

Let $\mathcal{D}$ be a distribution on two 3-tuples: a key-tuple $(key_i, key_j, key_k) \in \{0,1\}^{3 \times \kappa}$, and a ciphertext-tuple $(c_i, c_j, c_k) \in \{0,1\}^{3 \times \kappa}$. Suppose that $\mathcal{D}$ is IuO with orthogonality $(b_i, b_j, b_k) \in \{0,1\}^3$. Let $\mathcal{D}$'s underlying distributions on the key-tuple and on the ciphertext-tuple be $\mathcal{K}$ and $\mathcal{C}$, i.e. $\mathcal{D} = \mathcal{K} \perp_{(b_i, b_j, b_k)} \mathcal{C}$. Suppose further that $H_\infty(\mathcal{K}), H_\infty(\mathcal{C}) \ge 3\kappa - O(\lambda(\kappa))$.

For any $(a_i, a_j) \in \{0,1\}^2$, take:

$Real = \big( [a_k \leftarrow SafeNAND(a_i, key_i, c_i, a_j, key_j, c_j, key_k, c_k)] \big)_{((key_i, key_j, key_k), (c_i, c_j, c_k)) \sim \mathcal{D}}$

$Simulated = \big( SimNAND(a_i, a_j, a_k, \mathcal{K}, \mathcal{C}) \big)_{a_k \leftarrow ((a_i \oplus b_i)\ \mathrm{NAND}\ (a_j \oplus b_j)) \oplus b_k}$

then $\Delta(Real, Simulated) \le \delta(\kappa)$.

6.2 Leakage-Resilient Permutation

The Permute procedure receives as input a key and a 4-tuple of ciphertexts. It outputs a "fresh" pair of 4-tuples of keys and ciphertexts. The correctness property of the Permute procedure is that the plaintexts underlying the output ciphertexts (under the respective output keys) are a (random) permutation of the plaintexts underlying the input ciphertexts. The intuitive security guarantee is that, even to a computationally unbounded leakage adversary, the permutation looks uniformly random. The procedure is below in Figure 9. Correctness is immediate. Security is formalized by the existence of a simulator that generates a complete view of the leakage and the output keys and ciphertexts. The simulator only gets: (i) descriptions of the marginal distributions from which the key and the input ciphertexts are drawn, and (ii) a random permutation of the plaintexts underlying the input ciphertexts. We show that, under the appropriate conditions on the distribution from which the key and ciphertexts are drawn, the real and simulated joint distributions of leakage and output from Permute will be statistically close. In particular, on an intuitive level, the joint distribution of the leakage and the outputs is independent of the permutation that was used. This security property is stated in Lemma 6.2 below. We note that the simulator is not efficient, and may run in exponential time (as was the case for the SimNAND simulator, it is only used in the security proof of our main construction).


Permute($key$, $C$): leakage-resilient permutation for $key$ and a 4-tuple $C$ of ciphertexts
Take $K_0 \leftarrow (key, key, key, key)$, $C_0 \leftarrow C$, and $\ell = polylog(\kappa)$

For $i \in [\ell]$, repeat:

1. for $j \in [\kappa], k \in [4]$: $\sigma_i[j][k] \leftarrow KeyEntGen(1^\kappa)$, $L_i[j][k] \leftarrow KeyRefresh(K_i[k], \sigma_i[j][k])$
   leakage on $(K_i, \sigma_i)$

2. for $j \in [\kappa], k \in [4]$: $D_i[j][k] \leftarrow CipherCorrelate(C_i[k], \sigma_i[j][k])$
   leakage on $(C_i, \sigma_i)$

3. for $j \in [\kappa], k \in [4]$: $\tau_i[j][k] \leftarrow CipherEntGen(1^\kappa)$, $D'_i[j][k] \leftarrow CipherRefresh(D_i[j][k], \tau_i[j][k])$
   leakage on $(D_i, \tau_i)$

4. for $j \in [\kappa], k \in [4]$: $L'_i[j][k] \leftarrow KeyCorrelate(L_i[j][k], \tau_i[j][k])$
   leakage on $(L_i, \tau_i)$

5. pick $\pi_i \in_R S_4^{\kappa}$; for $j \in [\kappa]$: $L''_i[j] \leftarrow \pi_i[j](L'_i[j])$, $D''_i[j] \leftarrow \pi_i[j](D'_i[j])$
   leakage on $[(L'_i, \pi_i), (D'_i, \pi_i)]$

6. pick $j^* \in_R [\kappa]$. Save $K_{i+1} \leftarrow L''_i[j^*]$, and $C_{i+1} \leftarrow D''_i[j^*]$
   leakage on $[(L''_i[j^*], j^*), (D''_i[j^*], j^*)]$

Output $(K_\ell, C_\ell)$

Figure 9: Leakage-Resilient Ciphertext Permutation.
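The following is an added, runnable toy model of the two procedures in Figures 8 and 9. It is example code written for this edition of the report, not code from the paper, and it exercises only the correctness (plaintext) side of the construction, since leakage cannot be observed in a simulation. Its conventions are assumptions of the toy: keys are $\kappa$-bit vectors whose coordinate 0 is fixed to 1, the plaintext of a ciphertext is its inner product with the key mod 2 (so XOR-ing $(a, 0, \ldots, 0)$ into a ciphertext shifts the plaintext by $a$, as Steps 2 and 4 of Figure 8 require), KeyEntGen outputs have coordinate 0 equal to 0, and the toy Permute performs only the key refresh, ciphertext correlation and permutation steps of Figure 9 (Steps 1, 2 and 5) on a single candidate, omitting the ciphertext refresh and the $j^*$ selection.

```python
"""Toy model of SafeNAND (Figure 8) over a simplified Permute (Figure 9).

Conventions of this example (assumptions, not necessarily the paper's scheme):
- a key is a KAPPA-bit vector with coordinate 0 equal to 1;
- a ciphertext is a KAPPA-bit vector; its plaintext is <key, c> mod 2;
- XOR-ing (a, 0, ..., 0) into a ciphertext therefore shifts its plaintext by a;
- KeyEntGen returns vectors with coordinate 0 equal to 0, so refreshed keys
  keep coordinate 0 equal to 1.
Leakage is not modelled; only the plaintext algebra is checked.
"""
import itertools
import random
from typing import List, Tuple

KAPPA = 32
Vec = Tuple[int, ...]


def inner(u: Vec, v: Vec) -> int:
    """Inner product mod 2."""
    return sum(x & y for x, y in zip(u, v)) & 1


def xor(u: Vec, v: Vec) -> Vec:
    return tuple(x ^ y for x, y in zip(u, v))


def unit(bit: int) -> Vec:
    """(bit, 0, ..., 0): XOR-ing it into a ciphertext shifts the plaintext by bit."""
    return (bit,) + (0,) * (KAPPA - 1)


def keygen(rng: random.Random) -> Vec:
    return (1,) + tuple(rng.randrange(2) for _ in range(KAPPA - 1))


def key_ent_gen(rng: random.Random) -> Vec:
    return (0,) + tuple(rng.randrange(2) for _ in range(KAPPA - 1))


def encrypt(key: Vec, bit: int, rng: random.Random) -> Vec:
    c = tuple(rng.randrange(2) for _ in range(KAPPA))
    return xor(c, unit(inner(key, c) ^ bit))  # fix coordinate 0 so that <key, c> = bit


def decrypt(key: Vec, c: Vec) -> int:
    return inner(key, c)


def cipher_correlate(c: Vec, sigma: Vec) -> Vec:
    """Re-target c between the keys key and key ^ sigma using sigma only:
    <key, c'> = <key ^ sigma, c>. The key itself is never touched."""
    return xor(c, unit(inner(sigma, c)))


def toy_permute(key: Vec, C: List[Vec], rng: random.Random, rounds: int = 3):
    """Steps 1, 2 and 5 of Figure 9 on one candidate per round (toy version)."""
    K = [key] * 4
    C = list(C)
    for _ in range(rounds):
        sigmas = [key_ent_gen(rng) for _ in range(4)]             # KeyEntGen
        K = [xor(k, s) for k, s in zip(K, sigmas)]                 # KeyRefresh
        C = [cipher_correlate(c, s) for c, s in zip(C, sigmas)]    # CipherCorrelate
        pi = list(range(4))
        rng.shuffle(pi)                                            # pi in_R S_4
        K = [K[p] for p in pi]
        C = [C[p] for p in pi]
    return K, C


def safe_nand(a_i, key_i, c_i, a_j, key_j, c_j, key_k, c_k, rng: random.Random) -> int:
    """Figure 8; returns the public output share a_k."""
    key = keygen(rng)
    # Step 1: correlate all three ciphertexts to the fresh key
    s_i, s_j, s_k = (xor(k, key) for k in (key_i, key_j, key_k))
    ci, cj, ck = (cipher_correlate(c, s) for c, s in ((c_i, s_i), (c_j, s_j), (c_k, s_k)))
    # Step 2: fold in the public shares and build the 4-tuple
    ci = xor(ci, unit(a_i))
    cj = xor(cj, unit(a_j))
    C = [ck, xor(ck, ci), xor(ck, cj), xor(xor(xor(ck, ci), cj), unit(1))]
    # Step 3: leakage-resilient permutation (toy)
    K2, C2 = toy_permute(key, C, rng)
    # Step 4: exactly one 0 plaintext means a_k = 0
    zeros = sum(1 for k, c in zip(K2, C2) if decrypt(k, c) == 0)
    return 0 if zeros == 1 else 1


def check_truth_table(seed: int = 0) -> bool:
    """a_k xor b_k must equal NAND(a_i xor b_i, a_j xor b_j) for all 32 share assignments."""
    rng = random.Random(seed)
    for a_i, b_i, a_j, b_j, b_k in itertools.product((0, 1), repeat=5):
        key_i, key_j, key_k = keygen(rng), keygen(rng), keygen(rng)
        c_i, c_j, c_k = encrypt(key_i, b_i, rng), encrypt(key_j, b_j, rng), encrypt(key_k, b_k, rng)
        a_k = safe_nand(a_i, key_i, c_i, a_j, key_j, c_j, key_k, c_k, rng)
        want = (1 ^ ((a_i ^ b_i) & (a_j ^ b_j))) ^ b_k
        if a_k != want:
            return False
    return True


def permute_preserves_plaintexts(seed: int = 0) -> bool:
    """Output keys are fresh and the multiset of plaintexts is unchanged."""
    rng = random.Random(seed)
    key = keygen(rng)
    bits = [rng.randrange(2) for _ in range(4)]
    C = [encrypt(key, b, rng) for b in bits]
    K2, C2 = toy_permute(key, C, rng)
    return sorted(decrypt(k, c) for k, c in zip(K2, C2)) == sorted(bits) and all(k != key for k in K2)
```

The decision rule in Step 4 is exactly-one-zero: the four plaintexts of $C$ are $b_k$, $b_k \oplus v_i$, $b_k \oplus v_j$ and $b_k \oplus v_i \oplus v_j \oplus 1$ with $v_i = a_i \oplus b_i$ and $v_j = a_j \oplus b_j$, and a short case analysis shows that exactly one of them is 0 precisely when $\mathrm{NAND}(v_i, v_j) \oplus b_k = 0$, which is the relation between $a_k$ and the inputs that Lemma 6.1 uses. The permutation makes the position of that 0 uninformative, so only the count is consulted.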


Lemma 6.2. There exists an exponential-time simulator SimPermute, a leakage bound $\lambda(\kappa) = \Omega(\kappa)$, and a distance bound $\delta(\kappa) = negl(\kappa)$, s.t. for any $\kappa \in \mathbb{N}$ and leakage adversary $\mathcal{A}$:

Let $\mathcal{D}$ be a distribution on $key \in \{0,1\}^\kappa$ and a ciphertext 4-tuple $C \in \{0,1\}^{4 \times \kappa}$. Suppose that $\mathcal{D}$ is IuO with orthogonality $b \in \{0,1\}^4$. Let $\mathcal{K}$ and $\mathcal{C}$ be $\mathcal{D}$'s underlying distributions on $key$ and on $C$. Suppose further that $H_\infty(\mathcal{K}) \ge \kappa - O(\lambda(\kappa))$ and $H_\infty(\mathcal{C}) \ge 3\kappa - O(\lambda(\kappa))$.

Take $Real$ and $Simulated$ to be the following views:

$Real = \big( K', C', \mathcal{A}_{\lambda(\kappa)}[(K', C') \leftarrow Permute(key, C)] \big)_{(key, C) \sim \mathcal{D}}$

$Simulated = \big( SimPermute(b', \mathcal{K}, \mathcal{C}) \big)_{b' \leftarrow \pi(b),\ \pi \in_R S_4}$

then $\Delta(Real, Simulated) \le \delta(\kappa)$.


Proof. We begin by describing the SimPermute simulator. The proof that $Real$ and $Simulated$ are statistically close follows.

SimPermute. The simulator samples $key \sim \mathcal{K}$ and $C \sim \mathcal{C}$, conditioned on the inner product of $key$ with $C$ being $0$ (rather than $b[i]$, as in $\mathcal{D}$). The simulator then runs Permute on $(key, C)$, under $\mathcal{A}$'s leakage attack, to compute the leakage $w$. To compute the output $(K', C')$, the simulator first samples an input key and randomness $r$ for Permute, from the conditional underlying distribution of $key$ and the randomness given leakage $w$. Note that, as in Lemma 3.11, this conditional distribution depends only on $\mathcal{K}$ (and not on $\mathcal{C}$). Using $key$ and $r$, the simulator can compute the $K'$ that Permute would output. Similarly, the simulator computes the conditional distribution of $C'$, given $w$ and $r$. Again, as in Lemma 3.11, this depends only on $\mathcal{C}$ (and not on $\mathcal{K}$). The simulator samples $C'$ from this conditional distribution, under the additional condition that the inner products of $C'$ with $K'$ equal $b'$. The output is $(K', C', w)$.

Statistical Closeness of Real and Simulated. We first observe that $w$ is $\mathcal{A}$'s output in a leakage attack that operates separately on $key$ and on $C$. Moreover, the leakage on $key$ and on $C$ is of bounded total length $O(\ell \cdot \lambda(\kappa)) \ll \kappa$. Since the "real" distribution $\mathcal{D}$ of $(key, C)$ is IuO, by Lemma 3.11 the distributions of $w$ in $Real$ and in $Simulated$ are $\delta(\kappa)$-statistically close.

The more difficult part of the proof is arguing that (w.h.p. over $w$), the distributions of $(K', C')$, conditioned on $w$, in $Real$ and in $Simulated$ are statistically close. For this, we consider a hybrid distribution $Real'$. To generate $Real'$, we compute $w$ as in $Simulated$, by running $\mathcal{A}$'s leakage attack on Permute, activated on $key$ and $C$ chosen s.t. their inner products equal $0$. Let $\pi$ be the composition of the permutations chosen in the $\ell$ iterations of Permute. In $Real'$ we generate $(K', C')$ as in $Simulated$, but conditioning the underlying output distributions on the inner products of $K'$ and $C'$ equalling $b' = \pi(b)$, rather than $b'$ which is a uniformly random permutation of $b$ in $Simulated$. We show that $Real'$ is statistically close to both $Real$ and $Simulated$.

Proposition 6.3. $\Delta(Real, Real') = O(\delta(\kappa))$

Proof. We re-cast $Real$ by considering the following procedure for generating it. This alternate generation operates as $Real$, except that when drawing the input $(key, C)$ from the underlying distributions, we condition on the inner products equalling $b$ (rather than $0$). These $(key, C)$ are used to compute $w$, and then $(K', C')$ are drawn (as in $Real'$) from their conditional distributions, conditioned on inner products $\pi(b)$ (where $\pi$ is the composition of the permutations used in all $\ell$ iterations of Permute). Since the input distribution $\mathcal{D}$ used in $Real$ is IuO, this procedure generates exactly the view $Real$.

We now show that $Real$ and $Real'$ are statistically close. These two distributions differ only in the joint distribution of $(w, \pi)$; given $w$ and $\pi$, the distributions of $(K', C')$ derived in $Real$ and $Real'$ are identical. $(w, \pi)$ are generated via a multi-source leakage attack, operating separately on $key$ and on $C$, with a total of $O(\ell \cdot \lambda(\kappa)) \ll \kappa$ bits of leakage. Moreover, the distributions of $key$ and $C$ in $Real$ and $Real'$ are both IuO (by construction), and differ only in their orthogonalities ($b$ or $0$ respectively). By Lemma 3.11, we get that the distributions of $(w, \pi)$ in $Real$ and $Real'$ are $\delta(\kappa)$-statistically close, and thus so are $Real$ and $Real'$ themselves. □

Proposition 6.4. $\Delta(Real', Simulated) = negl(\kappa)$

Proof. Recall that the distributions of $w$ in $Real'$ and $Simulated$ are identical. The underlying distributions on $K'$ and on $C'$ (given $w$) are also identical. The difference is in the distribution (given $w$) of the permutation used to compute $b'$ from the given vector $b$ ($b'$ is then used to jointly sample $(K', C')$). In $Real'$ we have $b' = \pi(b)$, where $\pi$ is the composition of permutations chosen by Permute in its $\ell$ iterations. In $Simulated$ we have $b' = \pi'(b)$, where $\pi'$ is a uniformly random permutation in $S_4$, independent of $w$. We will show that, for any input $(key, C)$, the distribution of $\pi$ in $Real'$ (conditioned on $w$) is $negl(\kappa)$-close to uniformly random (w.h.p. over the leakage $w$). It follows that $Real'$ and $Simulated$ are $negl(\kappa)$-statistically close.

The intuition, loosely speaking, is that for each $i \in [\ell]$, the permutation $\pi^*_i = \pi_i[j^*]$ chosen in Permute's $i$-th iteration looks "fairly random" even given $w$. Moreover, these $\ell$ permutations are drawn independently from their "fairly random" distributions. The composition, over all $\ell$ iterations of Permute, of the permutations chosen in each iteration is thus statistically close to uniformly random. We formalize this intuition below, starting with the notion of "well-mixing" distributions over $S_4$.

Definition 6.5 (Well-Mixing Distribution on Permutations). A distribution $P$ over $S_4$ is said to be well-mixing if:

$H_\infty(P) \ge 0.99 \log |S_4|$

Next, we observe that the composition of a sequence of permutations drawn from well-mixing distributions is itself very close to uniform.

Claim 6.6. For any sequence $P_0, \ldots, P_{\ell-1}$ of well-mixing distributions, let $P$ be:

$P = (\pi_0 \circ \cdots \circ \pi_{\ell-1})_{\pi_0 \sim P_0, \ldots, \pi_{\ell-1} \sim P_{\ell-1}}$

then $P$ is $\exp(-\Omega(\ell))$-close to uniform over $S_4$.
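As an added illustration (example code written for this edition, not part of the paper), the following computes Definition 6.5 and Claim 6.6 exactly over the 24 elements of $S_4$: it checks whether a distribution is well-mixing, convolves distributions to obtain the law of the composed permutation, and reports the statistical distance from uniform after each round. Both sample distributions are constructed here. The second one shows why the entropy condition matters: conditioning a uniform permutation on a single leaked bit, its sign, leaves a distribution on the alternating group $A_4$ whose compositions never approach uniform over $S_4$.

```python
"""Well-mixing distributions over S_4 (Definition 6.5) and the composition of
Claim 6.6, computed exactly. Example code, not from the paper.

A permutation of {0,1,2,3} is a tuple p with p[x] the image of x, and
(p o q)[x] = p[q[x]].
"""
import math
from itertools import permutations

IDENTITY = (0, 1, 2, 3)
S4 = list(permutations(range(4)))           # all 24 elements of S_4
UNIFORM = {p: 1.0 / len(S4) for p in S4}


def compose(p, q):
    return tuple(p[q[x]] for x in range(4))


def min_entropy(P):
    """H_inf(P) = -log2 max_p P(p), in bits."""
    return -math.log2(max(P.values()))


def is_well_mixing(P):
    """Definition 6.5: H_inf(P) >= 0.99 * log2 |S_4|."""
    return min_entropy(P) >= 0.99 * math.log2(len(S4))


def convolve(P0, P1):
    """Law of pi_0 o pi_1 for independent pi_0 ~ P0 and pi_1 ~ P1."""
    out = {p: 0.0 for p in S4}
    for p0, w0 in P0.items():
        for p1, w1 in P1.items():
            out[compose(p0, p1)] += w0 * w1
    return out


def statistical_distance(P, Q):
    return 0.5 * sum(abs(P.get(p, 0.0) - Q.get(p, 0.0)) for p in S4)


def distance_after_rounds(P, rounds):
    """Distance from uniform of the composition of `rounds` independent draws from P,
    one entry per round."""
    acc = {p: (1.0 if p == IDENTITY else 0.0) for p in S4}
    dists = []
    for _ in range(rounds):
        acc = convolve(acc, P)
        dists.append(statistical_distance(acc, UNIFORM))
    return dists


def biased_well_mixing(top=0.0429):
    """Constructed sample: the identity is favoured by close to the largest bias
    Definition 6.5 permits (max probability 24^-0.99 is about 0.0430)."""
    rest = (1.0 - top) / (len(S4) - 1)
    return {p: (top if p == IDENTITY else rest) for p in S4}


def sign(p):
    """Parity of the number of inversions: 0 for even permutations, 1 for odd."""
    inversions = sum(1 for a in range(4) for b in range(a + 1, 4) if p[a] > p[b])
    return inversions % 2


def even_only():
    """Constructed sample: a uniform permutation conditioned on one leaked bit (its
    sign). The result is uniform over the 12 even permutations only, so
    H_inf = log2 12 and the distribution is not well-mixing."""
    evens = [p for p in S4 if sign(p) == 0]
    return {p: (1.0 / len(evens) if p in evens else 0.0) for p in S4}
```

For the well-mixing sample the distance shrinks geometrically with the number of rounds, as Claim 6.6 states; for the sign-conditioned sample every composition stays inside $A_4$, so the distance from uniform over $S_4$ is exactly $1/2$ in every round, no matter how many iterations are run.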

For Permute's $i$-th iteration, let $w_i$ be the leakage in that iteration. We define $P_i$ to be the distribution of the permutation $\pi^*_i = \pi_i[j^*]$ chosen in the $i$-th iteration, conditioned on $(w_0, \ldots, w_i)$ and also on the keys and ciphertexts $(K_i, C_i, K_{i+1}, C_{i+1})$. We show that in $Real'$, with overwhelming probability over the random coins up to (but not including) the choice of $j^*$, with probability at least $1/2$ over Permute's choice of $j^*$, the distribution $P_i$ is well-mixing.

Claim 6.7. For the view $Real'$, for any $i \in [\ell]$, and for any $(K_i, C_i, (w_0, \ldots, w_{i-1}))$, with all but $O(\delta(\kappa))$ probability over Permute's random choices in iteration $i$ up to Step 6, with probability at least $1/2$ over Permute's choice of $j^*$ in Step 6, the distribution $P_i$ is well-mixing.

Proof. Examine the distribution of the vector $\pi_i$ of permutations used in iteration $i$, conditioned on $(K_i, C_i, (w_0, \ldots, w_{i-1}))$, and conditioned also on $(L''_i, D''_i)$ (but without conditioning on the leakage $w_i$ in the $i$-th iteration or on $j^*$). Here the randomness is over $(\sigma_i, \tau_i, \pi_i)$. We observe that in this conditional distribution, the marginal distribution on $(\pi_i[0], \ldots, \pi_i[\kappa - 1])$ is uniformly random over $S_4^{\kappa}$. This is because for each $j \in [\kappa]$, the pair $(\sigma_i[j], \tau_i[j])$ is uniformly random (under the condition that they maintain the underlying $0$ plaintext bits in $b_i$). Thus, $(\sigma_i[j], \tau_i[j])$ completely "mask" the permutation $\pi_i[j]$ that was used: all permutations are equally likely. Note that here we use the fact that the plaintext bits $b_i$ underlying $(K_i, C_i)$ in $Real'$ are all identical (they all equal $0$). Otherwise, since Permute preserves the set of underlying plaintexts (if not their order), there would be information about each $\pi_i[j]$ in the plaintexts underlying $(L''_i[j], D''_i[j])$.

By Lemma 3.8, since the leakage $w_i$ on $(\sigma_i, \tau_i, \pi_i)$ is of length at most $O(\lambda(\kappa))$ bits, with all but $\delta(\kappa)$ probability, the min-entropy of the vector $\pi_i$ given $(K_i, C_i, L''_i, D''_i, (w_0, \ldots, w_{i-1}, w_i))$ is at least $0.995 \cdot \kappa \cdot \log |S_4|$. By an averaging argument, with probability at least $1/2$ over Permute's (uniformly random) choice of $j^*$, we get that the min-entropy of $\pi^*_i = \pi_i[j^*]$, given $(K_i, C_i, L''_i, D''_i, (w_0, \ldots, w_{i-1}, w_i))$, is at least $0.99 \log |S_4|$. The claim about $P_i$ follows (in $P_i$ we condition $\pi^*_i$ on the same information as above, except we replace $(L''_i, D''_i)$ with just $(K_{i+1}, C_{i+1}) =$

To complete the proof of Proposition 6.4, we examine the composed distribution $(\pi = (\pi^*_0 \circ \cdots \circ \pi^*_{\ell-1}) \mid w)$. Each $\pi^*_i$ is drawn from $P_i$, and these draws are all independent of each other. By Claim 6.7, we get that with all but $\exp(-\Omega(\ell))$ probability over the random coins, fixing the sequence $((K_0, C_0), \ldots, (K_{\ell-1}, C_{\ell-1}))$ and the leakage $w$, at least $1/3$ of the distributions $P_i$ are well-mixing. When this happens, by Claim 6.6, the distribution of $(\pi \mid w)$ is $\exp(-\Omega(\ell))$-close to uniform, where $\ell = polylog(\kappa)$. □


6.3 Proof of SimNAND Security (Lemma 6.1)

Remark 6.8. We will assume throughout this section that the leakage $w$ from SafeNAND includes Permute's output in its entirety. This is a strengthening of the leakage adversary (it gets more leakage "for free"), and so it strengthens our security claim for SafeNAND.

Proof of Lemma 6.1. We begin by describing the SimNAND simulator, and then proceed with a proof of statistical closeness of $Real$ and $Simulated$.

SimNAND. Let $\mathcal{D}^{\times}$ be the independently drawn variant of $\mathcal{D}$ (as in Definition 3.10, i.e. with independent draws from $\mathcal{K}$ and from $\mathcal{C}$). SimNAND samples $((key_i, key_j, key_k), (c_i, c_j, c_k)) \sim \mathcal{D}^{\times}$, and $key \leftarrow KeyGen(1^\kappa)$. It runs Steps 1 and 2 of the SafeNAND procedure, on the keys and ciphertexts it drew, under $\mathcal{A}$'s leakage attack. Let $w_{1,2}$ be the leakage generated in this partial execution, and let $\sigma = (\sigma_i, \sigma_j, \sigma_k)$ be the correlation values computed by SafeNAND in this simulated execution.

Next, SimNAND computes $\mathcal{K}_{SimPermute}$ and $\mathcal{C}_{SimPermute}$, the conditional distributions of $key$ and of $C$ in Step 3, given $w_{1,2}$ and $\sigma$. SimNAND proceeds to simulate Step 3 by calling the Permute simulator, SimPermute (see Lemma 6.2), on input $(b_{SimPermute}, \mathcal{K}_{SimPermute}, \mathcal{C}_{SimPermute})$, where $b_{SimPermute}$ is a uniformly random permutation of the vector $(a_k, a_k \oplus 1, a_k \oplus 1, a_k \oplus 1)$. SimPermute's output includes the leakage $w_3$ from Step 3 and an output $(K', C')$ from Permute. SimNAND completes the simulation by running Step 4 on $(K', C')$ under $\mathcal{A}$'s leakage attack, producing leakage $w_4$. The leakage that SimNAND outputs is the accumulated leakage $w = (w_{1,2} \circ w_3 \circ (K', C') \circ w_4)$ from all the simulated steps of SafeNAND (recall from Remark 6.8 that we include $(K', C')$ in the leakage).

Statistical closeness of Real and Simulated. We examine the distributions of the leakage in Steps 1 and 2 in both views. In both $Real$ and $Simulated$ we have $(key_i, key_j, key_k) \sim \mathcal{K}$, and $key \leftarrow KeyGen(1^\kappa)$. These determine the correlation values $\sigma = (\sigma_i, \sigma_j, \sigma_k)$ computed in Step 1 of SafeNAND. Note that the correlation values are a function of the keys only (and not the ciphertexts), and thus they are identically distributed in both $Real$ and $Simulated$. The difference is in the conditional distribution of $(c_i, c_j, c_k)$ given $(key, \sigma)$.

We focus on the joint conditional distribution of $(key, (c_i, c_j, c_k))$, conditioned on $\sigma$. We will show that this joint distribution, conditioned on $\sigma$, is: (i) IuO in $Real$, and (ii) its independently drawn variant in $Simulated$. Given $\sigma$, the leakage is a multi-source function of $key$ and of the ciphertexts. We will conclude, using Lemma 3.11, that: (i) the leakage in $Real$ and in $Simulated$ is statistically close, and (ii) for a fixed leakage value $w_{1,2}$ that can occur in $Real$, the conditional distribution of $(key, (c_i, c_j, c_k))$ in $Real$, given $(\sigma, w_{1,2})$, will remain IuO. The distribution of $(key, (c_i, c_j, c_k))$ in $Simulated$, given $(\sigma, w_{1,2})$, will be the independently drawn variant of the same distribution in $Real$. Note that $C$ is a (linear) function of $(c_i, c_j, c_k)$ (and $a_i, a_j$), and so we get the same guarantees for the distributions of $(key, C)$ in $Real$ and $Simulated$.

It remains to show that the requirements of Lemma 3.11 hold. Namely, that $(key, (c_i, c_j, c_k))$ in $Real$, conditioned on $\sigma$, is IuO, and that the same distribution in $Simulated$ is its independently drawn variant. For this, observe first that in $Simulated$, the distribution of $(key, (c_i, c_j, c_k))$ given $\sigma$ is the product distribution of $key$ given $\sigma$, and of $\mathcal{C}$ (without any conditioning). The fixed values of $\sigma$ do not affect the marginal distribution on ciphertexts, because (in $Simulated$) the ciphertexts are drawn independently of the keys. In $Real$, on the other hand, the keys and ciphertexts are no longer drawn independently. However, even in $Real$, $\mathcal{D}$ is IuO. In particular, $\mathcal{D}$'s marginal conditional distribution on $(c_i, c_j, c_k)$, given $key$ and $\sigma$, is equal to $\mathcal{C}$, conditioned on $\langle key \oplus \sigma_i, c_i \rangle = b_i$, on $\langle key \oplus \sigma_j, c_j \rangle = b_j$, and on $\langle key \oplus \sigma_k, c_k \rangle = b_k$. We conclude that in $Real$, the distribution of $(key, (c_i, c_j, c_k))$, conditioned on $\sigma$, is also IuO. Moreover, by Lemma 3.8, with all but $O(\delta(\kappa))$ probability over $\sigma$, the min-entropy of $(key, (c_i, c_j, c_k))$ given $\sigma$ is at least $4\kappa - O(\lambda(\kappa))$.

By Lemma 3.11, we conclude that the distributions $((key, C) \mid (\sigma, w_{1,2}))$ in $Real$ and in $Simulated$ satisfy all the conditions of Lemma 6.2 (security of Permute). By construction, the vector $b_{SimPermute}$ of plaintext values given as input to the SimPermute simulator in $Simulated$ is a uniformly random permutation of the plaintexts underlying $(key, C)$, the input to Permute in $Real$. By Lemma 6.2, we conclude that the distributions of $(w_{1,2} \circ w_3 \circ (K', C'))$, in conjunction with $\sigma$, are statistically close in $Real$ and $Simulated$. Statistical closeness of $Real$ and $Simulated$ follows, because the leakage $w_4$ from Step 4 is a function of $(K', C')$. □


7 Putting it Together: The Full Construction

In this section we show how to compile any circuit into a secure transformed one that resists OC side-channel attacks, as per Definition 3.14 in Section 3.4. See Section 2 for an overview of the construction.

The full initialization and evaluation procedures are presented below in Figures 10 and 11. The evaluation procedure is separated into sub-computations (which may themselves be separated into sub-computations of the cryptographic algorithms). Ciphertext bank procedures are in Section 5. The procedures for safely computing NAND and duplication are in Section 6. Theorem 7.1 states the security of the compiler.

Theorem 7.1. There exist a leakage bound $\lambda(\kappa) = \Omega(\kappa)$ and a distance bound $\delta(\kappa) = negl(\kappa)$, s.t. for every $\kappa \in \mathbb{N}$, the (Init, Eval) compiler specified in Figures 10 and 11 is a $(\lambda, \delta)$-continuous leakage secure compiler, as per Definition 3.14.

Proof Sketch. We first specify the simulator and then provide a sketch of statistical security.

Simulator. Let $\mathcal{A}$ be a (continuous) leakage adversary. The simulator, using SimInit and SimEval, creates a view of repeated executions of Eval, on different inputs, under a (continuous) leakage attack by $\mathcal{A}$. It mimics the operation of the "real" Eval procedure. The SimInit procedure starts by initializing all ciphertext banks using SimBankInit. Within the $t$-th execution, with input $x_t$ and output $C(y, x_t)$, the simulator picks all of the $(a_i, b_i)$ shares for each wire $i$ in advance. To do so, the simulator first evaluates $C(0, x_t)$ and takes $v'_i$ to be the bit value on wire $i$ in this evaluation. For $y$-input wires, the simulator sets $a_i = b_i = 0$. For internal wires, the $a_i$ shares are uniformly random, and each $b_i$ is set so that $a_i \oplus b_i = v'_i$. For the output wire $out$, the simulator sets $a_{out} = C(y, x_t)$, and $b_{out} = v'_{out} \oplus a_{out}$.

Once the $(a_i, b_i)$ values are picked, the simulator generates the ciphertexts $c_i$ so that the plaintext underlying $c_i$ is indeed $b_i$. This is done using the SimBankGen simulation procedure, which gives the simulator control over the plaintext underlying the ciphertext that it generates. The rest of the simulator's operation follows the Eval procedure on the generated ciphertexts, and the leakage is generated as it would be from an execution of Eval. The SimInit and SimEval procedures are specified below in Figures 12 and 13.

Initialization Init($1^\kappa$, $C$, $y$)

1. for every $y$-input wire $i$, corresponding to $y[j]$:
   $Bank_i \leftarrow BankInit(1^\kappa, y[j])$

2. for the output wire $output$:
   $Bank_{output} \leftarrow BankInit(1^\kappa, 0)$

3. for the internal wires:
   $Bank_{internal} \leftarrow BankInit(1^\kappa, b)$, where $b \in_R \{0, 1\}$

4. output $state_0 \leftarrow (Bank_{internal}, Bank_{output}, \{Bank_i\}_{i \text{ is a } y\text{-input wire}})$

Figure 10: Init procedure, to be run in an offline stage on circuit $C$ and secret $y$.

Statistical Security (Sketch). The intuition for security is that the "public" a_i shares
in the simulated execution are distributed exactly as they are in the real execution. The
"private" b_i shares differ between the real and simulated execution, but these shares
are in protected LROTP encrypted form (key_i, c_i), where the key and ciphertext are
never loaded into memory together.

The  full  proof  that  Real  and  Simulated  are  statistically  close  uses  several  hybrids: 

Real to HybridReal: replacing real generations with simulated ones. The first hybrid is
HybridReal. It is obtained from Real by replacing each "real" generation with a
"simulated" generation that produces a key-ciphertext pair with the same underlying
plaintext. In particular, we replace each BankInit(b_i) call for an output or y-input
wire i with a SimBankInit call, and we replace the BankInit call for Bank_internal with a
SimBankInit call. We then replace each BankGen call for an output or y-input wire i with
a call to SimBankGen(b_i), where b_i is the appropriate private share for wire i. We
replace each pair of BankGen calls to Bank_internal with a pair of calls to
SimBankGen(b), where b is independent and uniformly random in {0, 1}. Finally, we
replace each call to BankUpdate and BankRedraw with a call to SimBankUpdate and
SimBankRedraw (respectively). Other than these changes to the ciphertext bank calls, we
run exactly as in Real.
Evaluation Eval(state_{t-1}, x_t)

state_{t-1} = (Bank_internal, Bank_output, {Bank_i}_{i is a y-input wire})

1. Generate keys and ciphertexts for all circuit wires:

   (a) y-input wire i:
       (key_i, c_i^in) ← BankGen(Bank_i)
       Bank_i ← BankUpdate(Bank_i)

   (b) output wire output:
       (key_output, c_output^out) ← BankGen(Bank_output)
       Bank_output ← BankUpdate(Bank_output)

   (c) each internal wire i (in sequence):
       (key_i, c_i^out) ← BankGen(Bank_internal)
       (key_i, c_i^in) ← BankGen(Bank_internal)
       Bank_internal ← BankRedraw(Bank_internal)
       Bank_internal ← BankUpdate(Bank_internal)

   (d) x-input wire i: key_i ← KeyGen(1^κ), c_i^in ← Encrypt(key_i, 0)

2. Compute the public shares on all wires.

   For the input wires: for each y-input wire i, a_i ← 0. For each x-input wire i
   corresponding to x_t[j], a_i ← x_t[j].

   Proceed layer by layer (from input to output) to compute the remaining public shares:

   (a) for each NAND gate with input wires i, j and output wire k, compute:
       a_k ← SafeNAND(a_i, key_i, c_i^in, a_j, key_j, c_j^in, key_k, c_k^out)

   (b) for each duplication gate with input wire i and output wires j, k, compute:
       a_j ← SafeDup(a_i, key_i, c_i^in, key_j, c_j^out)
       a_k ← SafeDup(a_i, key_i, c_i^in, key_k, c_k^out)

   (c) output a_output

3. the new state is state_t ← (Bank_internal, Bank_output, {Bank_i}_{i is a y-input wire})

Figure 11: Eval procedure performed on input x_t, under OC leakage. See Section 5.1 for
ciphertext bank procedures, Section 6.1 for SafeNAND, SafeDup.

The two views Real and HybridReal differ only in that in Real we have calls to BankInit,
BankGen, BankUpdate, BankRedraw, whereas in HybridReal we have calls to the corresponding
simulated procedures. Note that the b_i values given as input to SimBankGen in HybridReal
are distributed identically to the plaintexts underlying the ciphertexts generated in the
corresponding calls to BankGen in Real: for y-input wire i, corresponding to the j-th bit
of y, b_i is equal to y[j] in both views. For each internal wire i, b_i is an
independently uniformly random bit in both views. For the output wire output, b_output
equals 0 in both views. By Lemmas 5.1 and 5.4, we get that the
Simulator Initialization SimInit(1^κ, C)

1. for every y-input wire i, corresponding to y[j]:
   Bank_i ← SimBankInit(1^κ)

2. for the output wire output:
   Bank_output ← SimBankInit(1^κ)

3. for the internal wires:
   Bank_internal ← SimBankInit(1^κ)

4. output state_0 ← (Bank_internal, Bank_output, {Bank_i}_{i is a y-input wire})

Figure 12: Simulator Initialization SimInit
Simulator SimEval(state_{t-1}, x_t, C(y, x_t))

The simulator first computes v'_i values for each wire i in the circuit by evaluating
C(0, x_t).

For each circuit wire i, choose shares (a_i, b_i):

   x_t-input wire corresponding to x_t[j]: a_i ← x_t[j], b_i ← 0
   y-input wire: a_i, b_i ← 0
   internal wire: a_i ←_R {0, 1}, b_i ← v'_i ⊕ a_i
   output wire: a_output ← C(y, x_t), b_output ← v'_output ⊕ a_output

After the (a_i, b_i) shares have been computed for each wire, simulate Eval as follows:

• in Step 1, for each wire i, replace each call to BankGen for wire i with a call to
  SimBankGen with b_i. Replace each call to BankUpdate and BankRedraw with a call to
  SimBankUpdate or SimBankRedraw (respectively).

• in Step 2, for each NAND gate with input wires i, j and output wire k, compute:
     a_k ← SafeNAND(a_i, key_i, c_i^in, a_j, key_j, c_j^in, key_k, c_k^out)
  for each duplication gate with input wire i and output wires j, k, compute:
     a_j ← SafeDup(a_i, key_i, c_i^in, key_j, c_j^out)
     a_k ← SafeDup(a_i, key_i, c_i^in, key_k, c_k^out)

• as in Eval, the new state is
  state_t ← (Bank_internal, Bank_output, {Bank_i}_{i is a y-input wire})

Figure 13: Sim procedure performed on input x_t and circuit output C(y, x_t)

joint distributions of the leakage in all of these calls, together with all keys and
ciphertexts produced, are statistically close in Real and in HybridReal. We can complete
the generation of the view in both cases (the leakage from SafeNAND and SafeDup) as a
function of the keys and ciphertexts produced, and we conclude that the two views are
statistically close.
HybridReal to HybridReal' and Simulated to Simulated': replacing safe computations with
simulated leakage. Next, we obtain HybridReal' from HybridReal by replacing the SafeNAND
calls, in each execution and for each internal and output wire i, with calls to the
SimNAND simulator from Lemma 6.1, using HybridReal's a_k public shares and the underlying
distributions on keys and ciphertexts (the underlying distributions are a function of the
leakage values in prior computations).

Similarly, we obtain a hybrid Simulated' from Simulated by replacing the SafeNAND calls
with calls to the SimNAND simulator, using SimEval's a_i public shares and its underlying
distributions on keys and ciphertexts.

Note that, in particular, HybridReal' and Simulated' can no longer be generated
efficiently (because the SafeNAND simulator is not efficient). By Lemmas 5.3 and 5.5, the
conditions of Lemma 6.1 all hold for each replacement of SafeNAND by SimNAND in both views
(given the leakage in prior computations). In particular, the keys and ciphertexts
involved in each SafeNAND come from IuO distributions whose underlying distributions have
high entropy (w.h.p.). This is where we use the fact that, for each internal wire i, even
given the leakage, the i-th wire's ciphertexts c_i^out and c_i^in are independent up to
having the same orthogonality w.r.t. key_i. We conclude that HybridReal and HybridReal'
are statistically close, as are Simulated and Simulated'.

Closeness of HybridReal' and Simulated'. HybridReal' and Simulated' are both obtained as
a function of leakage from a sequence of SimBankGen calls: the leakage from these
generations is then used to compute the leakage for SimNAND calls (the leakage from the
generations specifies the underlying distributions used by SimNAND). In particular, the
actual keys and ciphertexts generated are never again accessed after their generation.
The same post-processing is performed on the leakage from the generations in both cases:
namely, calls to SimNAND on the same underlying distributions, and with identically
distributed a_i values. The two sequences of generations differ only in the
orthogonalities of the underlying plaintexts that are generated in the SimBankGen calls
for the output and the y-input wires (the plaintexts for internal wires are identically
distributed). By Lemma 5.2, we conclude that the leakage from the generations is
statistically close in both cases, and so HybridReal' and Simulated' are also
statistically close. □
ABSTRACT

We construct a multiparty computation (MPC) protocol that is secure even if a malicious
adversary, in addition to corrupting a (1 − ε) fraction of all parties for an arbitrarily
small constant ε > 0, can leak information about the secret state of each honest party.
This leakage can be continuous for an unbounded number of executions of the MPC protocol,
computing different functions on the same or different set of inputs. We assume a
(necessary) "leak-free" preprocessing stage.

We emphasize that we achieve leakage resilience without weakening the security guarantee
of classical MPC. Namely, an adversary who is given leakage on honest parties' states is
guaranteed to learn nothing beyond the input and output values of corrupted parties. This
is in contrast with previous works on leakage in the multi-party protocol setting, which
weaken the security notion, and only guarantee that a protocol which leaks ℓ bits about
the parties' secret states yields at most ℓ bits of leakage on the parties' private
inputs. For some functions, such as voting, such leakage can be detrimental.

Our  result  relies  on  standard  cryptographic  assumptions, 
and  our  security  parameter  is  polynomially  related  to  the 
number  of  parties. 
1. INTRODUCTION

The notion of secure multiparty computation (MPC), introduced in the works of Yao [Yao82]
and Goldreich, Micali and Wigderson [GMW87], is one of the cornerstones in cryptography.
Very briefly, an MPC protocol for computing a function f allows a group of parties to
jointly evaluate f over their private inputs, with the property that an adversary who
corrupts a subset of the parties does not learn anything beyond the inputs of the
corrupted parties and the output of the function f. Over the years, MPC protocols have
found numerous applications, such as in protocols for auctions, electronic voting,
private information retrieval, and threshold and proactive cryptography.

The definition of security for MPC assumes that an adversary sees the messages sent and
received by honest parties, but their internal state is perfectly secret. However, over
the last two decades, it has become increasingly evident that in the real world,
attackers can gain various additional information about the secret states of the honest
parties via various side-channel attacks (see [Koc96, AK96, QS01, GMO01, OST06, HSH+08]
and references therein).

In  this  work,  we  study  MPC  in  the  setting  where  an 
adversary,  who  corrupts  an  arbitrary  subset  of  parties  in 
the  protocol,  can  also  leak  information  about  the  entire  se¬ 
cret  state  of  each  honest  party  throughout  the  protocol  ex¬ 
ecution  (except  during  a  designated  leak-free  preprocessing 
stage).  Leakage  is  modeled  by  allowing  the  adversary  to 
query  leakage  functions,  as  follows.  Each  leakage  function  is 
computed  by  an  arbitrary  poly-size  circuit,  with  bounded 
output-length,  which  is  applied  to  the  secret  state  of  an 
honest  processor.  The  adversary  may  choose  the  leakage 
functions  adaptively,  based  on  the  entire  history  of  commu¬ 
nication,  previous  leakage,  and  internal  state  of  corrupted 
processors. 

The security guarantee we aim for, and will achieve, is that any adversary in the above
leakage model does not learn anything beyond the inputs of the corrupted parties and
output values of the functions computed by the MPC protocol. This is formalized via the
standard real/ideal world paradigm. In the ideal world, parties do not interact directly,
but rather send their inputs to an "ideal functionality", who computes the function for
them, and sends them the output. There is no leakage in the ideal world. An MPC protocol
is said to be secure if for every "real world" leakage adversary A (as above) there
exists an "ideal world" simulator S, such that the output of all the parties (including
the adversary) in the real world is computationally indistinguishable from the output of
all the parties (including the simulator) in the ideal world.

Weakly  Leakage-Resilient  MPC. 

We note that recently there have been several results that consider the problem of
constructing leakage-resilient protocols [GJS11, BCH11, DHP11, BGG+11]. However, in
contrast to the security guarantee we consider here, all these results give a weak
security guarantee (though, they do not rely on a leak-free preprocessing stage). They
guarantee that an adversary that runs the protocol and leaks ℓ bits about the honest
parties' secret state does not learn more than the output of the function being
computed, and an additional ℓ bits about the private inputs of the honest parties. We
note that leakage of ℓ bits on the private inputs of the honest parties could be
detrimental to the security of the entire MPC protocol. For example, say the function to
be computed by the MPC protocol is to tally up the binary votes of the parties. Then,
the ℓ bits can be exactly the complete ℓ votes of any ℓ honest parties, rendering the
protocol useless.

Moreover, this weak security notion allows the adversary to learn ℓ bits about the joint
view of all the honest parties. Thus, another instructive example is to think of the
function being computed as a threshold decryption function, where each party has a
secret-share of the decryption key. In this case, the weak security guarantee allows the
leakage of ℓ bits from the decryption key, which for some decryption algorithms could
entirely compromise security.

Interestingly,  we  use  the  result  in  [BGG+11],  which  con¬ 
structs  an  MPC  protocol  with  the  weak  security  guarantee, 
as  a  building  block  to  construct  a  leakage-resilient  MPC  pro¬ 
tocol  with  the  classical  (strong)  security  guarantee. 

Security  Against  Continual  Leakage. 

We further remark that the weaker security notion previously achieved cannot be extended
meaningfully to continual leakage in the MPC setting. That is, it cannot address the
setting where the n users do not just perform a one-shot MPC protocol, but rather engage
in an unbounded number of MPC protocols for many functions, and during each MPC
invocation the adversary leaks ℓ bits from each of the honest parties' internal states.
This is obvious, as allowing the repeated leakage of new ℓ bits of information on the
honest parties' inputs would eventually leak the honest parties' inputs in their
entirety. For example, in the setting where a set of parties jointly compute a threshold
decryption function (as described above), they may want to carry out many decryption
computations, where leakage happens repeatedly. Since each ℓ bits of leakage corresponds
to ℓ bits of leakage on the decryption key, the decryption key may eventually be
completely leaked! Nonetheless, we use the result of [BGG+11] as a building block to
achieve our stronger continual leakage security guarantee.

1.1 Our Result: Continual Leakage-Resilient MPC

In this work, we construct a leakage-resilient MPC protocol for any function f, without
weakening the security guarantee. We consider a continual setting, where parties over
time compute many functions on their inputs. Our security guarantee is that an adversary
does not learn anything beyond the inputs of the corrupted parties and the output of the
functions computed, even if he continually leaks information about the honest parties'
secret states throughout the protocol executions. Parties' secret states are
periodically updated via an update procedure, during which the adversary can continue to
leak information. We allow each of the adversary's leakage functions to be an arbitrary
(shrinking) polynomial time computable function of the entire secret state of each
honest party (separately), and these leakage functions can be chosen adaptively on all
information the adversary has seen thus far.

Theorem  (Informal). 

Under (standard) intractability assumptions, for every constant ε > 0 there exists an MPC
protocol for computing an unbounded number of functions among n parties of which at
least an ε fraction are honest. The protocol is secure against continual leakage,
assuming a one-time leak-free preprocessing stage in which the inputs are shared, and
where the security parameter is polynomially related to the number of parties n.

A  few  remarks  about  our  result  statement  are  in  order. 

“Leak-free  ”  Preprocessing. 

We assume the existence of a leak-free preprocessing stage. We stress that this is a
necessary assumption to obtain our strong security guarantee, since otherwise an
adversary can simply leak ℓ bits about an honest party's secret input, before the MPC
even commences. More generally, we note that such a leak-free preprocessing stage is a
necessary step in the construction of any leakage resilient cryptographic primitive
which receives a secret input, and where the security guarantee is that the secret input
does not leak. This is the case, for example, in the compilers of [ISW03, FRR+10, JV10,
GR10, GR12], which transform algorithms with a secret state into a functionally
equivalent leakage-resilient variant of the same algorithm.

We  remark  that  our  preprocessing  stage  in  fact  has  the 
nice  property  that  it  can  be  decomposed  into  two  parts, 
namely,  (a)  an  interactive  preprocessing  phase  that  is  inde¬ 
pendent  of  the  parties’  inputs  and  the  functions  to  be  com¬ 
puted,  and  (b)  a  non-interactive  input  dispersal  phase.  We 
stress  that  the  first  phase  is  run  only  once  in  the  beginning 
of  time,  before  the  parties  know  what  their  inputs  are  or 
what  functions  they  wish  to  compute.  The  second  (non¬ 
interactive)  phase  is  run  whenever  the  parties  choose  a  set 
of  inputs. 

While  both  of  these  parts  are  assumed  to  be  “leak-free”, 
we  do  allow  leakage  between  them.  We  refer  the  reader  to 
Section  3  for  a  formal  description  of  our  model. 

Multi-function MPC and Continual Leakage.

We note that in the standard (leak-free) MPC literature, one typically considers a
one-shot MPC protocol, as opposed to considering the setting where the parties compute an
unbounded (polynomial) number of functions. The reason we focus on the latter setting is
to emphasize that we need to run the leak-free preprocessing stage only once, and then
the parties can compute any unbounded number of functions f_1, f_2, ... in a leaky
environment.

We further emphasize that we allow the adversary to leak continuously on the secret
states of the parties during the unbounded computations; the only (necessary)
requirement is that the secret states of the parties are periodically updated (since
otherwise they will eventually be completely leaked). However, the adversary is allowed
to leak even during each update procedure. We do not bound the total number of bits that
the adversary leaks, but rather only bound the leakage rate: i.e., the number of bits
leaked between updates.

Extending  to  Multi-Input  MPC. 

We stated our theorem for the case of computing many functions on a single set of inputs.
However, our construction is easily extended to the many-input case. Whenever a party
chooses a new input, the (leak-free) non-interactive input phase described above can be
repeated. Namely, party P_i on new input x_i performs a local computation on x_i, sends a
message to the other parties, and erases x_i. One may think of this model as a "hot
potato" model, where the parties never store their inputs for very long (since they are
concerned with leakage), but rather immediately share their input (as if it were a "hot
potato").

Number  of  Parties  vs.  Security  Parameter. 

Notice that in our theorem, the security parameter is polynomially related to the number
of parties. Namely, the security increases with the number of parties. Therefore, this
theorem is meaningful only when the number of parties in the MPC protocol is large. One
may ask whether this restriction on the number of parties being large, or the restriction
that an ε-fraction is honest, is inherent, or whether it is simply an artifact of our
techniques. Unfortunately, it turns out that this restriction cannot be removed
altogether. In particular, one can prove that there does not exist a secure
leakage-resilient two-party computation protocol in our model.¹ Similarly, one can show
that there does not exist a secure leakage-resilient MPC protocol if all the parties
except one are malicious. Moreover, jumping ahead, in Section 1.4 we show that proving
this theorem for a constant number of parties implies an "only computation leaks (OCL)
compiler" (without leak-free hardware) that has only a constant number of
sub-computations (or "modules"), which is an interesting open problem on its own. We
refer the reader to Section 1.4 for details.

Assumptions.

In our construction, we rely on several underlying cryptographic primitives, including a
fully homomorphic encryption (FHE) scheme [Gen09, BGV11], a non-interactive
zero-knowledge (NIZK) proof-of-knowledge system [FLS90], a standard MPC protocol [GMW87],
an equivocal commitment scheme [FS89], a weakly leakage-resilient MPC protocol [BGG+11]
and an LDS compiler [BCG+11] (which can be thought of as a stronger version of an OCL
compiler as in [JV10, GR10, GR12]). These primitives have been shown to exist under
various standard computational intractability assumptions, and we refer the reader to
Section 2 for details on these primitives, and the corresponding assumptions. We note
however that all these primitives, excluding FHE, can be based on the DDH assumption.

¹ The reason is the following: Assume the adversary controls party P_1. In this case, he
knows the entire secret state s_1 of P_1, and can choose his leakage function L to depend
on s_1: i.e., L = L_{s_1}. Note that L takes as input the secret state s_2 of P_2, and
thus the adversary can leak any (shrinking) function g(s_1, s_2) by setting
L_{s_1}(s_2) = g(s_1, s_2). But, recall that from the secret states (s_1, s_2) the
parties can compute any function of the original inputs (x_1, x_2). Therefore, the
function leaked can be an arbitrary function of the original inputs. Clearly, such
leakage cannot be simulated in the ideal world.

The use of FHE in our construction is in order to ensure that the number of parties
required will be independent of the complexity of the functions computed by the MPC
protocol.²

Applications. 

We  demonstrate  the  application  of  our  result  to  the  prob¬ 
lem  of  delegating  multi-party  computation  to  outside  servers. 
Generally,  the  setting  is  of  a  large  set  of  parties  who  need  to 
perform  a  joint  computation,  and  they  would  like  a  service 
(such  as  Amazon)  to  do  the  computation  for  them.  How¬ 
ever,  they  do  not  trust  any  one  server,  and  further  believe 
that  any  server  can  be  leaked  upon. 

Usually,  MPC  provides  a  solution  around  the  trust  prob¬ 
lem  by  using  several  servers,  as  follows:  Each  party  secret 
shares  her  input,  and  gives  one  share  to  each  server;  then 
the  servers  carry  out  the  desired  computation  by  running 
an  MPC  protocol;  finally,  one  argues  that  if  there  are  suf¬ 
ficiently  many  honest  parties,  then  security  is  guaranteed. 
However,  if  an  adversary  can  obtain  leakage  information 
from  the  honest  servers,  then  this  is  no  longer  true.  To  ar¬ 
gue  security  in  the  leaky  setting,  the  servers  will  need  to  run 
a  leakage-resilient  MPC  protocol.  Moreover,  if  the  servers 
compute  many  functions  on  the  secret  inputs,  then  they  will 
need  to  run  an  MPC  protocol  that  is  secure  against  con¬ 
tinual  leakage.  Let  us  demonstrate  three  examples  of  this 
setting. 

•  Electronic  election:  Say  an  electronic  election  among 
many  voters  is  to  be  held.  Clearly  running  an  MPC 
protocol  among  all  voters  is  prohibitive,  since  it  re¬ 
quires  interaction  between  every  two  voters.  Instead, 
the  MPC  protocol  is  run  by  a  proxy  of  n  servers.  Since 
these  servers  compute  on  very  sensitive  information, 
attackers  may  try  to  employ  various  side-channel  at¬ 
tacks  to  learn  this  information.  Thus,  to  ensure  the 
secrecy  of  the  individual  votes,  the  servers  should  run 
a  leakage-resilient  MPC  protocol. 

• Medical Data: One may envision a huge database which contains the medical data of
  every patient in the US. To compute any global statistic on this data, one would not
  want to put complete trust in any single database. Instead, it is distributed to n
  different databases. Each time they need to compute statistics on this data, they
  engage in an MPC protocol. As in the voting example, since these databases contain
  very sensitive information, an adversary may try to obtain this information via a
  leakage attack. Thus, to ensure security, the databases must run an MPC protocol that
  is secure against continual leakage.

• Differential Privacy: In the area of differential privacy, great care is taken to
  ensure that the data of individuals is protected. However, usually it is assumed that
  there is an honest curator, and that the people in the database hand their secret data
  to this curator. However, it seems likely that people may not trust any single curator
  with highly sensitive information (such as whether they do or do not have a disease
  which may scare off life insurance providers). Thus, as in the previous examples, this
  trusted curator can be replaced by a multitude of parties of which only a small
  fraction is assumed to be honest. Moreover, if these parties compute on the database
  using a leakage-resilient MPC protocol, then security is guaranteed even if all the
  honest parties are leaked upon (as long as some ε-fraction of the honest parties are
  not fully leaked upon).

² We emphasize that, while FHE immediately solves the related problem of computing on
encrypted data, FHE does not suffice for our purposes. To illustrate, suppose the
parties collectively generate a public key pk for the FHE scheme, so that they each hold
a secret share of the corresponding secret key, and then each publish an encryption of
their input x_i. Then for any efficiently computable function f, they can easily produce
an encryption of the desired output, Enc_pk(f(x)). However, the challenge is (even for a
one-shot function computation) how to enable the parties to collectively decrypt this
ciphertext and reveal f(x) itself, while simultaneously ensuring that the adversary (who
can corrupt nearly all of the parties, and leak on all the rest) is not able to learn
any information on the x_i's.

1.2  Related  Work 

Leakage-Resilient  Non-Interactive  Primitives. 

There has been an extensive amount of research on leakage-resilient cryptography in the
past few years. Most prior works construct specific leakage-resilient non-interactive
primitives, such as leakage-resilient encryption schemes and leakage-resilient signature
schemes [DP08, AGV09, Pie09, DKL09, ADW09, NS09, KV09, DGK+10, FKPR10, ADN+10, KP10,
GR10, JV10, BG10, BKKV10, DP10, DHLW10a, DHLW10b, LRW11, MTVY11, BSW11, LLW11, DLWW11,
BCG+11].

Weakly  Leakage-Resilient  Interactive  Protocols. 

There has also been prior work on the problem of constructing leakage-resilient
interactive protocols [GJS11, BCH11, BGK11, DHP11, BGG+11]. Garg et al. [GJS11] present
a leakage-resilient zero-knowledge proof system. Bitansky et al. [BCH11] present
leakage-resilient protocols for various functionalities (such as secure message
transmission, oblivious transfer, and commitments) which are secure against semi-honest
adversaries, and also zero knowledge, in the UC framework. Boyle et al. [BGK11] present
a leakage-resilient multi-party coin tossing protocol. Damgård, Hazay, and Patra [DHP11]
present a general leakage-resilient two-party secure function evaluation protocol for
NC¹ functions in the semi-honest setting. In their model, they further place a
restriction that the adversary must leak on the input and randomness of an honest
party's secret state independently. Finally, very recently Boyle et al. [BGG+11]
constructed a general leakage-resilient MPC protocol that is secure in the UC setting.

However, all the results in the interactive setting mentioned above offer a weak security guarantee, that an adversary that leaks ℓ bits in the real world gains at most ℓ bits of secret information about the secret inputs of the parties. (An exception is the work of [BGK11] that considered the specific coin-tossing functionality, where the parties do not have any secret inputs.) Moreover, the ℓ bits of secret information gained is an arbitrary (poly-size) function of the joint inputs x_1, ..., x_n.

Only Computation Leaks Model.

Finally, we mention that various leakage models have been considered in the literature that restrict the leakage functions in different ways. Most notable is the only computation leaks (OCL) model of Micali and Reyzin [MR04]. The axiom of this model is that secret information that is merely stored in memory does not leak, but any information that is used during a computation may leak.

Several results prove security for specific cryptographic primitives in the OCL leakage model [DP08, Pie09, FKPR10]. More generally, it is known how to convert any circuit into one that is secure in the OCL model [GR10, JV10, GR12].

In particular, a recent work of Goldwasser and Rothblum [GR12] shows how to do this unconditionally, making no intractability assumptions, and without resorting to secure leak-free hardware, unlike the previous works. Specifically, Goldwasser and Rothblum construct an efficient compiler that takes any circuit (with some secret values hard-wired) and converts it into a leakage-resilient one, consisting of several modules, each of which performs a specific sub-computation. The security guarantee is that an adversary, who at any point of time throughout the computation obtains bounded leakage from the "currently active" module, does not learn any more information than having black-box access to the circuit. We will use a variant of this result (namely, an LDS compiler; see Section 2.5) to construct our leakage-resilient MPC scheme. In particular, we use [GR12] as a building block in our construction. See Section 1.3 for details.

We stress that our result does not use the OCL assumption, and we allow the adversary to compute leakage functions on everything held in the memory of each party (except during the preprocessing phase and during the input phase).

1.3 Overview of Our Construction

Starting point - OCL Compiler.

As discussed earlier, it is known how to convert any circuit into one that is secure in the only computation leaks (OCL) model (without assuming secure hardware) [GR12]. In light of this result, a natural first idea toward realizing our goal of constructing leakage-resilient MPC protocols is the following. Let P_1, ..., P_n denote the set of all parties, and let U_x be a universal circuit that has the secret input vector x of all the parties hard-wired into it and on input a circuit f outputs U_x(f) = f(x). Then, very roughly, the candidate MPC protocol works as follows. First, in the "leak free" preprocessing phase, apply the OCL compiler of [GR12] on circuit U_x to obtain a set of modules Sub_1, ..., Sub_n such that on any input f, the "compiled" circuit (consisting of Sub_1, ..., Sub_n) outputs U_x(f) = f(x). Next, in the computation phase, in order to securely compute a function f, each party P_i emulates the module Sub_i (such that the computation of Sub_i is performed by party P_i), where the input of Sub_1 is f, and the output of Sub_n is the protocol output f(x). Finally, in the update phase, the parties update their respective modules by running the update algorithm of the OCL compiler.

Now, assuming that we can reduce (independent) leakage on each party to (independent) leakage on its corresponding module, one may hope that the above MPC protocol achieves the desired security properties: in particular, privacy of the inputs that were "encoded" in the preprocessing phase. Unfortunately, as we explain below, this is not the case. Nevertheless, as will be evident from the forthcoming discussion, the above approach serves as a good starting point toward realizing our goal.

OCL Compiler vs. LR-MPC.

There are two main differences between the setting of leakage-resilient MPC (LR-MPC) and an OCL compiler.

1. The first difference is perhaps best illustrated by the fact that an OCL compiler only guarantees security against an external adversary who can obtain leakage from the modules. In contrast, in the setting of LR-MPC, we wish to guarantee security against an internal adversary, who may also corrupt a subset of the parties.

More concretely, recall that the security of the OCL compiler crucially relies on the assumption that an external adversary can only obtain bounded, independent leakage on each module. Further, in order for the correctness of the compiled circuit to hold, each module must perform its computation as specified. As a result, the above approach, at best, yields an MPC protocol that is secure when all the parties are honest (not even semi-honest) but can be leaked upon by an external adversary. Specifically, note that if an internal adversary can corrupt some of the parties, then we can no longer guarantee correctness of computation, and even worse, an adversary may be able to obtain joint leakage on multiple modules, and learn the entire secret state of modules corresponding to corrupted parties, thus violating both of the above stated requirements.

2. The second difference between the OCL compiler and the leakage-resilient MPC setting is that in the OCL setting, the communication between the modules is assumed to be private (but may be leaked), and leakage is assumed to happen "in order"; i.e., only a module which is currently computing can be leaked upon. On the other hand, in the leakage-resilient MPC setting, the entire communication is to be known to the adversary, and moreover, leakage on any party can happen at any time.

Emulating Modules via Weakly LR-MPC.

Our key idea to circumvent the first problem stated above is to emulate each Sub_i by a designated set of parties S_i = {P_{i_1}, ..., P_{i_ℓ}}, instead of a single party P_i. More concretely, we secret share Sub_i between P_{i_1}, ..., P_{i_ℓ}, who then run a specific MPC protocol Π to jointly emulate the (functionality of) module Sub_i. Now, note that as long as at least one of the parties in the designated set S_i is honest, the emulation of Sub_i will be "correct", and if leakage on each honest party is bounded, then we can expect the leakage on the module Sub_i to be bounded as well. Furthermore, if all of the designated sets S_i for the modules Sub_i are disjoint (i.e., no party is contained within two different sets), then the leakage on each module will be independent, as required. However, note that since we are in the setting of leakage, in order for the above idea to work, we need the MPC protocol Π to satisfy some form of leakage-resilience. Thus, a priori, it seems that we haven't made any progress at all.

Our next crucial observation is that protocol Π in fact only needs to satisfy a weaker form of leakage-resilience. Specifically, we only require that leakage on the secret state of each party in S_i executing protocol Π (to emulate Sub_i) can be "reduced" to leakage on the module Sub_i. (This suffices since the OCL compiler allows bounded leakage on each module.) More generally, this translates to constructing an MPC protocol such that the leakage on the secret states of the honest parties in the real world can be reduced to leakage on the inputs of the honest parties in the ideal world. Fortunately, an MPC protocol (for any poly-size function f) satisfying the above (weak) form of leakage-resilience was recently constructed by Boyle et al. [BGG+11]. Thus, we are able to employ their construction here.³

However, the result of Boyle et al. is only for deterministic functions, whereas the modules in the OCL construction compute randomized functions. Thus, we need to extend the weakly leakage-resilient MPC to hold for randomized computations. See Section 2.6 (and Section 2.6.1 in particular) for further details.

Using an LDS Compiler Instead of an OCL Compiler.

Our key idea to circumvent the second problem stated above is to use an LDS compiler instead of an OCL compiler. The LDS (leaky distributed system) model was introduced in [BCG+11], and it strengthens the OCL model in two ways (which are exactly the strengthenings we need). First, in the OCL model, leakage occurs in a certain ordering (based on the order of computation). The LDS model strengthens the power of the adversary, by allowing him to leak from the sub-computations in any order he wishes. Moreover, he can leak a bit from Sub_i, then leak a bit from Sub_j, and based on the leakage values, leak again on Sub_i. So, the adversary controls which Sub_i he wishes to leak from. In addition, in the LDS model, the adversary can view and control the entire communication between the modules. We refer the reader to Section 2.5 for details on the LDS compiler.

By using an LDS compiler, as opposed to an OCL compiler, we get around the second problem mentioned above.

Reducing Number of Parties via FHE.

An important issue that was overlooked in the previous discussion is the following. The only known OCL compiler that does not rely on leak-free hardware [GR12], and thus the only known LDS compiler without leak-free hardware, suffers from the drawback that the number of modules in the "compiled" circuit is linear in the size of the original circuit. As a result, when we apply the LDS compiler on U_x, whose size grows with |x|, the number of resultant modules is more than the number of parties! Thus, a priori, it is not even clear how to realize the above approach.


³ At this point, an advanced reader may question whether the result of Boyle et al. [BGG+11], in conjunction with a leakage-resilient secret sharing scheme, directly yields a leakage-resilient MPC protocol in our model. Unfortunately, this is not the case since the simulator of Boyle et al. requires joint leakage on the honest party inputs, even when the real world adversary makes disjoint leakage queries on the secret states of honest parties. We refer the reader to Section 1.4 for more details.
In order to resolve the above problem, we make crucial use of fully homomorphic encryption (FHE) in the following manner. Instead of simply applying the LDS compiler to U_x, we now first compute a key pair (pk, sk) for an FHE scheme, and then apply the LDS compiler to the decryption circuit Dec_sk(·) with the secret key sk hardwired. Note that the number of resultant modules is now independent of the number of parties. Now, in a non-interactive input phase (that is also "leak-free"), the parties P_i each encrypt their respective inputs x_i under the public key pk, and publish the resulting ciphertexts x̂_i. Then, whenever the parties wish to compute a functionality f over their inputs, they homomorphically evaluate ŷ_f = Eval_pk((x̂_1, ..., x̂_n), f), and collectively evaluate the compiled decryption circuit on the value ŷ_f in the manner described above.

We note that the use of FHE allows us to obtain the desired property that the preprocessing phase is independent of the inputs and functions to be computed, since in this phase a key pair (pk, sk) is generated and the LDS compiler is applied to the corresponding decryption circuit Dec_sk(·). In addition, the input phase is non-interactive, since in this phase the parties simply compute and send an encryption of their inputs.

Missing Pieces.

A few technical issues still remain undiscussed. For example, it is not immediately clear how to choose the designated sets of parties S_i such that at least one of the parties in each set S_i is honest, and each set S_i is independent. Very roughly, to address this problem, we employ (an adapted version of) the committee election protocol of Feige [Fei99] to divide the parties into several committees, one for each module. Then, by a careful choice of parameters, we are able to obtain the desired guarantees. We refer the reader to the technical sections for more details.

1.4 Future Directions

LR-MPC for Constant Number of Parties.

Perhaps the most interesting open question left from this work is to construct a leakage-resilient MPC protocol for a constant number of parties. We note that such a result (even if we only consider adversaries that leak, but do not corrupt any party) will imply the following interesting corollary: the existence of an efficient compiler that converts any circuit into a leakage-resilient circuit that is secure in the "only computation leaks" (OCL) model with a constant number of modules (and without assuming leak-free hardware). We refer the reader to Section 2.5 for details.

To see this implication, consider such a leakage-resilient MPC protocol. Let (an arbitrary) party P_1 take as his secret input the secret circuit C to be compiled, and the other parties take no inputs. After the leak-free preprocessing stage (and the leak-free input stage), each party P_i holds a secret state s_i. We think of each party P_i as being a module Sub_i in the compiled circuit. To evaluate the circuit C on (public) input x, the modules carry out a leakage-resilient MPC computation of the universal function U_x, that on inputs {s_i}, which form some sort of secret-sharing of C, outputs C(x). Since the OCL model allows leakage on each module separately, this corresponds to allowing leakage on each party separately, which according to our definition of security gives no information about the secret C beyond the output value C(x).

Weakly Leakage-Resilient MPC with Disjoint Leakage.

Another interesting open question is to construct a leakage-resilient MPC protocol without assuming any leak-free stages, and requiring the following weakened security definition: for each "real world" adversary that makes ℓ leakage queries, where each leakage query is applied to the secret state of a single honest party, there exists a simulator in the "ideal world" that makes at most ℓ leakage queries, where each leakage query is applied to the input of a single honest party.

We note that the recent result of [BGG+11] allowed the adversary in the "real world" to make leakage queries on the joint secret state of all the parties, and allowed the simulator in the "ideal world" to make leakage queries that are a function of all the inputs of the honest parties. Unfortunately, their simulator requires joint leakage on the honest parties' inputs even in the case where the adversary only makes disjoint leakage queries.

We next show that such a leakage-resilient MPC protocol, where the leakage in the real world and in the ideal world is made on each party separately, would imply a result similar to ours, which allows a leak-free preprocessing stage, but considers a strong security guarantee. Intuitively, in the leak-free preprocessing stage, the parties will secret share their inputs via a secret sharing scheme that is resilient to continual leakage. Such a scheme was recently presented by Dodis et al. [DLWW11]. Then, any time the parties wish to compute a function f of their secret inputs, they will run the weak leakage-resilient MPC protocol. Security follows from the fact that the adversary only gains leakage from the secret share of each party separately, and from the fact that the secret-sharing scheme is resilient to continual leakage on each of its shares.

LR-MPC with Non-Interactive Preprocessing.

Finally, an interesting open question that is left by this work is to construct a leakage-resilient MPC protocol without the initial leak-free preprocessing stage, but only with the leak-free non-interactive input stages.

2. PRELIMINARIES

2.1 Non-Interactive Zero Knowledge

Definition 2.1. [FLS90, BFM88, BSMP91]: Π = (Gen, P, V, S = (S_crs, S_proof)) is an efficient adaptive NIZK proof system for a language L ∈ NP with witness relation R if Gen, P, V, S_crs, S_proof are all ppt algorithms, and there exists a negligible function μ such that for all k the following three requirements hold.

• Completeness: For all x, w such that R(x, w) = 1, and for all strings crs ← Gen(1^k),

V(crs, x, P(x, w, crs)) = 1.

• Adaptive Soundness: For all adversaries A, if crs ← Gen(1^k) is sampled uniformly at random, then the probability that A(crs) will output a pair (x, π) such that x ∉ L and yet V(crs, x, π) = 1, is at most μ(k).

• Adaptive Zero-Knowledge: For all ppt adversaries A,

$$\left|\Pr[\mathrm{Exp}_A(k) = 1] - \Pr[\mathrm{Exp}^{S}_A(k) = 1]\right| \le \mu(k),$$

where the experiment Exp_A(k) is defined by:

crs ← Gen(1^k)
Return A^{P(crs, ·, ·)}(crs)

and the experiment Exp^S_A(k) is defined by:

(crs, trap) ← S_crs(1^k)
Return A^{S'(crs, trap, ·, ·)}(crs),

where S'(crs, trap, x, w) = S_proof(crs, trap, x).

We next define the notion of a NIZK proof of knowledge.

Definition 2.2. Let Π = (Gen, P, V, S = (S_crs, S_proof)) be an efficient adaptive NIZK proof system for an NP language L ∈ NP with a corresponding NP relation R. We say that Π is a proof-of-knowledge if there exists a ppt algorithm E such that for every ppt adversary A,

$$\Pr\big[A(\mathrm{crs}) = (x, \pi) \text{ and } E(\mathrm{crs}, \mathrm{trap}, x, \pi) = w^* \text{ s.t. } V(\mathrm{crs}, x, \pi) = 1 \text{ and } (x, w^*) \notin R\big] = \mathrm{negl}(k),$$

where the probabilities are over (crs, trap) ← S_crs(1^k), and over the random coin tosses of the extractor algorithm E.

Lemma 2.3 ([FLS90]). Assuming the existence of enhanced trapdoor permutations, there exists an efficient adaptive NIZK proof of knowledge for all languages in NP.

2.2 Equivocal Commitments

Informally speaking, a bit-commitment scheme is equivocal if it satisfies the following additional requirement. There exists an efficient simulator that outputs a fake commitment such that: (a) the commitment can be decommitted to both 0 and 1, and (b) the simulated commitment and decommitment pair is indistinguishable from a real pair.

We now formally define the equivocability property for bit-commitment schemes in the CRS model.

The following definition is adapted from [FS89, CIO98].

Definition 2.4. A non-interactive bit-commitment scheme (Gen, Com, Rec) in the CRS model is said to be an equivocal bit-commitment scheme in the CRS model if there exists a PPT simulator algorithm S = (S_crs, S_com) such that S_crs takes as input the security parameter 1^k and outputs a CRS and trapdoor pair, (crs, trap); and S_com takes as input such a pair (crs, trap) and generates a tuple (c, d^0, d^1) of a commitment string c and two decommitments d^0 and d^1 (for 0 and 1), such that the following holds.

1. For every b ∈ {0, 1} and every (c, d^0, d^1) ← S_com(crs, trap), it holds that

Rec(crs, c, d^b) = b.

2. For every b ∈ {0, 1}, the random variables

{(crs, c, d) : crs ← Gen(1^k), (c, d) ← Com(crs, b)}

and

{(crs, c, d^b) : (crs, trap) ← S_crs(1^k), (c, d^0, d^1) ← S_com(crs, trap)}

are computationally indistinguishable.

Reusable CRS.

Note that the simulator algorithms S_crs and S_com are described as separate algorithms in Definition 2.4 to highlight that it is not necessary to create a separate CRS for every equivocal commitment, i.e., the CRS is reusable. In this case, Definition 2.4 can be extended in a straightforward manner to consider indistinguishability of an honestly generated tuple consisting of a crs and polynomially many commitment-decommitment pairs, from a simulated tuple.

Lemma 2.5 ([CLOS02]). Assuming the existence of one-way functions, there exists an equivocal bit commitment in the (reusable) CRS model.

String Equivocal Commitments.

For our purposes, we actually use string equivocal commitment schemes. Note that such a scheme can be easily constructed by simply repeating the above bit commitment scheme in parallel. More specifically, a commitment to a string of length n is a vector (c_1, ..., c_n), with corresponding decommitment vector (d_1, ..., d_n). The simulator algorithm S_com produces a commitment vector and a pair of decommitment vectors d^0 = (d^0_1, ..., d^0_n), d^1 = (d^1_1, ..., d^1_n). A decommitment to any particular bit string a = (a_1, ..., a_n) can be formed by selecting the appropriate decommitment values (d^{a_1}_1, ..., d^{a_n}_n). We denote this vector as d^a.

2.3 The Elect Protocol

As part of our protocol, we elect disjoint committees, and need the guarantee that (with overwhelming probability in k) the number of parties in each committee is of the correct approximate size, and that a constant fraction of each committee is honest. Such a protocol can be obtained using the technique of Feige's lightest bin committee election protocol [Fei99].

Feige's protocol selects a single committee of approximate size k out of n parties by having each party choose and broadcast a random bin in [n/k].⁴ The elected committee E consists of the parties in the lightest bin. Feige demonstrated that no set of malicious parties M ⊂ [n] of size (1 − ε)n can force a committee E to be elected for which |E ∩ M| is significantly greater than (1 − ε)k, by using a Chernoff bound to argue that each bin contains nearly εk honest parties.

Suppose we wish to elect m disjoint committees, each of size approximately k, where k is the security parameter, and where the number of parties n is at least n ≥ mk². We consider the following protocol, Elect. Each party P_i samples a random value x_i ← [n/k]. The resulting committees are precisely the m lightest bins. Namely, suppose the lightest bin is ℓ_1, the second lightest bin is ℓ_2, etc. Then E_j = {P_i : x_i = ℓ_j}, for j = 1, ..., m.

⁴ In Feige's original work [Fei99], he considered the specific case of k = log n. For our purpose, we need to elect committees whose size depends on the security parameter (to achieve negligible error), and thus we consider general k.
We have:

Lemma 2.6. Let n ≥ mk², and let M ⊂ [n] be any subset of corrupted parties of size (1 − ε)n. Then the protocol Elect yields a collection of m disjoint committees {E_j}_{j=1}^{m} such that the following properties simultaneously hold with probability ≥ 1 − e^{−Ω(k)}:

1. ∀j, (ε/2)k ≤ |E_j| ≤ (1 + o(1))k,
2. ∀j, |E_j ∩ M| / |E_j| ≤ 1 − ε/2.

The proof of Lemma 2.6 is very similar to that of the disjoint committee election protocol of [BGK11]. We refer the reader to the full version for a complete analysis.

We remark that a constant fraction of honest parties in the elected committees will be needed for the weakly leakage-resilient MPC for randomized functionalities (see discussion in Section 2.6.1).
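The following added simulation (not the paper's code) runs the Elect protocol of Section 2.3 with constructed parameters and checks the two properties of Lemma 2.6 on the outcome. Honest parties broadcast uniform bins; the corrupted set M follows one of two constructed strategies, choosing uniformly like honest parties or crowding every corrupted party into one bin. The (1 + o(1)) slack of property 1 is instantiated as a fixed factor, which is an assumption of this toy, and with the small k used here the lemma's bounds are a guide rather than a guarantee, since its probability statement is asymptotic in k.

```python
# Simulation of the Elect protocol (Section 2.3) plus a checker for the two
# properties of Lemma 2.6.  Added example with constructed parameters.
import random


def elect(bins, num_bins, m):
    """bins[i] is the bin chosen by party i (0-based).  Returns the m lightest
    bins as lists of party indices, lightest first (ties broken by bin index)."""
    members = [[] for _ in range(num_bins)]
    for party, b in enumerate(bins):
        members[b].append(party)
    order = sorted(range(num_bins), key=lambda b: (len(members[b]), b))
    return [members[b] for b in order[:m]]


def run_elect(n, k, m, corrupted, strategy, rng):
    """One run of Elect: n parties, bins [n/k], m committees.  Honest parties
    pick uniform bins; corrupted parties follow `strategy` ('uniform' or 'crowd')."""
    num_bins = n // k
    bins = []
    for party in range(n):
        if party in corrupted and strategy == "crowd":
            bins.append(0)                        # all corrupted parties pile into bin 0
        else:
            bins.append(rng.randrange(num_bins))  # honest (or 'uniform' adversary) choice
    return elect(bins, num_bins, m)


def committee_stats(committees, corrupted):
    """(size, corrupted fraction) per committee, the quantities in Lemma 2.6."""
    return [(len(c), sum(p in corrupted for p in c) / len(c)) if c else (0, 1.0)
            for c in committees]


def check_lemma(committees, corrupted, k, eps, slack=1.5):
    """Property 1: (eps/2) k <= |E_j| <= slack * k  (slack stands in for 1 + o(1)).
    Property 2: |E_j ∩ M| / |E_j| <= 1 - eps/2.  Returns (prop1_ok, prop2_ok)."""
    stats = committee_stats(committees, corrupted)
    prop1 = all(eps * k / 2 <= size <= slack * k for size, _ in stats)
    prop2 = all(frac <= 1 - eps / 2 for _, frac in stats)
    return prop1, prop2


def disjoint(committees):
    """Committees are bins, so they never share a party; this verifies it."""
    seen = set()
    for c in committees:
        if seen.intersection(c):
            return False
        seen.update(c)
    return True


if __name__ == "__main__":
    n, k, m, eps = 300, 10, 3, 0.5          # n >= m k^2 = 300; half the parties honest
    rng = random.Random(2012)
    corrupted = set(rng.sample(range(n), int((1 - eps) * n)))
    for strategy in ("uniform", "crowd"):
        committees = run_elect(n, k, m, corrupted, strategy, rng)
        print(strategy, committee_stats(committees, corrupted),
              check_lemma(committees, corrupted, k, eps))
```

Crowding is self-defeating for the adversary: a bin that receives every corrupted party becomes the heaviest and is never among the m lightest, so the elected committees are then entirely honest. Spreading uniformly leaves each committee with roughly a (1 − ε) corrupted fraction, which is exactly what the Chernoff argument of [Fei99] bounds.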

2.4 Fully Homomorphic Encryption

A fully homomorphic public-key encryption scheme (FHE) consists of algorithms (Gen, Enc, Dec, Eval). The first three are the standard key generation, encryption and decryption algorithms of a public key scheme. The additional algorithm Eval is a deterministic polynomial-time algorithm that takes as input a public key pk, a ciphertext x̂ ← Enc_pk(x) and a circuit C, and outputs a new ciphertext c = Eval_pk(x̂, C) such that Dec_sk(c) = C(x), where sk is the secret key corresponding to the public key pk. It is required that the size of c depends polynomially on the security parameter and the length of the output C(x), but is otherwise independent of the size of the circuit C.

Several such FHE schemes have been constructed, starting with the seminal work of Gentry [Gen09]. Recently, new schemes were presented by Brakerski, Gentry and Vaikuntanathan [BV11, BGV11] that achieve greater efficiency and are based on the LWE assumption. We note that in these schemes, the size of the public key depends linearly on the depth of the functions being evaluated. As a result, the complexity of our preprocessing phase depends on the maximum depth of functions that we would like to compute. This issue can be avoided altogether if we assume that the schemes of [BV11, BGV11] are circular secure.

For our construction, we need an FHE scheme with the following additional property, which we refer to as certifiability. Loosely speaking, an FHE scheme is said to be certifiable if there is an efficient algorithm that takes as input a random string r and tests whether it is "good" to use r as randomness in the encryption algorithm Enc. More precisely, a certifiable FHE scheme is associated with a set R, which consists of all the "good" random strings, such that (1) a random string is in R with overwhelming probability; and (2) the Eval algorithm and the decryption algorithm Dec are correct on ciphertexts that use randomness from R to encrypt. A formal definition follows.

Definition 2.7. A FHE scheme is said to be certifiable if there exists a subset R ⊂ {0, 1}^{poly(k)} of possible randomness values for which the following hold.

1. Pr[r ∈ R] = 1 − negl(k), where the probability is over uniformly sampled r ← {0, 1}^{poly(k)}.

2. There exists an efficient algorithm A_R such that A_R(r) = 1 for r ∈ R and 0 otherwise.

3. $$\Pr\Big[\forall b_1, \ldots, b_n \in \{0,1\},\ \forall r_1, \ldots, r_n \in R,\ \forall \text{ poly-size circuits } f : \{0,1\}^n \to \{0,1\}:\ \mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, c_1, \ldots, c_n)) = f(b_1, \ldots, b_n),\ \text{where } c_i = \mathrm{Enc}_{pk}(b_i; r_i)\Big] = 1 - \mathrm{negl}(k).$$

We note that this property holds, for example, for the schemes of [BV11, BGV11]. For the readers who are familiar with these constructions, the set of "good" randomness R corresponds to encrypting with sufficiently "small noise."

2.5  Leaky  Distributed  Systems 

One  of  the  tools  in  our  construction  is  a  compiler  that 
converts  any  circuit  C  (with  secrets)  into  a  collection  of  sub¬ 
computations  (or  “modules”)  Subi, ...,  Subm,  whose  sequen¬ 
tial  evaluation  evaluates  the  circuit  C,  and  which  is  secure  in 
the  leaky  distributed  systems  (LDS)  model,  a  model  recently 
introduced  by  Bitansky  et.  al.  [BCG+11]. 

Before  we  describe  this  model  and  compiler,  let  us  re¬ 
call  prerequisite  prior  works  [JV10,  GR10,  GR12],  which 
construct  such  a  compiler  in  the  “only  computation  leaks” 
(OCL)  model.  In  particular,  these  works  demonstrate  a 
compiler  that  takes  a  circuit  C  and  converts  it  into  a  cir¬ 
cuit  C'  consisting  of  m  disjoint,  ordered  sub-computations 
Subi, . . . ,  Subm,  where  the  input  to  sub-computation  Subi 
depends  only  on  the  output  of  earlier  sub-computations. 
Each  of  these  sub-computations  Subi  is  modeled  as  a  non- 
uniform  randomized  poly-size  circuit,  with  a  “secret  state.” 
It  was  proven  that  no  information  about  the  circuit  C  is 
leaked,  even  if  each  of  these  sub-computations  is  leaky.  More 
specifically,  the  adversary  can  request  to  see  a  bounded- 
length  function  of  each  Sub,  (separately),  and  these  leakage 
functions  may  be  adaptively  chosen. 

These works also consider the continual leakage setting, where leakage occurs over and over again in time. In this setting, the secret state of each Sub_i must be continually updated or refreshed. To this end, after each computation, all the Sub_i's update their secret state by running a randomized protocol Update. We stress that leakage may occur during each of these update protocols, and that such leakage may be a function of both the current secret state and the randomness used by the Update procedure.

In this work, we use such a compiler which is secure in the LDS model [BCG+11]. The LDS model strengthens the OCL model in two ways. First, in the LDS model, the adversary is allowed to view and control the entire communication between modules; in contrast, the OCL model assumes the communication between modules is kept secret from the adversary, and that the messages are generated honestly. Second, in the LDS model, the adversary may leak adaptively on each module in any order. For instance, the adversary may leak a bit from Sub_i, then a bit from Sub_j, and based on the results, leak again on Sub_i. In contrast, the OCL model only allows the adversary to request leakage information from the module that is currently computing. In particular, this restricts the adversary to leak on modules in order (i.e., first leak from Sub_1, then from Sub_2, etc.).

Remark 2.8. For the sake of simplicity of notation, we assume (without loss of generality) that the module Sub_i only sends messages to Sub_{i+1} (where we define Sub_{m+1} = Sub_1). Moreover, we assume for simplicity that during each computation, where C is evaluated on some input v, each module Sub_i sends a single message to Sub_{i+1}, and that Sub_m does not send a message to any module, and simply outputs C(v). This assumption indeed holds for the LDS compiler of [BCG+11] which is based on [GR12]. We note that this assumption is not needed for our result to be correct, but it simplifies the notation.

At the end of each time period, the modules “refresh” their inner state by applying a (possibly distributed) Update procedure, after which they erase their previous state. As with the rest of the computation, the Update procedure is also exposed to leakage, and the adversary controls the exchange of messages during the update.

Definition 2.9 (Leaky Distributed Systems (LDS)). In a λ-bounded LDS attack, a PPT adversary A interacts with modules (Sub_1, ..., Sub_m) by adaptively performing any sequence of the following actions:

• Interact(j, msg): For j ∈ [m], send the message msg to the j'th submodule, Sub_j, and receive the corresponding reply. Note that the modules are message-driven: they become activated when they receive a message from the attacker, at which point they compute and send the result, and then wait for additional messages.

• Leak(j, L): For j ∈ [m] and a poly-size leakage function L : {0,1}* → {0,1}, if strictly fewer than λ queries of the form Leak(j, ·) have been made so far, A receives the evaluation of L on the secret state of the j'th submodule, Sub_j. Otherwise, A receives ⊥.

In a continual λ-LDS attack, the adversary A repeats a λ-bounded LDS attack polynomially many times, where between every two consecutive attacks the secret states of the modules are updated. The update is done by running a distributed Update protocol among all the modules. We also allow A to leak during the Update procedure, where the leakage function takes as input both the current secret state of Sub_j and the randomness it uses during the Update procedure.

We denote by time period t of submodule Sub_j the time period between the beginning of the (t−1)'st Update procedure and the end of the t'th Update procedure in that submodule (note that these time periods are overlapping).⁵ We allow the adversary A to leak at most λ bits from each Sub_j during each (local) time period.

We refer to such an adversary A as a λ-LDS adversary, and denote the output of A in such an attack by A[λ : Sub_1, ..., Sub_m : Update].

We say that the collection of modules (Sub_1, ..., Sub_m) is λ-secure in the LDS model if for any λ-LDS adversary A interacting with the modules as described above, there exists a PPT simulator who simulates the output of A.

⁵ Intuitively, time period t is the entire time period where the t'th updated secret states can be leaked. Note that during the t'th Update procedure, both the (t−1)'st and the t'th secret state may leak, which is why the time periods are overlapping.

Definition 2.10 (LDS-Secure Circuit Compiler). We say that (𝒞, Update) is a λ-LDS secure circuit compiler if for any circuit C and (Sub_1, ..., Sub_m) ← 𝒞(C), the following two properties hold:


1. Correctness: The collection of modules (Sub_1, ..., Sub_m) maintains the functionality of C when all the messages between them are delivered intact.

2. Secrecy: For every PPT λ-LDS adversary A there exists a PPT simulator S, such that for any ensemble of poly-size circuits {C_n} and any auxiliary input z ∈ {0,1}^{poly(n)}:

$$\Big\{ A(z)[\lambda : \mathsf{Sub}_1, \ldots, \mathsf{Sub}_m : \mathsf{Update}] \Big\}_{n \in \mathbb{N},\, C \in \mathcal{C}_n} \approx_c \Big\{ S^{C}(z, |C|) \Big\}_{n \in \mathbb{N},\, C \in \mathcal{C}_n}$$

where S only queries C on the inputs A sends to the first module, Sub_1.

Theorem 2.11 ([BCG+11]). Assuming the existence of a non-committing encryption scheme and a λ-OCL circuit compiler which compiles a circuit C to m(|C|) modules, there exists a λ-LDS secure circuit compiler (𝒞, Update) for which 𝒞(C) has the same number of modules, m(|C|).

We note that there are known constructions of non-committing encryption schemes based on standard cryptographic assumptions, such as the DDH assumption and the RSA assumption. Moreover, a very recent work of Goldwasser and Rothblum [GR12] constructs a λ-OCL circuit compiler (unconditionally) with the following properties.

Theorem 2.12 ([GR12]). For any security parameter k, there (unconditionally) exists a λ-OCL secure circuit compiler for λ = Ω(k), that takes any circuit C into a collection of O(|C|) modules, each of size O(k³).

Remark 2.13 (Folklore). If one additionally assumes the existence of a fully homomorphic encryption (FHE) scheme, then there exists a λ-LDS secure circuit compiler (𝒞, Update) such that for every poly-size circuit C, the number of output sub-computations Sub_1, ..., Sub_m generated by 𝒞 is polynomial in the security parameter of the FHE scheme and independent of the size of C.

2.6 Weakly Leakage-Resilient MPC

Our construction of a leakage-resilient MPC protocol in the preprocessing model (defined in Section 3.2) uses as a building block an MPC protocol that is leakage-resilient with respect to a weaker notion of secrecy (where the ideal world is weakened), as was recently constructed in [BGG+11]. For lack of a better name, we call it weakly leakage-resilient MPC. Below, we recall the security model from [BGG+11].

Very briefly, the security definition in [BGG+11] follows the ideal/real world paradigm. They consider a real-world execution without a leak-free preprocessing stage, though they do assume the existence of an honestly generated CRS.⁶

The adversary, in addition to corrupting a number of parties, can obtain leakage information on the joint secret states of the honest parties at any point during the protocol execution. Leakage queries may be adaptively chosen based on all information received up to that point (including responses to previous leakage queries), and are computed on the joint secret states of all the honest parties.

⁶ The CRS is simply a truly random string, and thus, could be generated in a leaky environment.
Note that one cannot hope to realize the standard ideal world security in the presence of such leakage attacks. To this end, [BGG+11] consider an ideal world experiment where in addition to learning the output of the function evaluation, the simulator is also allowed to request leakage on the inputs of all the honest parties jointly. Below, we describe the ideal and real world experiments and give the formal security definition from [BGG+11].

Ideal World.

We first describe the ideal world experiment, where n parties P_1, ..., P_n interact with an ideal functionality for computing a function f. An adversary may corrupt any subset M ⊂ 𝒫 of the parties. As in the standard MPC ideal world experiment, the parties send their inputs to the ideal functionality and receive the output of f evaluated on all inputs. The main difference from the standard ideal world experiment is that the adversary is also allowed to make leakage queries on the inputs of the honest parties. Such queries are evaluated on the joint collection of all parties' inputs. The ideal world execution proceeds as follows.

Inputs: Each party P_i obtains an input x_i. The adversary is given auxiliary input z and selects a subset of parties M ⊂ 𝒫 to corrupt.

Sending inputs to trusted party: Each honest party P_i sends its input x_i to the ideal functionality. For each corrupted party P_i ∈ M, the adversary may select any value x'_i and send it to the ideal functionality.

Trusted party computes output: Let x'_1, ..., x'_n be the inputs that were sent to the ideal functionality. The ideal functionality computes f(x'_1, ..., x'_n).

Adversary learns output: The ideal functionality first sends the evaluation f(x'_1, ..., x'_n) to the adversary. The adversary replies with either continue or abort.

Honest parties learn output: If the message is abort, the ideal functionality sends ⊥ to all honest parties. If the adversary's message was continue, then the ideal functionality sends the function evaluation f(x'_1, ..., x'_n) to all honest parties.

Leakage queries on inputs: The adversary may send (adaptively chosen) leakage queries in the form of efficiently computable functions L_j (described as a circuit). On receiving such a query, the ideal functionality computes L_j(x'_1, ..., x'_n) and returns the output to the adversary.

Outputs: Honest parties output their inputs and the messages they obtained from the ideal functionality. Malicious parties may output an arbitrary PPT function of their initial input (auxiliary input and random tape) and the messages they have obtained from the ideal functionality.

An ideal world adversary S who obtains a total of λ bits of leakage is referred to as a λ-leakage ideal adversary. The overall output of the ideal-world experiment consists of all the inputs and values received by honest parties from the ideal functionality, together with the output of the adversary, and is denoted by W-IDEAL_{S,M}(1^k, x, z).


Real World.

The real-world experiment begins by first choosing a common random string crs. Then, each party P_i receives an input x_i and the adversary A receives auxiliary input z. These values can depend arbitrarily on the crs, but need to be efficiently computable given the crs. However, for the sake of simplicity of notation, throughout this section we assume that these values are independent of the crs.

The adversary A selects any arbitrary subset M ⊂ 𝒫 of the parties to corrupt. Each corrupted party P_i ∈ M hands over its input to A. The parties P_1, ..., P_n now engage in an execution of a real n-party protocol Π. The adversary A sends all messages on behalf of the corrupted parties, and may follow an arbitrary polynomial-time strategy. In contrast, the honest parties follow the instructions of Π. Furthermore, at any point during the protocol execution, the adversary may make leakage queries of the form L and learn L(state_{𝒫\M}), where state_{𝒫\M} denotes the concatenation of the protocol states state_i of each honest party P_i. We allow the adversary to choose the leakage queries adaptively.

Honest parties have the ability to toss fresh coins at any point in the protocol, and at that point these coins are added to the state of that party. At the conclusion of the protocol execution, each honest party P_i generates an output according to Π. Malicious parties may output an arbitrary PPT function of the view of A.

An adversary A who obtains at most λ bits of leakage is referred to as a λ-leakage real adversary. Let Gen_W denote the CRS generation algorithm. Further, let W-REAL_{A,M}(1^k, crs, x, z) be the random variable that denotes the values output by the parties at the end of the protocol Π (using crs ← Gen_W(1^k) as the CRS). Then, the overall output of the real-world experiment is defined as the tuple (crs, W-REAL_{A,M}(1^k, crs, x, z)).

We now state the formal security definition.

Definition 2.14 (λ-Weakly Leakage-Resilient MPC). A protocol Π evaluating a functionality f is a λ-weakly leakage-resilient MPC protocol if for every PPT λ-leakage real adversary A, there exists a λ-leakage ideal adversary S = (S_crs, S_exec), corrupting the same parties as A, such that for every input vector x, every auxiliary input z ∈ {0,1}*, and every subset M ⊂ 𝒫, it holds that the distribution

$$\Big\{ \mathsf{crs},\ \mathsf{W\text{-}IDEAL}_{S_{\mathsf{exec}}(\mathsf{crs},\,\mathsf{trap}),\,M}(1^k, x, z) \Big\}_{k \in \mathbb{N}}$$

is computationally indistinguishable from the distribution

$$\Big\{ \mathsf{crs}',\ \mathsf{W\text{-}REAL}_{A,\,M}(1^k, \mathsf{crs}', x, z) \Big\}_{k \in \mathbb{N}}$$

where (crs, trap) ← S_crs(1^k), and crs' ← Gen_W(1^k).

Theorem 2.15 ([BGG+11]). Based on the DDH assumption, for every poly-size function f, for every leakage bound λ ∈ ℕ, and any number of parties and corrupted parties, there exists a protocol Π in the common random string model for computing f that is λ-weakly leakage resilient as per Definition 2.14.

Remark 2.16. We note that Theorem 2.15 holds even if we allow the input vector x and the auxiliary input z to be arbitrary poly-time computable functions of the crs. We eliminated this dependency from Definition 2.14 only for the sake of simplicity of notation.
Remark 2.17 (Standalone vs. UC Security). The main result in [BGG+11] actually achieves a stronger notion of universally composable (UC) security, at the cost of additionally relying on the decisional linear assumption over bilinear groups. Indeed, their UC-secure WLR-MPC construction relies on a leakage-resilient UC-NIZK system, whose only known construction [GJS11, GOS06] is based on the decisional linear assumption in the bilinear groups setting.

However, for the present paper, it suffices to obtain a “standalone” secure construction of WLR-MPC. Thus, it is possible to replace the UC-NIZK system with a standalone secure interactive weakly leakage-resilient ZKPoK system. This, in turn, can be based on the DDH assumption. The resulting WLR-MPC achieves standalone security based on only the DDH assumption in the CRS model.

Security against disjoint leakage.

In Definition 2.14, the real-world adversary A is allowed to obtain joint leakage on the secret states of the honest parties. In the present work, we consider a weaker adversarial model, in which the leakage on each honest party in the real world is disjoint (i.e., A is not allowed to leak on the joint secret states of the honest parties). Theorem 2.15 clearly still applies to this setting. However, we note that the ideal world guarantee does not become stronger when we consider this set of restricted adversaries: that is, even to simulate such adversaries, the simulator S needs joint leakage on the inputs of all the honest parties.⁷

2.6.1 Security for randomized functions

We note that Theorem 2.15 holds for deterministic functions. In this work, we need to use a weakly leakage-resilient protocol for randomized functions (since the modules in the OCL leakage-resilient circuit compute randomized functions). We show that in our setting, where leakage in the real world is disjoint, the number of parties is polynomially related to the security parameter, and a constant fraction of the parties are honest, we can construct weakly leakage-resilient protocols for randomized functions.

Theorem 2.18 (informal). Theorem 2.15 holds also for randomized functions if we restrict the adversaries to leak on the honest parties disjointly, when the number of parties is polynomially related to the security parameter, and an ε-fraction of them are honest for some constant ε > 0.

Due to lack of space we defer the proof of this theorem to the final version.

3. OUR MODEL

In this section, we present the MPC model and the security definition considered in this paper. We start by giving a brief overview of our model and then proceed with a formal description.

Overview. We consider the setting of n parties 𝒫 = {P_1, ..., P_n} within a synchronous point-to-point network with authenticated broadcast channel [DS83] who wish to jointly compute any PPT function over their private inputs. Specifically, we consider the case where the parties wish to perform arbitrarily many evaluations of functions of their choice. We refer to a protocol that allows computation of multiple functions (over a given set of inputs) as a multi-function MPC protocol. Unlike the standard MPC setting, we consider security of a multi-function MPC protocol against “leaky” adversaries that may (continuously) leak on the secret state of each honest party during the protocol execution.

⁷ As mentioned in Section 1.4, if we could simulate real-world adversaries that obtain only disjoint leakage queries, with a simulator that obtains only disjoint leakage queries, then this would almost immediately give us a result similar to ours: an MPC protocol with preprocessing that is secure against continual leakage.

To formally define security, we turn to the real/ideal paradigm. Very briefly, we consider a real-world execution where an adversary, who corrupts any arbitrary number of parties in the system, may additionally obtain arbitrary bounded, independent leakage on the secret state of each honest party. However, unlike the recent works on leakage-resilient interactive protocols [GJS11, BCH11, BGK11, DHP11, BGG+11], we consider the standard ideal world model, where the adversary does not learn any information on the honest party inputs.

Note that if we do not put any restriction on the real-world adversary, and in particular, if he is allowed to obtain leakage throughout the protocol execution, then it is impossible to realize the standard ideal world model, since the adversary may simply leak on the inputs of the honest parties, while this information cannot be simulated in the ideal world. With this in mind, we (necessarily) allow for a “leak-free” one-time preprocessing stage that happens at the beginning of the real-world execution. Furthermore, to withstand continual leakage attacks, we (necessarily) allow for periodic updates of the secret values of the parties. We allow leakage to occur during this update procedure as usual.

We now proceed to give a formal description of our model in the remainder of this section. In Section 3.1, we describe the ideal world experiment. In Section 3.2, we describe the real world experiment. Finally, in Section 3.3, we present our security definition.

Throughout this work, we assume that the functions to be evaluated give the same output to all parties. This is for simplicity of exposition, since otherwise, if the output itself is a secret value (given to an honest party) then this value can be leaked. This can be handled by complicating our security guarantees, and, indeed, one can tweak our construction to ensure that the adversary learns only leakage information on such outputs. However, for the sake of simplicity, we choose to avoid this issue in this manuscript.

3.1 Ideal World

In the ideal world, each party P_i sends her input x_i to a trusted third party. Whenever the adversary A sends a poly-size circuit f to the trusted party, it sends back f(x_1, ..., x_n). Since we consider the case of dishonest majority, we can only obtain security with abort: i.e., the adversary first receives the function output f(x_1, ..., x_n), and then chooses whether the honest parties also learn the output, or to prematurely abort. The adversary can query the trusted party many times with various functions f_j. Moreover, these functions can be adaptively chosen, based on the outputs of previous functions. The ideal world model is formally described below.

Inputs: Each party P_i obtains an input x_i. The adversary is given auxiliary input z. He selects a subset of the parties M ⊂ 𝒫 to corrupt, and is given the inputs x_i of each party P_i ∈ M.

Sending inputs to trusted party: Each honest party P_i sends its input x_i to the ideal functionality. For each corrupted party P_i ∈ M, the adversary may select any value x'_i and send it to the ideal functionality.

Trusted party computes output: Let x'_1, ..., x'_n be the inputs that were sent to the trusted party. Then, the following is repeated for any (unbounded) polynomial number of times:

• Function selection: The adversary chooses a poly-size circuit f_j, and sends it to the ideal functionality.

• Adversary learns output: The ideal functionality sends the evaluation f_j(x'_1, ..., x'_n) to the adversary. The adversary replies with either continue or abort.

• Honest parties learn output: If the adversary's message was abort, then the trusted party sends ⊥ to all honest parties and the experiment concludes. Otherwise, if the adversary's message was continue, then it sends the function output f_j(x'_1, ..., x'_n) to all honest parties.

Outputs: Honest parties output all the messages they obtained from the ideal functionality. Malicious parties may output an arbitrary PPT function of the adversary's view.

The overall output of the ideal-world experiment consists of the outputs of all parties. For any ideal-world adversary S with auxiliary input z ∈ {0,1}*, any input vector x, any set of functions {f_j}_{j=1}^p chosen by the adversary, and security parameter k, we denote the output of the corresponding ideal-world experiment by

$$\mathsf{IDEAL}_{S,M}\big(1^k, x, z, \{f_j\}_{j=1}^{p}\big).$$

Note that this is a slight abuse of notation since the functions {f_j}_{j=1}^p may be chosen adaptively.

3.2 Real World

The real world execution begins by an adversary A selecting any arbitrary subset of parties M ⊂ 𝒫 to corrupt. The parties then engage in an execution of a real n-party multi-function MPC protocol Π = (Π_pre, Π_input, Π_online) that consists of three stages, namely, (a) a preprocessing phase, (b) an input phase, and (c) an online phase, as described below. We assume that honest parties have the ability to toss fresh coins at any point. Throughout the execution of Π, the adversary A sends all messages on behalf of the corrupted parties, and may follow an arbitrary polynomial-time strategy. In contrast, the honest parties follow the instructions of Π. Furthermore, at any point during the protocol execution (except during the preprocessing and the input phases), the adversary may leak on the entire secret state of each honest party, via an MPC leakage query, defined as follows.

Definition 3.1. An MPC leakage query is defined by Leak(i, L), where i ∈ [n] and L : {0,1}* → {0,1} is a poly-size circuit. When an adversary sends a leakage query Leak(i, L), he receives the evaluation of L on the entire secret state of party P_i.


We now formally describe the different phases in the protocol.

Preprocessing phase: This phase is interactive and leak-free, and is run only once. It is independent of the inputs of the parties, and is independent of the functions that will later be evaluated. Thus, this phase can be run in the beginning of time, before the parties even know what their inputs are, or what functions they would like to evaluate.

We assume that no leakage occurs during the run of this preprocessing phase, but we do allow leakage to occur as soon as the preprocessing phase ends. At the end of this phase each party P_i has an (initial) secret state state_i^1.

Input phase: This phase is non-interactive and leak-free, and depends only on the inputs x_1, ..., x_n (independent of the functions to be computed). Whenever a party P_i gets (or chooses) a secret input x_i, she does some local computation which may depend on her secret input x_i and on her secret state state_i^ℓ. She then sends a message to all parties, and erases her secret input x_i. One may think of this as a “hot potato” model, where the parties never store their inputs for very long (since they are concerned with leakage), but rather immediately share their input as if it were a “hot potato”.

We assume that the party P_i is not leaked upon during the execution of this phase. However, leakage may occur between the preprocessing phase and the input phase, and leakage may occur immediately after the input phase.

We emphasize that each party can change her input as often as she wants by simply re-running the input phase with the new input.⁸

Online phase: This phase takes place in a leaky environment. During this phase, the parties carry out an unbounded number of function evaluations on their inputs, and update their respective secret states. At any point during this phase, A may make adaptively-chosen leakage queries, as per Definition 3.1, in the manner described below.

Whenever A wishes to compute a function f_j (represented as a poly-size circuit), all parties execute the function evaluation protocol Π_comp, described below. Whenever A wants the honest parties to update their secret states, all parties execute the update protocol Π_update, described below. We let Π_online = (Π_comp, Π_update). We begin at leakage time period ℓ = 1; after each update procedure, ℓ is incremented.

• Computation procedure:

1. All parties execute protocol Π_comp(f_j), where honest parties P_i act in accordance with input state_i^ℓ. Note that the secret state of parties may change during the execution of this protocol, as dictated by Π_comp.

⁸ For simplicity, in the security proof in Section 5, we assume that the parties run the input phase only once; however, the proof extends readily to the case that the parties rerun the input phase many times with different inputs.
2. At the conclusion of the computation phase, each honest party P_i outputs his final message of the protocol (which should correspond to the evaluation of f_j). Malicious parties may output an arbitrary PPT function of the view of A.

• ℓ'th Update procedure:

1. All parties execute protocol Π_update, where honest parties P_i act in accordance with input state_i^ℓ.

2. At the conclusion of the update phase, each honest party P_i sets state_i^{ℓ+1} to be P_i's output from Π_update. Each honest P_i erases state_i^ℓ.

3. Increment ℓ ← ℓ + 1.

Leakage: Initialize each leaked_ℓ to 0. Each leakage query (i, L) made by A during the ℓ'th time period is answered as follows.

• During the computation phase: if leaked_ℓ > λ, then A receives 0. Otherwise, A receives the evaluation of L on the current secret state of party P_i, and leaked_ℓ ← leaked_ℓ + 1.

• In the ℓ'th update phase: if either leaked_ℓ > λ or leaked_{ℓ+1} > λ, then A receives 0. Otherwise, A receives the evaluation of L on the current secret state of party P_i, and both leaked_ℓ ← leaked_ℓ + 1 and leaked_{ℓ+1} ← leaked_{ℓ+1} + 1.

We emphasize that A's leakage queries may be made on any party, adaptively chosen based on all information received up to that point (including responses to previous leakage queries). The only restriction is that the number of bits leaked between the execution of any two consecutive update protocols is bounded. Note that the leakage queries made during the ℓ'th update phase (where parties transition between their ℓ'th and (ℓ+1)'st secret states) are counted against both the ℓ'th and (ℓ+1)'st time period, where the ℓ'th time period is the time period where the party stores her ℓ'th secret state. The reason for this “double counting” is that during the ℓ'th update phase, the adversary can leak both on the ℓ'th secret state and on the (ℓ+1)'st secret state of the party.

We  refer  to  an  adversary  who  corrupts  t  parties  M  CV 
and  makes  up  to  A  leakage  queries  in  each  time  period 
as  a  (t,  A)- continual  leakage  adversary. 
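The leakage accounting just described, as an added example that is not part of the paper: a small oracle that answers queries $(i, L)$ against per-party secret states, enforcing the per-period bound $\lambda$ and the double counting of queries made during the $\ell$th update phase. The party states, the byte layout of $\mathrm{state}^{\ell}_i$ and the one-bit leakage functions are constructed for the demo; the oracle answers 0 when the bound is exceeded, as in the text, and additionally counts such refusals.

```python
# Added example (not from the paper): a (t, lambda)-continual leakage oracle.
# Party states are constructed byte strings; during the l-th update phase the
# "current secret state" is modelled as state^l || state^{l+1}, since both are
# in memory, and the query is charged to both periods l and l+1.
from typing import Callable, Dict, Optional

LeakFn = Callable[[bytes], int]   # a leakage function returning one bit


class ContinualLeakageOracle:
    def __init__(self, lam: int, states: Dict[int, bytes]) -> None:
        self.lam = lam                         # per-period bound lambda
        self.states = dict(states)             # state_i^l for each party i
        self.pending: Optional[Dict[int, bytes]] = None  # state_i^{l+1} during an update
        self.period = 1                        # current time period l
        # leaked[i][l]: queries charged to party i in time period l
        self.leaked: Dict[int, Dict[int, int]] = {i: {} for i in states}
        self.refused = 0                       # queries answered with 0 because of the bound

    def count(self, i: int, period: int) -> int:
        return self.leaked[i].get(period, 0)

    def _charge(self, i: int, period: int) -> None:
        self.leaked[i][period] = self.count(i, period) + 1

    def begin_update(self, next_states: Dict[int, bytes]) -> None:
        """Start the l-th update phase: state^l and state^{l+1} are both present."""
        self.pending = dict(next_states)

    def end_update(self) -> None:
        """Finish the update: erase state^l, keep state^{l+1}, set l <- l + 1."""
        assert self.pending is not None
        self.states, self.pending = self.pending, None
        self.period += 1

    def leak(self, i: int, L: LeakFn) -> int:
        """Answer leakage query (i, L) under the rules of the leakage model."""
        l = self.period
        if self.pending is None:
            # computation phase: charged against period l only
            if self.count(i, l) >= self.lam:
                self.refused += 1
                return 0
            self._charge(i, l)
            current = self.states[i]
        else:
            # update phase: refused if either period's budget is spent,
            # otherwise charged against both l and l+1 ("double counting")
            if self.count(i, l) >= self.lam or self.count(i, l + 1) >= self.lam:
                self.refused += 1
                return 0
            self._charge(i, l)
            self._charge(i, l + 1)
            current = self.states[i] + self.pending[i]
        return L(current) & 1


def demo() -> dict:
    """Constructed scenario: lambda = 2, two parties, one update phase."""
    o = ContinualLeakageOracle(lam=2, states={1: b"\x01", 2: b"\x02"})
    first_bit = lambda s: s[0] & 1
    a = [o.leak(1, first_bit) for _ in range(3)]        # third query refused
    o.begin_update({1: b"\x03", 2: b"\x05"})
    b = o.leak(1, first_bit)                            # refused: period-1 budget of P_1 spent
    c = o.leak(2, lambda s: s[-1] & 1)                  # allowed; charged to periods 1 and 2
    o.end_update()
    d = [o.leak(2, first_bit) for _ in range(2)]        # one allowed, then refused
    e = [o.leak(1, first_bit) for _ in range(2)]        # both allowed: fresh period for P_1
    return {"a": a, "b": b, "c": c, "d": d, "e": e,
            "refused": o.refused, "leaked": o.leaked}
```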

For any adversary $\mathcal{A}$ with auxiliary input $z \in \{0,1\}^*$, any inputs $\{x_i\}_{i=1}^n$, any set of functions $\{f_j\}_{j=1}^p$ chosen (adaptively) by the adversary, and any security parameter $k$, we denote the output of the multi-function MPC protocol $\Pi = (\Pi_{\mathrm{pre}}, \Pi_{\mathrm{input}}, \Pi_{\mathrm{online}})$ by

$\mathrm{REAL}_{\Pi, \mathcal{A}, M}(1^k, x, z, \{f_j\}_{j=1}^p).$

Loosely speaking, we say that a protocol $\Pi$ is a leakage-resilient multi-function MPC protocol if any adversary, who corrupts a subset of parties, receives leakage information as described above, and runs the protocol with honest parties on any (unbounded) sequence of functions $f_1, \ldots, f_p$, gains no information about the inputs of the honest parties beyond the output of the functions $f_j(x_1, \ldots, x_n)$ for $j = 1, \ldots, p$. We formalize this in the next subsection.


3.3 Security Definition

In what follows, we formally define our model of security; i.e., what it means for a real-world protocol to emulate the desired ideal world.

Definition 3.2 (Leakage-Resilient MPC). A multi-function evaluation protocol $\Pi = (\Pi_{\mathrm{pre}}, \Pi_{\mathrm{input}}, \Pi_{\mathrm{online}})$ is said to be $\lambda$-leakage-resilient against $t$ malicious parties if for every PPT $(t, \lambda)$-continual leakage MPC adversary $\mathcal{A}$ in the real world, there exists a PPT adversary $\mathcal{S}$ corrupting the same parties in the ideal world such that for every input vector $x$, every auxiliary input $z$, and any (adaptively chosen) set of functions $\{f_j\}_{j=1}^p$ where $p = \mathrm{poly}(k)$, it holds that

$\mathrm{IDEAL}_{\mathcal{S}, M}(1^k, x, z, \{f_j\}_{j=1}^p) \approx_c \mathrm{REAL}_{\Pi, \mathcal{A}, M}(1^k, x, z, \{f_j\}_{j=1}^p).$

Note that we do not allow the simulator to request leakage on honest parties' inputs in the ideal world, as was done in [BCH11, DHP11, BGG+11], and thus model a stronger notion of secrecy than what was achieved in prior works.$^9$

4. OUR CONSTRUCTION

In this section, we construct a leakage-resilient multi-function MPC protocol, as defined in Section 3. Our construction uses the following ingredients:

1. $(\mathcal{C}, \mathrm{Update})$: a $\lambda$-LDS secure circuit compiler, as in Theorem 2.11. Recall that for a circuit $C$, the compiler $\mathcal{C} : C \mapsto (\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m)$ yields a collection of modules whose sequential execution evaluates $C$, and which are secure in the LDS model (see Section 2.5 for details).

2. $\mathrm{Elect}$: a public-coin protocol for electing $m$ disjoint committees (where $m$ is the number of modules from above), each of size approximately $k$, as in Lemma 2.6.

3. $(\mathrm{Gen}_{\mathrm{eq}}, \mathrm{Com}, \mathrm{Rec}, S_{\mathrm{eq}} = (S^{\mathrm{crs}}_{\mathrm{eq}}, S^{\mathrm{com}}_{\mathrm{eq}}))$: a crs-based equivocal commitment scheme, as in Lemma 2.5.

4. $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$: a fully homomorphic public-key encryption (FHE) scheme that is certifiable with respect to an efficiently testable set $R \subseteq \{0,1\}^{\mathrm{poly}(k)}$, as described in Section 2.4.

5. $(\mathrm{Gen}_{\mathrm{nizk}}, P, V, S_{\mathrm{nizk}} = (S^{\mathrm{crs}}_{\mathrm{nizk}}, S^{\mathrm{proof}}_{\mathrm{nizk}}))$: a non-interactive zero-knowledge (NIZK) proof of knowledge (as in Lemma 2.3) for the NP language

$L = \{ (\mathrm{pk}, \hat{x}) : \exists\, (x, r) \text{ s.t. } r \in R,\ \hat{x} = \mathrm{Enc}_{\mathrm{pk}}(x; r) \},$ (1)

where $R \subseteq \{0,1\}^{\mathrm{poly}(k)}$ is the set for which the FHE scheme is certifiable.

6. $\mathrm{MPC}(F)$: a standard multiparty computation protocol for evaluating a function $F$, with no leakage resilience guarantees, such as [GMW87].

7. $(\mathrm{Gen}_w, \mathrm{MPC}_w(F))$: a $\lambda$-weakly leakage-resilient multiparty computation (WLR-MPC) protocol for evaluating a function $F$ in the common random string model, as given by Theorem 2.18.

$^9$ With the (necessary) addition of a one-time leak-free preprocessing phase.
Theorem 4.1. Fix any constants $\epsilon, \delta > 0$. Then, assuming the existence of the ingredients 1-7 listed above (where the LDS circuit compiler and WLR-MPC protocol are secure with leakage parameter $\lambda$), there exists a $\lambda$-leakage-resilient multi-function evaluation MPC protocol $\Pi = (\Pi_{\mathrm{pre}}, \Pi_{\mathrm{input}}, \Pi_{\mathrm{update}})$ for $n \geq k^{\delta}$ parties, tolerating $t = (1 - \epsilon) n$ corrupted parties.

Remark.

The reason we need the number of parties to be polynomially related to the security parameter is two-fold. First, in the preprocessing phase, the protocol $\Pi_{\mathrm{pre}}$ elects committees $\mathcal{E}_1, \ldots, \mathcal{E}_m$, and security of the protocol relies on the fact that these committees are disjoint and each committee contains a constant fraction of honest parties. Thus, if $n$ is a constant, then the resulting security guarantee is that the advantage of any PPT distinguisher in the security game is bounded (from below) by a constant. More generally, the advantage is $> 2^{-\epsilon n}$ (see Lemma 2.6).

The second reason the number of parties must be large is that the number $m$ of disjoint committees $\mathcal{E}_1, \ldots, \mathcal{E}_m$ we need to elect is large. This is because the number of committees is exactly the number of modules generated by the LDS compiler, when applied to the decryption circuit $\mathrm{Dec}_{\mathrm{sk}}$ of the underlying FHE scheme. Since the only LDS compiler we know (that does not use secure hardware) requires $m = \Theta(|\mathrm{Dec}_{\mathrm{sk}}|)$, the number of modules must be at least the security parameter of the underlying FHE scheme (which we can set to be $k^{\delta}$).

We now present the protocol $\Pi = (\Pi_{\mathrm{pre}}, \Pi_{\mathrm{input}}, \Pi_{\mathrm{online}})$, where $\Pi_{\mathrm{online}} = (\Pi_{\mathrm{comp}}, \Pi_{\mathrm{update}})$. At a high level, $\Pi$ is defined as follows:

Preprocessing phase $\Pi_{\mathrm{pre}}$: In the preprocessing phase, the parties run a (standard) MPC to collectively generate a key pair $(\mathrm{pk}, \mathrm{sk})$ for the FHE scheme, and to secret share $\mathrm{sk}$ in such a way that (a) learning the shares of corrupted parties, and leakage on each remaining share, does not damage the security of the FHE, but (b) collectively, the shares can be used to evaluate the decryption circuit in a leaky environment. More specifically, shares are generated by running the LDS compiler on the decryption circuit $\mathrm{Dec}_{\mathrm{sk}}(\cdot)$ (with $\mathrm{sk}$ hardwired) to obtain a sequence of modules $\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m$; the parties elect corresponding (disjoint) committees $\mathcal{E}_1, \ldots, \mathcal{E}_m$, and secret share each $\mathrm{Sub}_j$ among the parties in $\mathcal{E}_j$, using a standard secret sharing scheme (e.g., the simple xor scheme). To ensure that parties provide the correct secret shares of the $\mathrm{Sub}_j$'s in future computations, within the MPC the parties collectively generate and publish commitments to each correct share.

In addition, the preprocessing phase is used to generate crs setup information for subsidiary tools used throughout the protocol. This is also done via a (standard) MPC.

(Note that the preprocessing procedure is independent of the parties' secret inputs and of the functions to be evaluated.)

Input phase $\Pi_{\mathrm{input}}$: Each time a party $P_i$ wishes to submit a new secret input $x_i$, she computes and publishes an encryption $\hat{x}_i$ of $x_i$ under the FHE scheme (specifically, under the public key $\mathrm{pk}$ for the FHE that was generated during the preprocessing phase). To ensure that malicious parties do not send malformed ciphertexts, which could ruin the correctness of homomorphic evaluation later down the line (and potentially damage security), each party accompanies her published ciphertext $\hat{x}_i$ with a NIZK proof of knowledge that the ciphertext is properly formed.

Online phase $\Pi_{\mathrm{online}}$: The online phase consists of two parts: the computation phase, in which parties collectively evaluate a queried function $f$ on all inputs, and the update phase, in which parties collectively refresh their secret states.

Computation phase $\Pi_{\mathrm{comp}}$: Each time the adversary requests the evaluation of a function $f$ on all parties' inputs, two steps take place. First, each party (individually) homomorphically evaluates the function $f$ on the encrypted vector of inputs $\hat{x} = (\hat{x}_1, \ldots, \hat{x}_n)$. Note that the result, $y_f$, is an encryption of the desired value $f(x)$. Next, the parties jointly decrypt, using their shares of $\mathrm{sk}$ from the preprocessing phase. Namely, the parties execute the sequence of modules $\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m$ obtained by the LDS compiler applied to $\mathrm{Dec}_{\mathrm{sk}}(\cdot)$, where the input to the first module $\mathrm{Sub}_1$ is $y_f$. To emulate the execution of each module $\mathrm{Sub}_j$, the parties of committee $\mathcal{E}_j$ run a WLR-MPC protocol among themselves. Within the WLR-MPC, the parties of $\mathcal{E}_j$ combine their secret shares $\mathrm{Sub}_{j,i}$ (checking first to make sure each party's share agrees with the corresponding published commitment) and execute the computation dictated by $\mathrm{Sub}_j$. Communication between modules is performed by having all parties of committee $\mathcal{E}_j$ send the appropriate message to all parties of the next committee, $\mathcal{E}_{j+1}$. The output of the final module, $\mathrm{Sub}_m$, is the evaluation $f(x)$.

Update phase $\Pi_{\mathrm{update}}$: Each time the adversary requests that parties update their secret states, the parties execute the update procedure of the LDS compiler, where each module computation is performed via a WLR-MPC among the parties of the corresponding committee, as above. The only difference here is that the secret state $\mathrm{Sub}_j$ of each module is also changing. Thus, during each execution of a module $\mathrm{Sub}_j$, the corresponding committee must also generate fresh secret shares for its parties, and new commitment and decommitment information for each share. To provide the required correctness and secrecy guarantees, this process takes place as part of the committee's WLR-MPC execution.

The formal descriptions of $\Pi_{\mathrm{pre}}$, $\Pi_{\mathrm{input}}$, $\Pi_{\mathrm{comp}}$, and $\Pi_{\mathrm{update}}$ appear in Figures 1, 2, 3, and 4, respectively.

Remark 4.2. Throughout the protocol description (as well as throughout the proof), we define abort to be the action of broadcasting the message "abort" to all parties. At any point at which a party receives an "abort" message, he runs abort and exits the protocol.
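The committee-based decryption cascade and update phase described above (formalized in Figures 3 and 4), as an added toy simulation that is not the paper's code. Stand-ins, all assumptions of this example: the LDS compiler output is modelled as $m$ modules that each XOR a key chunk into the value passed along, so that $\mathrm{Dec}_{\mathrm{sk}}(y) = y \oplus \mathrm{sk}$ with $\mathrm{sk} = \mathrm{chunk}_1 \oplus \cdots \oplus \mathrm{chunk}_m$; the update function $G_j$ re-randomizes the chunks with a mask passed on as $\mathrm{msg}_{j+1}$; the crs-based equivocal commitment is replaced by a plain hash commitment (binding but not equivocal); committees are given rather than elected, and leakage is not modelled.

```python
# Added example (not from the paper). Stand-ins, see the lead-in: XOR "modules"
# in place of the LDS compiler output, SHA-256(d || share) in place of the
# equivocal commitment, and fixed committees in place of Elect.
import hashlib
import os
from dataclasses import dataclass
from typing import List

class Abort(Exception):
    """Raised where the protocol says 'abort' (broadcast abort and exit)."""

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_share(secret: bytes, n: int) -> List[bytes]:
    """Split secret into n shares whose XOR equals secret (the simple xor scheme)."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def commit(share: bytes):
    """Stand-in for Com(crs_eq, share) -> (c, d); not the paper's scheme."""
    d = os.urandom(16)
    return hashlib.sha256(d + share).digest(), d

def rec(c: bytes, d: bytes, share: bytes) -> bool:
    """Stand-in for the check 'share == Rec(crs_eq, c, d)'."""
    return hashlib.sha256(d + share).digest() == c

@dataclass
class Committee:
    """Committee E_j: party i holds (Sub_{j,i}, d_{j,i}); the c_{j,i} are public."""
    shares: List[bytes]
    ds: List[bytes]
    cs: List[bytes]

    @staticmethod
    def share_module(sub: bytes, size: int) -> "Committee":
        """Preprocessing step 3: xor-share Sub_j among |E_j| parties, commit to each share."""
        shares = xor_share(sub, size)
        opened = [commit(s) for s in shares]
        return Committee(shares, [d for _, d in opened], [c for c, _ in opened])

    def reconstruct(self) -> bytes:
        """Steps (a)-(b) of F_j / G_j: check every share against its commitment, then XOR."""
        sub = bytes(len(self.shares[0]))
        for s, d, c in zip(self.shares, self.ds, self.cs):
            if not rec(c, d, s):
                raise Abort("share does not match published commitment")
            sub = xor(sub, s)
        return sub

def consistent(msgs: List[bytes]) -> bytes:
    """A receiving committee aborts if the senders' copies disagree."""
    if any(m != msgs[0] for m in msgs):
        raise Abort("inconsistent messages from previous committee")
    return msgs[0]

def decryption_cascade(committees: List[Committee], y: bytes) -> bytes:
    """Figure 3: input_1 = y, input_{j+1} = Sub_j(input_j), output input_{m+1}."""
    msgs = [y] * len(committees[0].shares)           # every party of E_1 computed y
    for comm in committees:
        inp = consistent(msgs)                        # F_j step (a)
        out = xor(inp, comm.reconstruct())            # toy module: XOR in its key chunk
        msgs = [out] * len(comm.shares)               # each party of E_j sends out onward
    return consistent(msgs)

def update_phase(committees: List[Committee]) -> None:
    """Figure 4: toy G_j re-randomizes the chunks, then re-shares and re-commits."""
    mask = bytes(len(committees[0].shares[0]))        # msg_1: no incoming mask
    for j, comm in enumerate(committees):
        sub = comm.reconstruct()
        nxt = bytes(len(sub)) if j == len(committees) - 1 else os.urandom(len(sub))
        fresh = Committee.share_module(xor(xor(sub, mask), nxt), len(comm.shares))
        comm.shares, comm.ds, comm.cs = fresh.shares, fresh.ds, fresh.cs
        mask = nxt                                    # msg_{j+1} for committee E_{j+1}

def demo() -> dict:
    """Constructed run: m = 3 modules, committees of sizes 3, 2 and 4."""
    chunks = [os.urandom(8) for _ in range(3)]
    sk = bytes(8)
    for ch in chunks:
        sk = xor(sk, ch)
    committees = [Committee.share_module(ch, n) for ch, n in zip(chunks, (3, 2, 4))]
    y = xor(b"secret!!", sk)                          # toy ciphertext of b"secret!!"
    before = decryption_cascade(committees, y)
    update_phase(committees)
    after = decryption_cascade(committees, y)         # same key, refreshed shares
    committees[1].shares[0] = xor(committees[1].shares[0], b"\x01" * 8)  # corrupt a share
    try:
        decryption_cascade(committees, y)
        tampered = "no abort"
    except Abort as e:
        tampered = str(e)
    return {"before": before, "after": after, "tampered": tampered}
```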

5. PROOF OF SECURITY

Proof of Theorem 4.1. Let $\mathcal{A}$ be any real-world PPT adversary for $\Pi$. Denote by $M \subseteq V$ the set of parties corrupted by $\mathcal{A}$.
Preprocessing Phase:

Input: $1^k$. No leakage allowed.

1. The parties elect $m$ disjoint committees $\mathcal{E}_j$ of size approximately $k'$ by running $\mathrm{Elect}$. Here, $k'$ is the security parameter for the FHE scheme and $m = \mathrm{poly}(k')$ is the number of modules produced by the LDS compiler when run on the decryption circuit $\mathrm{Dec}_{\mathrm{sk}}$ for this security parameter. We take $k'$ as large as possible while maintaining $m \cdot k'^2 < n$.

2. All parties engage in an execution of the (standard) MPC protocol $\mathrm{MPC}(F_{\mathrm{crs}})$ to compute the (randomized) functionality $F_{\mathrm{crs}}$ described as follows. Functionality $F_{\mathrm{crs}}$ does not take any inputs and computes the following: (a) a CRS $\mathrm{crs}_w \leftarrow \mathrm{Gen}_w(1^k)$ for the weakly leakage-resilient MPC protocol $(\mathrm{Gen}_w, \mathrm{MPC}_w(F))$, (b) a CRS $\mathrm{crs}^i_{\mathrm{eq}} \leftarrow \mathrm{Gen}_{\mathrm{eq}}(1^k)$ for each party $P_i$ for the equivocal commitment scheme $(\mathrm{Gen}_{\mathrm{eq}}, \mathrm{Com}, \mathrm{Rec}, S_{\mathrm{eq}})$, and (c) a CRS $\mathrm{crs}^i_{\mathrm{nizk}} \leftarrow \mathrm{Gen}_{\mathrm{nizk}}(1^k)$ for each party $P_i$ for the NIZK proof of knowledge system $(\mathrm{Gen}_{\mathrm{nizk}}, P, V, S_{\mathrm{nizk}})$. Denote by $\mathrm{crs}$ the tuple $(\{\mathrm{crs}^i_{\mathrm{eq}}, \mathrm{crs}^i_{\mathrm{nizk}}\}_{i=1}^n, \mathrm{crs}_w)$.

3. All parties engage in an execution of the (standard) MPC protocol $\mathrm{MPC}(F_{\mathcal{E}_1, \ldots, \mathcal{E}_m, \mathrm{crs}})$ to collectively compute the randomized functionality $F_{\mathcal{E}_1, \ldots, \mathcal{E}_m, \mathrm{crs}}$ (that does not take any inputs) defined as follows:

The (randomized) function:

Generate a key pair $(\mathrm{sk}, \mathrm{pk}) \leftarrow \mathrm{Gen}(1^{k'})$ for the FHE scheme.

Evaluate the LDS circuit transformation on the decryption circuit for $\mathrm{sk}$:

$(\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m) \leftarrow \mathcal{C}(\mathrm{Dec}_{\mathrm{sk}}).$

(We abuse notation and denote by $\mathrm{Sub}_j$ both the computation of the submodule and the secret state corresponding to the submodule.)

For each $j \in [m]$, secret share $\mathrm{Sub}_j = \mathrm{Sub}_{j,1} \oplus \cdots \oplus \mathrm{Sub}_{j,|\mathcal{E}_j|}$ among the parties in the $j$'th committee, $\mathcal{E}_j$.

For each share $\mathrm{Sub}_{j,i}$ generated in the previous step, compute a commitment $(c_{j,i}, d_{j,i}) \leftarrow \mathrm{Com}(\mathrm{crs}^{a}_{\mathrm{eq}}, \mathrm{Sub}_{j,i})$, where $P_a$ is the $i$'th party in $\mathcal{E}_j$ (i.e., the party that receives the share $\mathrm{Sub}_{j,i}$).

Output: The outputs are as follows.

All parties: $\mathrm{pk}$, $\{c_{j,i}\}_{j \in [m], i \in [|\mathcal{E}_j|]}$

Party $i$ of $\mathcal{E}_j$: $\mathrm{Sub}_{j,i}$, $d_{j,i}$

4. Each party erases all intermediate values of the MPC executions.

(Note that Steps 2 and 3 can be combined into a single multi-party computation execution, but have been split into two separate executions for ease of explanation and proof.)


Figure 1: Protocol $\Pi_{\mathrm{pre}}$: Preprocessing phase.


Input Phase: Party $P_i$ wishes to submit a new private input, $x_i$. No leakage allowed.

Public inputs: $\mathrm{pk}$, $\{\mathrm{crs}^i_{\mathrm{nizk}}\}_{i=1}^n$.

Private input: $x_i$, held by party $P_i$.

Party $P_i$ performs the following steps:

1. Sample a value $r_i \leftarrow R \subseteq \{0,1\}^{\mathrm{poly}(k)}$ via rejection sampling. Recall that the FHE scheme is certifiable with respect to the set $R \subseteq \{0,1\}^{\mathrm{poly}(k)}$ (see Definition 2.7).

2. Encrypt $\hat{x}_i = \mathrm{Enc}_{\mathrm{pk}}(x_i; r_i)$.

3. Compute a NIZK proof of knowledge that $(\mathrm{pk}, \hat{x}_i) \in L$ using witness $(x_i, r_i)$ and CRS $\mathrm{crs}^i_{\mathrm{nizk}}$. (See Equation (1) above for the definition of $L$.) That is, $\pi_i \leftarrow P(\mathrm{crs}^i_{\mathrm{nizk}}, (\mathrm{pk}, \hat{x}_i), (x_i, r_i))$.

4. Send the pair $(\hat{x}_i, \pi_i)$ to all parties.

(It suffices to send it to the parties in $\mathcal{E}_1$.)

5. Erase the initial input $x_i$, together with all intermediate values of the input phase.


Figure 2: Protocol $\Pi_{\mathrm{input}}$: Input phase.

We construct an adversary $\mathcal{S}$ in the ideal world who simulates the real-world view of $\mathcal{A}$ by simulating the honest parties in the real-world experiment. We do so by a sequence of intermediate steps, where we show how to simulate these values given less and less information, eventually given only the function evaluations $f(x_1, \ldots, x_n)$, as in the ideal-world experiment. More explicitly, we consider the following sequence of hybrid experiments. We note that all ideal functionalities in the hybrid experiments are implicitly with abort; i.e., the ideal functionality first outputs to only the adversary, who decides whether outputs are also delivered to honest parties, or whether the protocol ends in abort.

In what follows we describe all of our hybrid experiments. We defer the construction of the corresponding simulator and the proof of indistinguishability to the full version. For each hybrid, we include (in parentheses) the primary reason why Hybrid $i$ can be simulated from Hybrid $i - 1$.

Hybrid 0. The real world: i.e., the adversary interacts with honest parties in the real-world experiment running $\Pi$.

Hybrid 1. (Elect protocol) The same as the real-world experiment, except that if any of the committees $\mathcal{E}_1, \ldots, \mathcal{E}_m$ elected during the preprocessing phase has fewer than | k parties, or if the fraction of honest parties in any committee is less than |, the experiment immediately concludes with output fail. We assume for simplicity of notation (later on) that, if the experiment does not fail, the first party of each committee $\mathcal{E}_j$ is honest.

Hybrid 2. (MPC security) The same as Hybrid 1, except that instead of collectively generating the CRS values (for the equivocal commitment scheme, the WLR-MPC, and the NIZK proof system) via an MPC protocol during the preprocessing phase, we assume a setup model where these values are (honestly) generated beforehand, and all parties run with these CRS values
Computation Phase:

Public inputs: $f$, $\mathrm{pk}$, $\hat{x} = (\mathrm{Enc}_{\mathrm{pk}}(x_1), \ldots, \mathrm{Enc}_{\mathrm{pk}}(x_n))$, $\mathrm{crs} = (\{\mathrm{crs}^i_{\mathrm{eq}}, \mathrm{crs}^i_{\mathrm{nizk}}\}_{i=1}^n, \mathrm{crs}_w)$, $\mathcal{E}_1, \ldots, \mathcal{E}_m$, $\{c_{j,i}\}_{j \in [m], i \in [|\mathcal{E}_j|]}$.

Private inputs: $(\mathrm{Sub}_{j,i}, d_{j,i})$, held by party $i$ of $\mathcal{E}_j$.

1. All parties homomorphically evaluate $f$ on the encrypted input vector: $y = \mathrm{Eval}_{\mathrm{pk}}(\hat{x}, f)$.

(It suffices that only the parties in $\mathcal{E}_1$ compute $y$.)

2. The parties execute the Decryption Cascade with $\mathrm{input}_1 = y$.

Decryption Cascade:

1. For $j = 1, \ldots, m$:

The parties in $\mathcal{E}_j$ engage in an execution of the $\lambda$-weakly leakage-resilient MPC protocol $\mathrm{MPC}_w(F_j)$ using CRS $\mathrm{crs}_w$ to compute the (randomized) functionality $F_j$ defined as follows:

Input: $(\mathrm{Sub}_{j,i}, \mathrm{input}_j)$, held by party $i$ of $\mathcal{E}_j$.

The function $F_j$:

(a) If any of the $\mathrm{input}_j$'s are inconsistent, or $\mathrm{Sub}_{j,i} \neq \mathrm{Rec}(\mathrm{crs}^{a}_{\mathrm{eq}}, c_{j,i}, d_{j,i})$ for any $i$, where $P_a$ is the $i$'th party in committee $\mathcal{E}_j$ (i.e., if any party's share does not agree with the corresponding published commitment), then abort.

(b) Otherwise, let $\mathrm{Sub}_j = \bigoplus_{i} \mathrm{Sub}_{j,i}$.

(c) Evaluate the $j$'th module on $\mathrm{input}_j$: that is, $\mathrm{input}_{j+1} := \mathrm{Sub}_j(\mathrm{input}_j)$.

Output: All parties learn $\mathrm{input}_{j+1}$.

At the conclusion of the WLR-MPC execution, each party in $\mathcal{E}_j$ erases all intermediate values generated during the WLR-MPC, keeping only $(\mathrm{Sub}_{j,i}, d_{j,i})$.

Each party in $\mathcal{E}_j$ sends the value of $\mathrm{input}_{j+1}$ to all parties in $\mathcal{E}_{j+1}$ (where $\mathcal{E}_{m+1} := V$, the set of all parties).

If any party in $\mathcal{E}_{j+1}$ receives disagreeing values of $\mathrm{input}_{j+1}$ from parties in $\mathcal{E}_j$, then abort.

2. Output $\mathrm{input}_{m+1}$ as the desired evaluation $f(x)$.


Figure 3: Protocol $\Pi_{\mathrm{comp}}$: Compute phase.


Update Phase:

Public inputs: $\mathcal{E}_1, \ldots, \mathcal{E}_m$, $\mathrm{crs} = (\{\mathrm{crs}^i_{\mathrm{eq}}, \mathrm{crs}^i_{\mathrm{nizk}}\}_{i=1}^n, \mathrm{crs}_w)$, $\{c_{j,i}\}_{j \in [m], i \in [|\mathcal{E}_j|]}$.

Private inputs: $(\mathrm{Sub}_{j,i}, d_{j,i})$, held by party $i$ of $\mathcal{E}_j$.

All parties run the $\mathrm{Update}$ protocol of the LDS compiler, as follows.

1. Each time the parties in committee $\mathcal{E}_j$, who are simulating submodule $\mathrm{Sub}_j$, receive a message $\mathrm{msg}_j$ from the parties in committee $\mathcal{E}_{j-1}$, who are simulating submodule $\mathrm{Sub}_{j-1}$, they compute the function $G_j$ that would have been computed by $\mathrm{Sub}_j$ upon receiving the message $\mathrm{msg}_j$ when running the $\mathrm{Update}$ protocol. (The parties in committee $\mathcal{E}_1$ start with $\mathrm{msg}_1 = \bot$.)

The computation of $G_j$ is done by running an execution of the $\lambda$-weakly leakage-resilient MPC protocol using $\mathrm{crs}_w$ to collectively execute the following (randomized) function:

Input: $(\mathrm{Sub}_{j,i}, d_{j,i}, \mathrm{msg}_j)$, held by party $i$ of $\mathcal{E}_j$; $\mathrm{crs}$, $\{c_{j,i}\}_{i \in [|\mathcal{E}_j|]}$, held by all parties.

The (randomized) function:

(a) If any of the $\mathrm{msg}_j$'s are inconsistent, or $\mathrm{Sub}_{j,i} \neq \mathrm{Rec}(\mathrm{crs}^{a}_{\mathrm{eq}}, c_{j,i}, d_{j,i})$ for any $i$, where $P_a$ is the $i$'th party in committee $\mathcal{E}_j$ (i.e., if any party's share does not agree with the corresponding published commitment), then abort. Otherwise, let $\mathrm{Sub}_j = \bigoplus_{i} \mathrm{Sub}_{j,i}$.

(b) Evaluate $(\mathrm{Sub}'_j, \mathrm{msg}_{j+1}) \leftarrow G_j(\mathrm{Sub}_j, \mathrm{msg}_j)$. Here, $\mathrm{Sub}'_j$ denotes an updated version of the submodule information, and $\mathrm{msg}_{j+1}$ denotes the message to be sent to submodule $j + 1$ as dictated by $\mathrm{Update}$.

(c) Secret share the new value $\mathrm{Sub}'_j = \mathrm{Sub}'_{j,1} \oplus \cdots \oplus \mathrm{Sub}'_{j,|\mathcal{E}_j|}$ into $|\mathcal{E}_j|$ shares using the xor secret sharing scheme.

(d) For each share $\mathrm{Sub}'_{j,i}$ generated in the previous step, compute a new commitment $(c'_{j,i}, d'_{j,i}) \leftarrow \mathrm{Com}(\mathrm{crs}^{a}_{\mathrm{eq}}, \mathrm{Sub}'_{j,i})$, where $P_a$ is the $i$'th party in committee $\mathcal{E}_j$.

Output: The outputs are as follows.

All parties: $\mathrm{msg}_{j+1}$, $\{c'_{j,i}\}_{i \in [|\mathcal{E}_j|]}$

Party $i$ of $\mathcal{E}_j$: $\mathrm{Sub}'_{j,i}$, $d'_{j,i}$

At the conclusion of the WLR-MPC execution, each party in $\mathcal{E}_j$ erases all intermediate values generated during the WLR-MPC, keeping only $(\mathrm{Sub}'_{j,i}, d'_{j,i})$.

2. All the parties of $\mathcal{E}_j$ send $\mathrm{msg}_{j+1}$ to all parties in $\mathcal{E}_{j+1}$.

3. Each party in $\mathcal{E}_j$ sends all new commitments $\{c'_{j,i}\}_{i \in [|\mathcal{E}_j|]}$ to every party. If any disagreeing values are sent by parties in $\mathcal{E}_j$, then abort.

At the conclusion of the update phase, each party erases their initial input together with all intermediate values of the update phase.

Figure 4: Protocol $\Pi_{\mathrm{update}}$: Update phase.
as shared common knowledge. We denote this ideal functionality by $\mathsf{crs}$.

Ideal functionalities in Hybrid 2: $\mathsf{crs}$.

Hybrid 3. (CRS simulation) The same as Hybrid 2, except that some of the CRS values are generated using the simulation algorithms. More specifically,

• For the first party in each committee, its crs for the equivocal commitment scheme is generated using the simulator; i.e., for each such party $P_i$, $(\mathrm{crs}^i_{\mathrm{eq}}, \mathrm{trap}^i) \leftarrow S^{\mathrm{crs}}_{\mathrm{eq}}(1^k)$.

• For each malicious party $P_i$, we generate its crs for the NIZK proof of knowledge using the simulator, by computing $(\mathrm{crs}^i_{\mathrm{nizk}}, \mathrm{trap}^i_{\mathrm{nizk}}) \leftarrow S^{\mathrm{crs}}_{\mathrm{nizk}}(1^k)$.

• The crs for the WLR-MPC protocol is simulated by computing $(\mathrm{crs}_w, \mathrm{trap}_w) \leftarrow S^{\mathrm{crs}}_w(1^k)$.

The remaining crs values are generated honestly, as before. We denote this new ideal functionality by $\mathsf{crsSim}$.

Ideal functionalities in Hybrid 3: $\mathsf{crsSim}$.

Hybrid 4. (MPC security) The same as Hybrid 3, except that the second MPC in the preprocessing phase (which generates a key pair for the FHE scheme, runs the LDS transformation, etc.) is replaced by the corresponding ideal (randomized) functionality $F_{\mathrm{pre}}$. Note that $F_{\mathrm{pre}}$ takes no inputs.

Overall, this hybrid is the same as the real world, except that the preprocessing phase consists only of the execution of $\mathrm{Elect}$ and one-time oracle access to $\mathsf{crsSim}$ and $F_{\mathrm{pre}}$.

Ideal functionalities in Hybrid 4: $\mathsf{crsSim}$, $F_{\mathrm{pre}}$.

Hybrid 5. (WLR-MPC security) The same as Hybrid 4, except that each underlying weakly leakage-resilient MPC execution in the decryption cascade is replaced with the ideal functionality $F_j$ that accepts inputs from all parties in $\mathcal{E}_j$ and replies with the evaluation of $F_j$ on these inputs (as described in Figure 3). Similarly, each WLR-MPC execution in the update phase is replaced with the ideal functionality $G_j$ that accepts inputs from parties and replies with the evaluation of $G_j$ on these inputs (as described in Figure 4).

The adversary no longer makes leakage queries of the form $\mathrm{Leak}(j, L)$, as he did in all previous hybrids. Instead, leakage queries are of the form $\mathrm{Leak}(L)$, and are made directly to the ideal functionalities $\{F_j\}, \{G_j\}$.

The corresponding ideal functionality evaluates the queried function $L$ on the collection of inputs received from the parties. As before, leakage time periods span from the beginning of one $\mathrm{Update}$ procedure to the end of the next, and the adversary may make no more than $\lambda$ leakage queries in any time period.

Ideal functionalities in Hybrid 5: $\mathsf{crsSim}$, $F_{\mathrm{pre}}$, $\{F_j\}$, $\{G_j\}$.

Hybrid 6. (Equivocal commitments) Same as Hybrid 5, except that the ideal functionality $F_{\mathrm{pre}}$ is replaced by a slightly modified functionality $F'_{\mathrm{pre}}$. Loosely speaking, $F'_{\mathrm{pre}}$ is the same as $F_{\mathrm{pre}}$, except that for the first party in each committee (which is assumed to be honest), $F'_{\mathrm{pre}}$ generates a simulated commitment to the party's secret share.

Explicitly, $F'_{\mathrm{pre}}$ has a trapdoor $\mathrm{trap}^{\mathrm{eq}}_j$, for the first party of each committee $\mathcal{E}_j$, hardwired into it. Just as $F_{\mathrm{pre}}$, the functionality $F'_{\mathrm{pre}}$ takes no inputs; it samples a key pair for the FHE scheme, evaluates the LDS transformation of the circuit $\mathrm{Dec}_{\mathrm{sk}}(\cdot)$, and generates secret shares $\mathrm{Sub}_{j,i}$ for each of the resulting secret modules. Further, $F'_{\mathrm{pre}}$ honestly generates a commitment

$(c_{j,i}, d_{j,i}) \leftarrow \mathrm{Com}(\mathrm{crs}^{a}_{\mathrm{eq}}, \mathrm{Sub}_{j,i})$

to $\mathrm{Sub}_{j,i}$ as usual (where $P_a$ is the $i$'th party of $\mathcal{E}_j$) for the secret share of all but the first party in each committee. For the first party in each committee (which is assumed to be honest), $F'_{\mathrm{pre}}$ generates a simulated commitment

$(c_{j,1}, d^0_{j,1}, d^1_{j,1}) \leftarrow S^{\mathrm{com}}_{\mathrm{eq}}(\mathrm{crs}^{a}_{\mathrm{eq}}, \mathrm{trap}^{\mathrm{eq}}_j),$

and sets $d_{j,1} = d^{\mathrm{Sub}_{j,1}}_{j,1}$.

Ideal functionalities in Hybrid 6: $\mathsf{crsSim}$, $F'_{\mathrm{pre}}$, $\{F_j\}$, $\{G_j\}$.

Hybrid 7. (Equivocal commitments) Same as Hybrid 6, except that the ideal functionalities $\{G_j\}$ are modified in the same fashion as in the step above. Namely, we replace each $G_j$ with a new ideal functionality $G'_j$ with the following differences. $G'_j$ has a trapdoor $\mathrm{trap}^{\mathrm{eq}}_j$, for the first party of each committee $\mathcal{E}_j$, hardwired into it. $G'_j$ accepts the same inputs as $G_j$, and carries out the same computation as $G_j$, with the following exception: For the first party in each committee, instead of honestly generating a commitment to the secret share $\mathrm{Sub}'_{j,1}$, the functionality $G'_j$ generates a simulated commitment $(c'_{j,1}, d^0_{j,1}, d^1_{j,1}) \leftarrow S^{\mathrm{com}}_{\mathrm{eq}}(\mathrm{crs}^{a}_{\mathrm{eq}}, \mathrm{trap}^{\mathrm{eq}}_j)$, and sets $d'_{j,1} = d^{\mathrm{Sub}'_{j,1}}_{j,1}$. (Note that the ideal functionalities $\{F_j\}$ in the decryption cascade do not generate new secret shares and thus do not need to be modified in this fashion.)

Ideal functionalities in Hybrid 7: $\mathsf{crsSim}$, $F'_{\mathrm{pre}}$, $\{F_j\}$, $\{G'_j\}$.

Hybrid 8. (Binding of Com) Similar to Hybrid 7, except that all secret shares are eliminated, and committees interact directly with the $m$ modules $(\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m)$. More specifically, the following changes are made:

• The ideal functionality $\mathsf{crsSim}$ is replaced by a slightly modified functionality $\mathsf{crsSim}'$, which executes exactly as $\mathsf{crsSim}$, but in addition sends to the adversary all trapdoors for simulated equivocal commitment crs values (for the first party in each committee).

• The ideal functionality $F'_{\mathrm{pre}}$ is replaced by a simple ideal functionality $F_{\mathrm{pk}}$ that takes no inputs, generates a key pair $(\mathrm{pk}, \mathrm{sk})$ for the FHE scheme, and publishes $\mathrm{pk}$.

• The sequence of ideal functionalities $\{F_j\}, \{G'_j\}$, as introduced in the previous steps, are replaced by the corresponding (LDS model) interactions with the $m$ modules $(\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m)$ generated by the LDS compiler:

$(\mathrm{Sub}_1, \ldots, \mathrm{Sub}_m) \leftarrow \mathcal{C}(\mathrm{Dec}_{\mathrm{sk}}(\cdot)).$

Namely,

– The decryption cascade takes place as follows. For each $j = 1, \ldots, m$, beginning with $\mathcal{E}_1$ and $\mathrm{input}_1 = y$, all parties in committee $\mathcal{E}_j$ send $\mathrm{input}_j$ to the corresponding module $\mathrm{Sub}_j$. If all $\mathrm{input}_j$'s are consistent, they receive back $\mathrm{input}_{j+1} \leftarrow \mathrm{Sub}_j(\mathrm{input}_j)$. The parties of $\mathcal{E}_j$ then send $\mathrm{input}_{j+1}$ to all parties in the next committee $\mathcal{E}_{j+1}$, who (if the received values are consistent) repeat the same process. At the conclusion of the decryption cascade, the parties of the final committee $\mathcal{E}_m$ send the resulting value $\mathrm{input}_{m+1}$ (which is supposedly $f(x)$) to all parties.

– The update procedure is similar to the decryption cascade. The modules execute the LDS update procedure, interacting with each other via the committees $\mathcal{E}_1, \ldots, \mathcal{E}_m$.

Instead of making leakage queries to the ideal functionalities $\{F_j\}, \{G'_j\}$, the adversary now makes queries of the form $\mathrm{Leak}(j, L)$, and receives the evaluation of $L$ on the secret state of the $j$th module, $\mathrm{Sub}_j$. As before, leakage time periods span from the beginning of one $\mathrm{Update}$ procedure to the end of the next, and the adversary may make no more than $\lambda$ leakage queries in any time period.

Ideal functionalities in Hybrid 8: $\mathsf{crsSim}'$, $F_{\mathrm{pk}}$, $\{\mathrm{Sub}_j\}$.

Hybrid 9. (LDS security) Same as Hybrid 8, except that all modules $\mathrm{Sub}_j$ are removed. Instead, parties interact with an ideal decryption functionality $\mathrm{Dec}_{\mathrm{sk}}$, as described below.

In the preprocessing phase, the parties execute $\mathrm{Elect}$, and are given $\mathrm{pk}$ and crs values (where some of the crs values are generated with trapdoors, as described in Hybrid 3). The input phase takes place as usual. In the online phase, for each function $f$ that is queried by the adversary, the parties homomorphically compute the corresponding ciphertext $y = \mathrm{Eval}_{\mathrm{pk}}(\hat{x}, f)$. All parties in the first committee, $\mathcal{E}_1$, send $y$ to the ideal decryption functionality $\mathrm{Dec}_{\mathrm{sk}}(\cdot)$ with abort. If all received $y$'s are consistent, the ideal functionality responds by sending the resulting decryption $\mathrm{Dec}_{\mathrm{sk}}(y)$ to the adversary, where $\mathrm{sk}$ is the decryption key that was generated by $F_{\mathrm{pk}}$. If the adversary allows, $\mathrm{Dec}_{\mathrm{sk}}(y)$ is also sent to all honest parties; otherwise, the experiment concludes in abort. The update phase no longer takes place. No leakage queries are allowed at any point of the experiment.

Ideal functionalities in Hybrid 9: $\mathsf{crsSim}'$, $F_{\mathrm{pk}}$, $\mathrm{Dec}_{\mathrm{sk}}$.

Hybrid  10.  (Soundness/PoK  of  NIZK,  certifiability  of  FHE) 
Differs  from  Hybrid  9  in  the  following  ways: 

•  The  ideal  functionalities  crsSim',  Fpre,  and  the  ex¬ 
ecution  of  Elect,  are  removed  from  the  preprocess¬ 
ing  phase. 

•  The  input  phase  no  longer  takes  place. 

•  The  ideal  decryption  functionality  DecSk  is  replaced 
by  the  ideal-world  functionality  Evaluate,  which 
takes  input  Xi  from  each  party  and  evaluates  func¬ 
tions  /  queried  by  the  adversary  on  the  set  of  all 
parties’  inputs  x,  as  defined  in  Section  3.1. 


•  In  addition,  the  adversary  is  given  as  auxiliary 
input 

z!  :=  (pk,  {ah,  crSnizk,  7tj},^M) , 

where  (pk,sk)  <—  Gen(lfe),  and  for  each  honest 
party  Pi,  the  triple  (crs*izk,  ah,  7r;)  is  computed  us¬ 
ing  the  real  input  Xi  of  Pi.  That  is,  the  values  in 
the  triple  are  computed  by  crs*izk  <—  Gennizk(lfc);  n  <— 
R\  Xi  =  Encpk(xi;  n);  7Ti  <-  P(crs„izk,  (xi,  pk)(xj,  n)). 

Overall, Hybrid 10 is the following.

Parties begin by submitting their inputs to the ideal functionality Evaluate. More specifically, each honest party P_i submits its input x_i. The adversary is given the corresponding auxiliary input z', computed as a function of the honest parties' inputs {x_i}_{i ∉ M}. Upon receiving z', the adversary submits the inputs of the malicious parties to Evaluate.

The preprocessing and input phases no longer take place. During the online phase, for each function f that is queried by the adversary, Evaluate responds by sending the adversary the evaluation of f on the set of all submitted inputs (x_1, ..., x_n). If the adversary allows, the evaluation is also sent to all honest parties; otherwise, the experiment concludes in abort.

Note that Hybrid 10 is nearly the ideal-world experiment. Indeed, the only difference is that the adversary is given the auxiliary input z'.

Ideal  functionalities  in  Hybrid  10:  Evaluate. 

Hybrid 11. (Security of FHE, ZK of NIZK) The ideal world: i.e., the adversary only receives f(x_1, ..., x_n) for each f selected to be computed. Note that this is the same as Hybrid 10, except that the adversary no longer receives the auxiliary input z'. (See Section 3.1 for the detailed experiment.)

The output of each hybrid experiment consists of the outputs of all parties, where honest parties output in accordance with the dictated protocol, and malicious parties may output any efficiently computable function of the view of the adversary. For every adversary A_ℓ with auxiliary input z ∈ {0,1}* running in hybrid experiment ℓ with initial inputs x, we denote the output of the corresponding Hybrid ℓ experiment by

$$\mathrm{HYB}_\ell\bigl(A_\ell,\ 1^k,\ z,\ \{x_i\}_{i=1}^{n}\bigr).$$

It remains to prove that for every ℓ = 0, ..., 10 and for every adversary A_ℓ running in Hybrid ℓ, there exists an adversary A_{ℓ+1} running in Hybrid (ℓ + 1) such that

$$\mathrm{HYB}_\ell\bigl(A_\ell,\ 1^k,\ z,\ \{x_i\}_{i=1}^{n}\bigr) \approx_c \mathrm{HYB}_{\ell+1}\bigl(A_{\ell+1},\ 1^k,\ z,\ \{x_i\}_{i=1}^{n}\bigr).$$

Note that once we show this, the theorem will follow, as this will imply that for each adversary A in the real-world experiment (Hybrid 0), there is an adversary A_11 in the ideal-world experiment (Hybrid 11), such that

$$\mathrm{HYB}_0\bigl(A,\ 1^k,\ z,\ \{x_i\}_{i=1}^{n}\bigr) \approx_c \mathrm{HYB}_{11}\bigl(A_{11},\ 1^k,\ z,\ \{x_i\}_{i=1}^{n}\bigr)$$

as desired. We defer these indistinguishability proofs to the full version of this manuscript.

□ 
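The step from the eleven per-hybrid indistinguishabilities to the final claim is the standard hybrid argument; written out here as an added derivation in the report's notation (not part of the original text), with A_0 := A and A_11 obtained by composing the eleven adversary transformations. For any probabilistic polynomial-time distinguisher D and ℓ = 0, ..., 10, let

$$\varepsilon_\ell(k) := \Bigl|\Pr\bigl[D\bigl(\mathrm{HYB}_\ell(A_\ell, 1^k, z, \{x_i\}_{i=1}^{n})\bigr) = 1\bigr] - \Pr\bigl[D\bigl(\mathrm{HYB}_{\ell+1}(A_{\ell+1}, 1^k, z, \{x_i\}_{i=1}^{n})\bigr) = 1\bigr]\Bigr|,$$

which is negligible in k by the step from Hybrid ℓ to Hybrid ℓ + 1. By the triangle inequality,

$$\Bigl|\Pr\bigl[D\bigl(\mathrm{HYB}_0(A, 1^k, z, \{x_i\}_{i=1}^{n})\bigr) = 1\bigr] - \Pr\bigl[D\bigl(\mathrm{HYB}_{11}(A_{11}, 1^k, z, \{x_i\}_{i=1}^{n})\bigr) = 1\bigr]\Bigr| \le \sum_{\ell=0}^{10} \varepsilon_\ell(k),$$

a sum of eleven negligible functions, hence negligible. The bound relies on the number of hybrids (11) being a constant independent of k and of the number of functions queried; if the chain length grew with the security parameter, the sum of negligible terms would no longer be guaranteed negligible.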
Glossary of Terms

ABE           Attribute-Based Encryption Scheme
BDD           Bounded Distance Decoding Assumption
CPRF          Constrained Pseudorandom Functions
CRS           Common Reference String
CVP           Closest Vector Problem
DDH           Decisional Diffie-Hellman
FE            Functional Encryption Scheme
FHE           Fully Homomorphic Encryption
F-PRFs        Functional Pseudorandom Functions
GCD           Greatest Common Divisors
HE            Homomorphic Encryption
HELib         Homomorphic Encryption Library
iO            Indistinguishability Obfuscation
Leveled FHE   FHE Evaluation of Circuits of a-priori Bounded Depth
LWE           Learning with Errors
MPC           Multi-Party Computation
Multikey FHE  Fully Homomorphic Encryption utilizing multiple, unrelated keys
NTRU          N-th Order Truncated Ring Encryption Scheme
PE            Predicate Encryption Scheme
PI            Principal Investigator
PRFs          Pseudorandom Functions
PROCEED       Programming Computation on Encrypted Data
Ring LWE      Ring Learning with Errors
RLWE          Ring Learning with Errors
SHE           Somewhat Homomorphic Encryption
SIMD          Single Instruction / Multiple Data
SIS           Short Integer Solution
SKI           Symmetric Key Infrastructure
SSS           Sparse Subset Sum Assumption
SVP           Shortest Vector Problem


Approved  for  Public  Release;  Distribution  Unlimited. 



